From 7f4443088d5ebc92a016375657da9cdcb11ae9d0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:17:43 +0000 Subject: import nss-3.34.0-4.el7 --- diff --git a/.gitignore b/.gitignore index 63bb458..7286e8d 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,7 @@ SOURCES/cert8.db.xml SOURCES/cert9.db.xml SOURCES/key3.db.xml SOURCES/key4.db.xml -SOURCES/nss-3.28.4.tar.gz +SOURCES/nss-3.34.0.tar.gz SOURCES/nss-config.xml SOURCES/secmod.db.xml SOURCES/setup-nsssysinit.xml diff --git a/.nss.metadata b/.nss.metadata index 17a1a7d..7b7738a 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -10,7 +10,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml -f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz +01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch index 3defed5..40e3e6d 100644 --- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -1,7 +1,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh ---- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-01-04 15:24:24.000000000 +0100 -+++ nss/tests/ssl/ssl.sh 2017-01-13 16:51:20.759277059 +0100 -@@ -63,8 +63,14 @@ ssl_init() +--- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/tests/ssl/ssl.sh 2017-10-06 16:19:10.812108552 +0200 +@@ -69,8 +69,14 @@ ssl_init() # Test case files SSLCOV=${QADIR}/ssl/sslcov.txt @@ -17,7 +17,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh SSLPOLICY=${QADIR}/ssl/sslpolicy.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat -@@ -129,7 +135,11 @@ is_selfserv_alive() +@@ -128,7 +134,11 @@ is_selfserv_alive() fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" @@ -29,8 +29,8 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh echo "selfserv with PID ${PID} found at `date`" } -@@ -153,7 +163,11 @@ wait_for_selfserv() - ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ +@@ -152,7 +162,11 @@ wait_for_selfserv() + ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} if [ $? -ne 0 ]; then + if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then @@ -41,16 +41,16 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh fi fi is_selfserv_alive -@@ -272,7 +286,7 @@ ssl_cov() +@@ -275,7 +289,7 @@ ssl_cov() start_selfserv # Launch the server VMIN="ssl3" - VMAX="tls1.1" + VMAX="tls1.2" - exec < ${SSLCOV} + ignore_blank_lines ${SSLCOV} | \ while read ectype testmax param testname -@@ -280,6 +294,12 @@ ssl_cov() +@@ -283,6 +297,12 @@ ssl_cov() echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? @@ -60,6 +60,6 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh + continue + fi + - if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + if [ "$ectype" = "ECC" ] ; then echo "$SCRIPTNAME: skipping $testname (ECC only)" - elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then + else diff --git a/SOURCES/disable-pss.patch b/SOURCES/disable-pss.patch deleted file mode 100644 index 1ae9630..0000000 --- a/SOURCES/disable-pss.patch +++ /dev/null @@ -1,72 +0,0 @@ -diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.disable_pss 2017-02-17 11:44:34.969825045 +0100 -+++ nss/lib/ssl/ssl3con.c 2017-02-17 11:44:34.973824961 +0100 -@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS - ssl_sig_ecdsa_secp384r1_sha384, - ssl_sig_ecdsa_secp521r1_sha512, - ssl_sig_ecdsa_sha1, -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - ssl_sig_rsa_pss_sha256, - ssl_sig_rsa_pss_sha384, - ssl_sig_rsa_pss_sha512, -+#endif - ssl_sig_rsa_pkcs1_sha256, - ssl_sig_rsa_pkcs1_sha384, - ssl_sig_rsa_pkcs1_sha512, -@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat - case ssl_sig_rsa_pkcs1_sha256: - case ssl_sig_rsa_pkcs1_sha384: - case ssl_sig_rsa_pkcs1_sha512: -+ return PR_TRUE; -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - case ssl_sig_rsa_pss_sha256: - case ssl_sig_rsa_pss_sha384: - case ssl_sig_rsa_pss_sha512: -+ return PR_FALSE; -+ - case ssl_sig_ecdsa_secp256r1_sha256: - case ssl_sig_ecdsa_secp384r1_sha384: - case ssl_sig_ecdsa_secp521r1_sha512: -diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c ---- nss/lib/ssl/sslcert.c.disable_pss 2017-01-30 02:06:08.000000000 +0100 -+++ nss/lib/ssl/sslcert.c 2017-02-17 11:44:34.973824961 +0100 -@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket - PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT); - - if ((data->authType == ssl_auth_rsa_sign && ku_sig) || -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - (data->authType == ssl_auth_rsa_pss && ku_sig) || -+#endif - (data->authType == ssl_auth_rsa_decrypt && ku_enc)) { - return ssl_ConfigCert(ss, cert, keyPair, data); - } -@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket - return rv; - } - -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - /* This certificate is RSA, assume that it's also PSS. */ - data->authType = ssl_auth_rsa_pss; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } -+#endif - } - - if (ku_enc) { diff --git a/SOURCES/moz-1320932.patch b/SOURCES/moz-1320932.patch deleted file mode 100644 index 8f8602d..0000000 --- a/SOURCES/moz-1320932.patch +++ /dev/null @@ -1,24 +0,0 @@ -changeset: 12916:6f35dc12506a -branch: wip/dueno/typo-fix -tag: tip -parent: 12913:f2a9e4d85b64 -user: Daiki Ueno -date: Tue Nov 29 14:18:08 2016 +0100 -files: tests/ssl/ssl.sh -description: -Use correct shell conditional for NSS_DISABLE_LIBPKIX check - - -diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ---- a/tests/ssl/ssl.sh -+++ b/tests/ssl/ssl.sh -@@ -1006,7 +1006,7 @@ ssl_run() - do - case "${SSL_RUN}" in - "stapling") -- if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then -+ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then - ssl_stapling - fi - ;; - diff --git a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch deleted file mode 100644 index db6be92..0000000 --- a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch +++ /dev/null @@ -1,4522 +0,0 @@ -diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c ---- a/cmd/addbuiltin/addbuiltin.c -+++ b/cmd/addbuiltin/addbuiltin.c -@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len) - if ((i != 0) && ((i & 0xf) == 0)) { - printf("\n"); - } - printf("\\%03o", buf[i]); - } - printf("\n"); - } - -+int -+hasPositiveTrust(unsigned int trust) -+{ -+ if (trust & CERTDB_TRUSTED) { -+ if (trust & CERTDB_TRUSTED_CA) { -+ return PR_TRUE; -+ } else { -+ return PR_FALSE; -+ } -+ } else { -+ if (trust & CERTDB_TRUSTED_CA) { -+ return PR_TRUE; -+ } else if (trust & CERTDB_VALID_CA) { -+ return PR_TRUE; -+ } else if (trust & CERTDB_TERMINAL_RECORD) { -+ return PR_FALSE; -+ } else { -+ return PR_FALSE; -+ } -+ } -+ return PR_FALSE; -+} -+ - char * - getTrustString(unsigned int trust) - { - if (trust & CERTDB_TRUSTED) { - if (trust & CERTDB_TRUSTED_CA) { - return "CKT_NSS_TRUSTED_DELEGATOR"; - } else { - return "CKT_NSS_TRUSTED"; -@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char - dumpbytes(cert->derIssuer.data, cert->derIssuer.len); - printf("END\n"); - printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); - dumpbytes(serial->data, serial->len); - printf("END\n"); - printf("CKA_VALUE MULTILINE_OCTAL\n"); - dumpbytes(sdder->data, sdder->len); - printf("END\n"); -+ if (hasPositiveTrust(trust->sslFlags) || -+ hasPositiveTrust(trust->emailFlags) || -+ hasPositiveTrust(trust->objectSigningFlags)) { -+ printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n"); -+ } - } - - if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == - CERTDB_TERMINAL_RECORD) - trust_info = "Distrust"; - else - trust_info = "Trust for"; - -diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c ---- a/cmd/lib/secutil.c -+++ b/cmd/lib/secutil.c -@@ -27,17 +27,17 @@ - #include - #endif - - /* for SEC_TraverseNames */ - #include "cert.h" - #include "certt.h" - #include "certdb.h" - --/* #include "secmod.h" */ -+#include "secmod.h" - #include "pk11func.h" - #include "secoid.h" - - static char consoleName[] = { - #ifdef XP_UNIX - "/dev/tty" - #else - #ifdef XP_OS2 -@@ -3224,25 +3224,58 @@ SECU_PrintSignedContent(FILE *out, SECIt - SECStatus - SEC_PrintCertificateAndTrust(CERTCertificate *cert, - const char *label, - CERTCertTrust *trust) - { - SECStatus rv; - SECItem data; - CERTCertTrust certTrust; -+ PK11SlotList *slotList; -+ PRBool falseAttributeFound = PR_FALSE; -+ PRBool trueAttributeFound = PR_FALSE; -+ const char *moz_policy_ca_info = NULL; - - data.data = cert->derCert.data; - data.len = cert->derCert.len; - - rv = SECU_PrintSignedData(stdout, &data, label, 0, - (SECU_PPFunc)SECU_PrintCertificate); - if (rv) { - return (SECFailure); - } -+ -+ slotList = PK11_GetAllSlotsForCert(cert, NULL); -+ if (slotList) { -+ PK11SlotListElement *se = PK11_GetFirstSafe(slotList); -+ for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) { -+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL); -+ if (handle != CK_INVALID_HANDLE) { -+ PORT_SetError(0); -+ if (PK11_HasAttributeSet(se->slot, handle, -+ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) { -+ trueAttributeFound = PR_TRUE; -+ } else if (!PORT_GetError()) { -+ falseAttributeFound = PR_TRUE; -+ } -+ } -+ } -+ PK11_FreeSlotList(slotList); -+ } -+ -+ if (trueAttributeFound) { -+ moz_policy_ca_info = "true (attribute present)"; -+ } else if (falseAttributeFound) { -+ moz_policy_ca_info = "false (attribute present)"; -+ } else { -+ moz_policy_ca_info = "false (attribute missing)"; -+ } -+ SECU_Indent(stdout, 1); -+ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info); -+ - if (trust) { - SECU_PrintTrustFlags(stdout, trust, - "Certificate Trust Flags", 1); - } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) { - SECU_PrintTrustFlags(stdout, &certTrust, - "Certificate Trust Flags", 1); - } - -diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt ---- a/lib/ckfw/builtins/certdata.txt -+++ b/lib/ckfw/builtins/certdata.txt -@@ -186,16 +186,17 @@ - \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156 - \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235 - \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341 - \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364 - \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004 - \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146 - \125\342\374\110\311\051\046\151\340 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GlobalSign Root CA" - # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE - # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94 - # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE - # Not Valid Before: Tue Sep 01 12:00:00 1998 - # Not Valid After : Fri Jan 28 12:00:00 2028 - # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A -@@ -319,16 +320,17 @@ - \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135 - \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202 - \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014 - \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373 - \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373 - \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214 - \152\374\176\102\070\100\144\022\367\236\201\341\223\056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GlobalSign Root CA - R2" - # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 - # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d - # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 - # Not Valid Before: Fri Dec 15 08:00:00 2006 - # Not Valid After : Wed Dec 15 08:00:00 2021 - # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30 -@@ -474,16 +476,17 @@ - \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354 - \245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216 - \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042 - \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170 - \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043 - \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243 - \113\336\006\226\161\054\362\333\266\037\244\357\077\356 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4 - # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Fri Oct 01 00:00:00 1999 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 -@@ -638,16 +641,17 @@ - \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110 - \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153 - \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045 - \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317 - \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263 - \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125 - \311\130\020\371\252\357\132\266\317\113\113\337\052 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a - # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Fri Oct 01 00:00:00 1999 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6 -@@ -802,16 +806,17 @@ - \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151 - \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246 - \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156 - \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255 - \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126 - \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255 - \153\271\012\172\116\117\113\204\356\113\361\175\335\021 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3" - # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 - # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Fri Oct 01 00:00:00 1999 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09 -@@ -1076,16 +1081,17 @@ - \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320 - \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304 - \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376 - \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171 - \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227 - \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053 - \174\136\232\166\351\131\220\305\174\203\065\021\145\121 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Entrust.net Premium 2048 Secure Server CA" - # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net - # Serial Number: 946069240 (0x3863def8) - # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net - # Not Valid Before: Fri Dec 24 17:50:51 1999 - # Not Valid After : Tue Jul 24 14:15:12 2029 - # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90 -@@ -1213,16 +1219,17 @@ - \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275 - \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163 - \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021 - \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017 - \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322 - \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374 - \347\201\035\031\303\044\102\352\143\071\251 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Baltimore CyberTrust Root" - # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE - # Serial Number: 33554617 (0x20000b9) - # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE - # Not Valid Before: Fri May 12 18:46:00 2000 - # Not Valid After : Mon May 12 23:59:00 2025 - # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4 -@@ -1356,16 +1363,17 @@ - \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145 - \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030 - \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173 - \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200 - \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317 - \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344 - \065\341\035\026\034\320\274\053\216\326\161\331 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AddTrust Low-Value Services Root" - # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Serial Number: 1 (0x1) - # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Not Valid Before: Tue May 30 10:38:31 2000 - # Not Valid After : Sat May 30 10:38:31 2020 - # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC -@@ -1504,16 +1512,17 @@ - \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247 - \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027 - \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236 - \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163 - \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132 - \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202 - \027\132\173\320\274\307\217\116\206\004 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AddTrust External Root" - # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE - # Serial Number: 1 (0x1) - # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE - # Not Valid Before: Tue May 30 10:48:38 2000 - # Not Valid After : Sat May 30 10:48:38 2020 - # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F -@@ -1649,16 +1658,17 @@ - \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341 - \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266 - \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120 - \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046 - \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035 - \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362 - \116\072\063\014\053\263\055\220\006 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AddTrust Public Services Root" - # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Serial Number: 1 (0x1) - # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Not Valid Before: Tue May 30 10:41:50 2000 - # Not Valid After : Sat May 30 10:41:50 2020 - # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F -@@ -1794,16 +1804,17 @@ - \077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056 - \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033 - \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130 - \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335 - \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336 - \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350 - \306\241 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AddTrust Qualified Certificates Root" - # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Serial Number: 1 (0x1) - # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE - # Not Valid Before: Tue May 30 10:44:50 2000 - # Not Valid After : Sat May 30 10:44:50 2020 - # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB -@@ -1956,16 +1967,17 @@ - \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354 - \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377 - \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231 - \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140 - \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146 - \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376 - \036\177\132\264\074 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Entrust Root Certification Authority" - # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US - # Serial Number: 1164660820 (0x456b5054) - # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US - # Not Valid Before: Mon Nov 27 20:23:42 2006 - # Not Valid After : Fri Nov 27 20:53:42 2026 - # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4 -@@ -2089,16 +2101,17 @@ - \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047 - \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002 - \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115 - \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325 - \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013 - \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355 - \302\005\146\200\241\313\346\063 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Global CA" - # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US - # Serial Number: 144470 (0x23456) - # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US - # Not Valid Before: Tue May 21 04:00:00 2002 - # Not Valid After : Sat May 21 04:00:00 2022 - # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5 -@@ -2216,16 +2229,17 @@ - \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227 - \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126 - \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005 - \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133 - \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152 - \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363 - \342\042\051\256\175\203\100\250\272\154 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Global CA 2" - # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US - # Serial Number: 1 (0x1) - # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US - # Not Valid Before: Thu Mar 04 05:00:00 2004 - # Not Valid After : Mon Mar 04 05:00:00 2019 - # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9 -@@ -2375,16 +2389,17 @@ - \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055 - \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247 - \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225 - \033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346 - \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305 - \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157 - \244\346\216\330\371\051\110\212\316\163\376\054 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Universal CA" - # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US - # Serial Number: 1 (0x1) - # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US - # Not Valid Before: Thu Mar 04 05:00:00 2004 - # Not Valid After : Sun Mar 04 05:00:00 2029 - # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48 -@@ -2534,16 +2549,17 @@ - \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207 - \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202 - \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262 - \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027 - \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306 - \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246 - \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Universal CA 2" - # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US - # Serial Number: 1 (0x1) - # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US - # Not Valid Before: Thu Mar 04 05:00:00 2004 - # Not Valid After : Sun Mar 04 05:00:00 2029 - # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7 -@@ -2670,16 +2686,17 @@ - \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106 - \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060 - \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213 - \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000 - \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355 - \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026 - \222\340\134\366\007\017 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Visa eCommerce Root" - # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US - # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 - # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US - # Not Valid Before: Wed Jun 26 02:18:36 2002 - # Not Valid After : Fri Jun 24 00:16:12 2022 - # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 -@@ -2792,16 +2809,17 @@ - \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171 - \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323 - \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161 - \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122 - \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151 - \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054 - \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Certum Root CA" - # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL - # Serial Number: 65568 (0x10020) - # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL - # Not Valid Before: Tue Jun 11 10:46:39 2002 - # Not Valid After : Fri Jun 11 10:46:39 2027 - # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9 -@@ -2937,16 +2955,17 @@ - \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217 - \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042 - \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242 - \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362 - \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267 - \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237 - \225\351\066\226\230\156 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Comodo AAA Services root" - # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number: 1 (0x1) - # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Jan 01 00:00:00 2004 - # Not Valid After : Sun Dec 31 23:59:59 2028 - # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0 -@@ -3087,16 +3106,17 @@ - \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011 - \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217 - \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344 - \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345 - \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315 - \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174 - \354\375\051 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Comodo Secure Services root" - # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number: 1 (0x1) - # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Jan 01 00:00:00 2004 - # Not Valid After : Sun Dec 31 23:59:59 2028 - # Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD -@@ -3239,16 +3259,17 @@ - \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076 - \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261 - \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336 - \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047 - \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335 - \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230 - \160\136\310\304\170\260\142 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Comodo Trusted Services root" - # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number: 1 (0x1) - # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Jan 01 00:00:00 2004 - # Not Valid After : Sun Dec 31 23:59:59 2028 - # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27 -@@ -3417,16 +3438,17 @@ - \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106 - \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060 - \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026 - \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050 - \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240 - \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212 - \112\164\066\371 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "QuoVadis Root CA" - # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM - # Serial Number: 985026699 (0x3ab6508b) - # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM - # Not Valid Before: Mon Mar 19 18:33:33 2001 - # Not Valid After : Wed Mar 17 18:33:33 2021 - # Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24 -@@ -3585,16 +3607,17 @@ - \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335 - \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162 - \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026 - \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271 - \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332 - \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122 - \020\005\145\325\202\020\352\302\061\315\056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "QuoVadis Root CA 2" - # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM - # Serial Number: 1289 (0x509) - # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM - # Not Valid Before: Fri Nov 24 18:27:00 2006 - # Not Valid After : Mon Nov 24 18:23:33 2031 - # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B -@@ -3764,16 +3787,17 @@ - \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313 - \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223 - \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067 - \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164 - \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312 - \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022 - \332 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "QuoVadis Root CA 3" - # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM - # Serial Number: 1478 (0x5c6) - # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM - # Not Valid Before: Fri Nov 24 19:11:23 2006 - # Not Valid After : Mon Nov 24 19:06:44 2031 - # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF -@@ -3892,16 +3916,17 @@ - \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124 - \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101 - \065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260 - \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055 - \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003 - \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026 - \057\317\246\356\311\160\042\024\275\375\276\154\013\003 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Security Communication Root CA" - # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP - # Serial Number: 0 (0x0) - # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP - # Not Valid Before: Tue Sep 30 04:20:49 2003 - # Not Valid After : Sat Sep 30 04:20:49 2023 - # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A -@@ -4014,16 +4039,17 @@ - \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272 - \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143 - \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165 - \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366 - \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032 - \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132 - \160\254\337\114 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Sonera Class 2 Root CA" - # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI - # Serial Number: 29 (0x1d) - # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI - # Not Valid Before: Fri Apr 06 07:29:40 2001 - # Not Valid After : Tue Apr 06 07:29:40 2021 - # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB -@@ -4175,16 +4201,17 @@ - \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246 - \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254 - \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174 - \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044 - \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266 - \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303 - \005\323\312\003\112\124 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "UTN USERFirst Email Root CA" - # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89 - # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Not Valid Before: Fri Jul 09 17:28:50 1999 - # Not Valid After : Tue Jul 09 17:36:58 2019 - # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7 -@@ -4338,16 +4365,17 @@ - \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055 - \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136 - \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120 - \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222 - \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251 - \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020 - \062\234\036\273\235\370\146\250 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "UTN USERFirst Hardware Root CA" - # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd - # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Not Valid Before: Fri Jul 09 18:10:42 1999 - # Not Valid After : Tue Jul 09 18:19:22 2019 - # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39 -@@ -4498,16 +4526,17 @@ - \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360 - \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271 - \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223 - \306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327 - \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221 - \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170 - \275\023\122\035\250\076\315\000\037\310 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "UTN USERFirst Object Root CA" - # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b - # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US - # Not Valid Before: Fri Jul 09 18:31:20 1999 - # Not Valid After : Tue Jul 09 18:40:36 2019 - # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9 -@@ -4661,16 +4690,17 @@ - \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312 - \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064 - \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110 - \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335 - \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356 - \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370 - \334 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Camerfirma Chambers of Commerce Root" - # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU - # Serial Number: 0 (0x0) - # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU - # Not Valid Before: Tue Sep 30 16:13:43 2003 - # Not Valid After : Wed Sep 30 16:13:44 2037 - # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84 -@@ -4820,16 +4850,17 @@ - \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015 - \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334 - \171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075 - \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316 - \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177 - \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111 - \166\135\165\220\032\365\046\217\360 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Camerfirma Global Chambersign Root" - # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU - # Serial Number: 0 (0x0) - # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU - # Not Valid Before: Tue Sep 30 16:14:18 2003 - # Not Valid After : Wed Sep 30 16:14:18 2037 - # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19 -@@ -4972,16 +5003,17 @@ - \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273 - \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262 - \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341 - \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330 - \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020 - \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311 - \264\003\045\274 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "XRamp Global CA Root" - # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US - # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad - # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US - # Not Valid Before: Mon Nov 01 17:14:04 2004 - # Not Valid After : Mon Jan 01 05:37:19 2035 - # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1 -@@ -5118,16 +5150,17 @@ - \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274 - \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021 - \164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002 - \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245 - \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237 - \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035 - \177\333\275\237 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Go Daddy Class 2 CA" - # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US - # Serial Number: 0 (0x0) - # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US - # Not Valid Before: Tue Jun 29 17:06:20 2004 - # Not Valid After : Thu Jun 29 17:06:20 2034 - # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67 -@@ -5262,16 +5295,17 @@ - \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351 - \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101 - \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064 - \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030 - \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155 - \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057 - \037\027\224 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Starfield Class 2 CA" - # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US - # Serial Number: 0 (0x0) - # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US - # Not Valid Before: Tue Jun 29 17:39:16 2004 - # Not Valid After : Thu Jun 29 17:39:16 2034 - # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24 -@@ -5467,16 +5501,17 @@ - \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001 - \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225 - \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354 - \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204 - \103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241 - \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060 - \152\263\364\210\034\200\015\374\162\212\350\203\136 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "StartCom Certification Authority" - # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - # Serial Number: 1 (0x1) - # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - # Not Valid Before: Sun Sep 17 19:46:36 2006 - # Not Valid After : Wed Sep 17 19:46:36 2036 - # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16 -@@ -5631,16 +5666,17 @@ - \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011 - \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107 - \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336 - \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246 - \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316 - \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045 - \245\206\054\174\364\022 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Taiwan GRCA" - # Issuer: O=Government Root Certification Authority,C=TW - # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 - # Subject: O=Government Root Certification Authority,C=TW - # Not Valid Before: Thu Dec 05 13:23:33 2002 - # Not Valid After : Sun Dec 05 13:23:33 2032 - # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E -@@ -5803,16 +5839,17 @@ - \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376 - \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260 - \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030 - \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311 - \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146 - \201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372 - \060\032\365\232\154\364\016\123\371\072\133\321\034 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Swisscom Root CA 1" - # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch - # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36 - # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch - # Not Valid Before: Thu Aug 18 12:06:20 2005 - # Not Valid After : Mon Aug 18 22:06:20 2025 - # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9 -@@ -5943,16 +5980,17 @@ - \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361 - \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106 - \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337 - \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036 - \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241 - \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056 - \346\120\262\247\372\012\105\057\242\360\362 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "DigiCert Assured ID Root CA" - # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39 - # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Fri Nov 10 00:00:00 2006 - # Not Valid After : Mon Nov 10 00:00:00 2031 - # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72 -@@ -6083,16 +6121,17 @@ - \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154 - \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025 - \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167 - \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044 - \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230 - \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225 - \225\155\336 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "DigiCert Global Root CA" - # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a - # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Fri Nov 10 00:00:00 2006 - # Not Valid After : Mon Nov 10 00:00:00 2031 - # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E -@@ -6224,16 +6263,17 @@ - \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214 - \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052 - \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236 - \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134 - \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143 - \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251 - \370\351\056\023\243\167\350\037\112 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "DigiCert High Assurance EV Root CA" - # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77 - # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Fri Nov 10 00:00:00 2006 - # Not Valid After : Mon Nov 10 00:00:00 2031 - # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A -@@ -6356,16 +6396,17 @@ - \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157 - \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330 - \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201 - \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366 - \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056 - \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273 - \227\277\242\216\264\124 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Certplus Class 2 Primary CA" - # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR - # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 - # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR - # Not Valid Before: Wed Jul 07 17:05:00 1999 - # Not Valid After : Sat Jul 06 23:59:59 2019 - # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B -@@ -6482,16 +6523,17 @@ - \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122 - \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071 - \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011 - \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221 - \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050 - \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221 - \013\004\216\007\333\051\266\012\356\235\202\065\065\020 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "DST Root CA X3" - # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. - # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b - # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. - # Not Valid Before: Sat Sep 30 21:12:19 2000 - # Not Valid After : Thu Sep 30 14:01:15 2021 - # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5 -@@ -6623,16 +6665,17 @@ - \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052 - \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121 - \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233 - \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041 - \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366 - \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101 - \363\267\240\247\315\345\172\063\066\152\372\232\053 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "DST ACES CA X6" - # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US - # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9 - # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US - # Not Valid Before: Thu Nov 20 21:19:58 2003 - # Not Valid After : Mon Nov 20 21:19:58 2017 - # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8 -@@ -6790,16 +6833,17 @@ - \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161 - \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323 - \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007 - \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031 - \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265 - \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251 - \205\206\171\145\322 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "SwissSign Platinum CA - G2" - # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH - # Serial Number:4e:b2:00:67:0c:03:5d:4f - # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH - # Not Valid Before: Wed Oct 25 08:36:00 2006 - # Not Valid After : Sat Oct 25 08:36:00 2036 - # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6 -@@ -6954,16 +6998,17 @@ - \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300 - \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260 - \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111 - \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272 - \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155 - \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362 - \111\044\133\311\260\320\127\301\372\076\172\341\227\311 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "SwissSign Gold CA - G2" - # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH - # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0 - # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH - # Not Valid Before: Wed Oct 25 08:30:35 2006 - # Not Valid After : Sat Oct 25 08:30:35 2036 - # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93 -@@ -7119,16 +7164,17 @@ - \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076 - \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345 - \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353 - \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362 - \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152 - \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056 - \156 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "SwissSign Silver CA - G2" - # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH - # Serial Number:4f:1b:d4:2f:54:bb:2f:4b - # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH - # Not Valid Before: Wed Oct 25 08:32:46 2006 - # Not Valid After : Sat Oct 25 08:32:46 2036 - # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13 -@@ -7250,16 +7296,17 @@ - \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132 - \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143 - \122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252 - \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370 - \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024 - \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215 - \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Primary Certification Authority" - # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US - # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1 - # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US - # Not Valid Before: Mon Nov 27 00:00:00 2006 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF -@@ -7404,16 +7451,17 @@ - \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067 - \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004 - \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077 - \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056 - \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107 - \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173 - \215\126\214\150 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "thawte Primary Root CA" - # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US - # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d - # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US - # Not Valid Before: Fri Nov 17 00:00:00 2006 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 -@@ -7578,16 +7626,17 @@ - \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031 - \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121 - \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016 - \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015 - \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266 - \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362 - \254\021\326\250\355\143\152 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" - # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a - # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Wed Nov 08 00:00:00 2006 - # Not Valid After : Wed Jul 16 23:59:59 2036 - # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C -@@ -7720,16 +7769,17 @@ - \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322 - \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332 - \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366 - \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321 - \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051 - \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050 - \113\035\236\054\302\270\150\274\355\002\356\061 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "SecureTrust CA" - # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US - # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 - # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US - # Not Valid Before: Tue Nov 07 19:31:18 2006 - # Not Valid After : Mon Dec 31 19:40:55 2029 - # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1 -@@ -7854,16 +7904,17 @@ - \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330 - \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111 - \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171 - \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134 - \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000 - \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362 - \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Secure Global CA" - # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US - # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 - # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US - # Not Valid Before: Tue Nov 07 19:42:28 2006 - # Not Valid After : Mon Dec 31 19:52:06 2029 - # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE -@@ -8003,16 +8054,17 @@ - \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127 - \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365 - \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135 - \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005 - \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041 - \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001 - \145 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "COMODO Certification Authority" - # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d - # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Fri Dec 01 00:00:00 2006 - # Not Valid After : Mon Dec 31 23:59:59 2029 - # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75 -@@ -8148,16 +8200,17 @@ - \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157 - \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157 - \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004 - \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315 - \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245 - \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313 - \244\140\114\260\125\240\240\173\127\262 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Network Solutions Certificate Authority" - # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US - # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0 - # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US - # Not Valid Before: Fri Dec 01 00:00:00 2006 - # Not Valid After : Mon Dec 31 23:59:59 2029 - # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E -@@ -8188,177 +8241,16 @@ - \150\340 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "WellsSecure Public Root Certificate Authority" --# --# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Serial Number: 1 (0x1) --# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Not Valid Before: Thu Dec 13 17:07:54 2007 --# Not Valid After : Wed Dec 14 00:07:54 2022 --# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 --# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\001 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061 --\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040 --\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162 --\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154 --\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061 --\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123 --\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157 --\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165 --\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061 --\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064 --\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003 --\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012 --\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145 --\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125 --\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040 --\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003 --\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165 --\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146 --\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060 --\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 --\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 --\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253 --\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210 --\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051 --\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324 --\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122 --\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060 --\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054 --\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344 --\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264 --\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143 --\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050 --\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204 --\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237 --\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005 --\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300 --\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145 --\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006 --\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071 --\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206 --\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056 --\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167 --\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017 --\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016 --\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031 --\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043 --\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227 --\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244 --\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002 --\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154 --\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145 --\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127 --\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040 --\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154 --\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040 --\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145 --\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006 --\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001 --\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173 --\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355 --\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035 --\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225 --\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045 --\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101 --\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344 --\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255 --\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247 --\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163 --\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166 --\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075 --\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147 --\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176 --\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157 --\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130 --\333 --END -- --# Trust for Certificate "WellsSecure Public Root Certificate Authority" --# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Serial Number: 1 (0x1) --# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Not Valid Before: Thu Dec 13 17:07:54 2007 --# Not Valid After : Wed Dec 14 00:07:54 2022 --# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 --# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364 --\175\117\350\356 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066 --END --CKA_ISSUER MULTILINE_OCTAL --\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\001 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "COMODO ECC Certification Authority" - # - # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a - # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Mar 06 00:00:00 2008 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23 -@@ -8434,16 +8326,17 @@ - \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254 - \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346 - \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316 - \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223 - \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157 - \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346 - \334\335\363\377\035\054\072\026\127\331\222\071\326 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "COMODO ECC Certification Authority" - # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a - # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Mar 06 00:00:00 2008 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23 -@@ -8741,16 +8634,17 @@ - \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176 - \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343 - \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240 - \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116 - \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017 - \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217 - \164 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Security Communication EV RootCA1" - # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP - # Serial Number: 0 (0x0) - # Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP - # Not Valid Before: Wed Jun 06 02:12:32 2007 - # Not Valid After : Sat Jun 06 02:12:32 2037 - # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3 -@@ -8888,16 +8782,17 @@ - \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030 - \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000 - \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142 - \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243 - \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051 - \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311 - \374\276\337\012\015 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "OISTE WISeKey Global Root GA CA" - # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH - # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a - # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH - # Not Valid Before: Sun Dec 11 16:03:44 2005 - # Not Valid After : Fri Dec 11 16:09:51 2037 - # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93 -@@ -8930,222 +8825,16 @@ - \337\232 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "Microsec e-Szigno Root CA" --# --# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 --# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Not Valid Before: Wed Apr 06 12:28:44 2005 --# Not Valid After : Thu Apr 06 12:28:44 2017 --# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 --# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Microsec e-Szigno Root CA" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 --\054\017\021 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000 --\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021 --\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163 --\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162 --\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125 --\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061 --\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163 --\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164 --\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062 --\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070 --\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002 --\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144 --\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015 --\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060 --\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157 --\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151 --\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040 --\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052 --\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060 --\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070 --\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207 --\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256 --\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167 --\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331 --\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376 --\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006 --\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254 --\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300 --\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140 --\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270 --\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364 --\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341 --\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111 --\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161 --\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346 --\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004 --\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001 --\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060 --\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145 --\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060 --\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164 --\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157 --\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017 --\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 --\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146 --\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001 --\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007 --\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145 --\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057 --\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202 --\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156 --\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171 --\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145 --\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040 --\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147 --\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172 --\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147 --\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123 --\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141 --\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141 --\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141 --\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164 --\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154 --\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150 --\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167 --\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147 --\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132 --\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201 --\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150 --\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147 --\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154 --\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145 --\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151 --\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156 --\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125 --\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117 --\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056 --\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125 --\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157 --\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162 --\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 --\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201 --\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150 --\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032 --\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156 --\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003 --\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110 --\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003 --\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060 --\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125 --\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141 --\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166 --\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110 --\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141 --\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115 --\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022 --\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040 --\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143 --\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122 --\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032 --\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016 --\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322 --\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206 --\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146 --\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154 --\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240 --\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247 --\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345 --\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172 --\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250 --\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332 --\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133 --\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323 --\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321 --\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235 --\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362 --\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077 --\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226 --\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040 --\103\307\003\340\067\116\135\012\334\131\040\045 --END -- --# Trust for Certificate "Microsec e-Szigno Root CA" --# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 --# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Not Valid Before: Wed Apr 06 12:28:44 2005 --# Not Valid After : Thu Apr 06 12:28:44 2017 --# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 --# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Microsec e-Szigno Root CA" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326 --\045\354\031\015 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345 --END --CKA_ISSUER MULTILINE_OCTAL --\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 --\054\017\021 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "Certigna" - # - # Issuer: CN=Certigna,O=Dhimyotis,C=FR - # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff - # Subject: CN=Certigna,O=Dhimyotis,C=FR - # Not Valid Before: Fri Jun 29 15:13:05 2007 - # Not Valid After : Tue Jun 29 15:13:05 2027 - # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF -@@ -9228,16 +8917,17 @@ - \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347 - \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260 - \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004 - \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043 - \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060 - \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225 - \300\226\130\057\352\273\106\327\273\344\331\056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Certigna" - # Issuer: CN=Certigna,O=Dhimyotis,C=FR - # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff - # Subject: CN=Certigna,O=Dhimyotis,C=FR - # Not Valid Before: Fri Jun 29 15:13:05 2007 - # Not Valid After : Tue Jun 29 15:13:05 2027 - # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF -@@ -9409,16 +9099,17 @@ - \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352 - \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211 - \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153 - \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030 - \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043 - \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144 - \005\211\374\170\326\134\054\046\103\251 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AC Raiz Certicamara S.A." - # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO - # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c - # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO - # Not Valid Before: Mon Nov 27 20:46:29 2006 - # Not Valid After : Tue Apr 02 21:42:02 2030 - # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6 -@@ -9566,16 +9257,17 @@ - \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001 - \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245 - \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011 - \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143 - \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030 - \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154 - \016\121\075\157\373\226\126\200\342\066\027\321\334\344 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "TC TrustCenter Class 3 CA II" - # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE - # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf - # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE - # Not Valid Before: Thu Jan 12 14:41:57 2006 - # Not Valid After : Wed Dec 31 22:59:59 2025 - # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E -@@ -9706,16 +9398,17 @@ - \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124 - \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376 - \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257 - \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143 - \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224 - \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005 - \126\144\127 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Deutsche Telekom Root CA 2" - # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE - # Serial Number: 38 (0x26) - # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE - # Not Valid Before: Fri Jul 09 12:11:00 1999 - # Not Valid After : Tue Jul 09 23:59:00 2019 - # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08 -@@ -9838,16 +9531,17 @@ - \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334 - \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135 - \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044 - \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163 - \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370 - \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224 - \000\147\240\161\000\202\110 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "ComSign CA" - # Issuer: C=IL,O=ComSign,CN=ComSign CA - # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44 - # Subject: C=IL,O=ComSign,CN=ComSign CA - # Not Valid Before: Wed Mar 24 11:32:18 2004 - # Not Valid After : Mon Mar 19 15:02:18 2029 - # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B -@@ -9968,16 +9662,17 @@ - \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141 - \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113 - \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320 - \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142 - \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063 - \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053 - \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "ComSign Secured CA" - # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA - # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9 - # Subject: C=IL,O=ComSign,CN=ComSign Secured CA - # Not Valid Before: Wed Mar 24 11:37:20 2004 - # Not Valid After : Fri Mar 16 15:04:56 2029 - # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5 -@@ -10097,16 +9792,17 @@ - \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354 - \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034 - \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327 - \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006 - \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326 - \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264 - \246\210\070\316\125 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Cybertrust Global Root" - # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" - # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48 - # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc" - # Not Valid Before: Fri Dec 15 08:00:00 2006 - # Not Valid After : Wed Dec 15 08:00:00 2021 - # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1 -@@ -10263,16 +9959,17 @@ - \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374 - \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304 - \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156 - \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143 - \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203 - \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352 - \201\370\021\234 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "ePKI Root Certification Authority" - # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW - # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d - # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW - # Not Valid Before: Mon Dec 20 02:31:27 2004 - # Not Valid After : Wed Dec 20 02:31:27 2034 - # Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3 -@@ -10447,16 +10144,17 @@ - \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112 - \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307 - \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147 - \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154 - \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204 - \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054 - \311\234\220\332\354\251\102\074\255\266\002 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" - # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR - # Serial Number: 17 (0x11) - # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR - # Not Valid Before: Fri Aug 24 11:37:07 2007 - # Not Valid After : Mon Aug 21 11:37:07 2017 - # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26 -@@ -10583,16 +10281,17 @@ - \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240 - \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240 - \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160 - \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302 - \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210 - \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115 - \366\356\260\132\116\111\104\124\130\137\102\203 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "certSIGN ROOT CA" - # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO - # Serial Number:20:06:05:16:70:02 - # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO - # Not Valid Before: Tue Jul 04 17:20:04 2006 - # Not Valid After : Fri Jul 04 17:20:04 2031 - # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17 -@@ -10706,16 +10405,17 @@ - \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313 - \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356 - \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311 - \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143 - \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256 - \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125 - \011\333\212\101\202\236\146\233\021 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "CNNIC ROOT" - # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN - # Serial Number: 1228079105 (0x49330001) - # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN - # Not Valid Before: Mon Apr 16 07:09:14 2007 - # Not Valid After : Fri Apr 16 07:09:14 2027 - # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19 -@@ -10742,147 +10442,16 @@ - \002\004\111\063\000\001 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "ApplicationCA - Japanese Government" --# --# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP --# Serial Number: 49 (0x31) --# Subject: OU=ApplicationCA,O=Japanese Government,C=JP --# Not Valid Before: Wed Dec 12 15:00:00 2007 --# Not Valid After : Tue Dec 12 15:00:00 2017 --# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 --# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "ApplicationCA - Japanese Government" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\061 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034 --\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163 --\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024 --\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151 --\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065 --\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060 --\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023 --\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141 --\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156 --\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154 --\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006 --\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 --\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207 --\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005 --\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212 --\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212 --\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240 --\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006 --\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171 --\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004 --\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155 --\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060 --\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214 --\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005 --\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155 --\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331 --\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060 --\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046 --\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243 --\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024 --\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320 --\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004 --\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244 --\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120 --\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234 --\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003 --\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202 --\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060 --\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003 --\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017 --\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172 --\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011 --\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234 --\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026 --\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176 --\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221 --\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217 --\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124 --\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210 --\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353 --\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243 --\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046 --\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377 --\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113 --\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177 --\262\033\211\124 --END -- --# Trust for Certificate "ApplicationCA - Japanese Government" --# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP --# Serial Number: 49 (0x31) --# Subject: OU=ApplicationCA,O=Japanese Government,C=JP --# Not Valid Before: Wed Dec 12 15:00:00 2007 --# Not Valid After : Tue Dec 12 15:00:00 2017 --# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 --# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "ApplicationCA - Japanese Government" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214 --\323\065\374\164 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326 --END --CKA_ISSUER MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\061 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "GeoTrust Primary Certification Authority - G3" - # - # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f - # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Not Valid Before: Wed Apr 02 00:00:00 2008 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05 -@@ -10984,16 +10553,17 @@ - \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346 - \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007 - \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032 - \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212 - \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206 - \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031 - \021\055 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Primary Certification Authority - G3" - # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f - # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Not Valid Before: Wed Apr 02 00:00:00 2008 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05 -@@ -11112,16 +10682,17 @@ - \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247 - \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167 - \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002 - \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374 - \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061 - \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022 - \367\130\077\056\162\002\127\243\217\241\024\056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "thawte Primary Root CA - G2" - # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US - # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56 - # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US - # Not Valid Before: Mon Nov 05 00:00:00 2007 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F -@@ -11271,16 +10842,17 @@ - \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364 - \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324 - \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314 - \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005 - \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157 - \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156 - \061\324\100\032\142\064\066\077\065\001\256\254\143\240 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "thawte Primary Root CA - G3" - # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US - # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb - # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US - # Not Valid Before: Wed Apr 02 00:00:00 2008 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31 -@@ -11406,16 +10978,17 @@ - \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221 - \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223 - \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066 - \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137 - \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063 - \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004 - \017\212 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GeoTrust Primary Certification Authority - G2" - # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b - # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Not Valid Before: Mon Nov 05 00:00:00 2007 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A -@@ -11575,16 +11148,17 @@ - \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342 - \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072 - \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321 - \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176 - \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360 - \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267 - \354\315\202\141\361\070\346\117\227\230\052\132\215 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "VeriSign Universal Root Certification Authority" - # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d - # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Wed Apr 02 00:00:00 2008 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19 -@@ -11729,16 +11303,17 @@ - \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102 - \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204 - \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110 - \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032 - \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307 - \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252 - \055\247\330\206\052\335\056\020 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" - # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3 - # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Mon Nov 05 00:00:00 2007 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41 -@@ -11888,16 +11463,17 @@ - \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205 - \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204 - \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366 - \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266 - \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221 - \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233 - \330\316\304\143\165\077\131\107\261 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "NetLock Arany (Class Gold) FÅ‘tanúsítvány" - # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU - # Serial Number:49:41:2c:e4:00:10 - # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU - # Not Valid Before: Thu Dec 11 15:08:21 2008 - # Not Valid After : Wed Dec 06 15:08:21 2028 - # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88 -@@ -12061,16 +11637,17 @@ - \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102 - \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367 - \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232 - \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331 - \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356 - \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265 - \370\161\012\334\271\374\175\062\140\346\353\257\212\001 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Staat der Nederlanden Root CA - G2" - # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL - # Serial Number: 10000012 (0x98968c) - # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL - # Not Valid Before: Wed Mar 26 11:18:17 2008 - # Not Valid After : Wed Mar 25 11:03:10 2020 - # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A -@@ -12186,16 +11763,17 @@ - \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105 - \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203 - \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116 - \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321 - \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206 - \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342 - \002\153\331\132 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Hongkong Post Root CA 1" - # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK - # Serial Number: 1000 (0x3e8) - # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK - # Not Valid Before: Thu May 15 05:13:14 2003 - # Not Valid After : Mon May 15 04:52:29 2023 - # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA -@@ -12316,16 +11894,17 @@ - \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310 - \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371 - \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154 - \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055 - \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215 - \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003 - \362 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "SecureSign RootCA11" - # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP - # Serial Number: 1 (0x1) - # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP - # Not Valid Before: Wed Apr 08 04:56:47 2009 - # Not Valid After : Sun Apr 08 04:56:47 2029 - # Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26 -@@ -12481,16 +12060,17 @@ - \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125 - \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255 - \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351 - \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235 - \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112 - \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176 - \113\076\053\070\007\125\230\136\244 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "ACEDICOM Root" - # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root - # Serial Number:61:8d:c7:86:3b:01:82:05 - # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root - # Not Valid Before: Fri Apr 18 16:24:22 2008 - # Not Valid After : Thu Apr 13 16:24:22 2028 - # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6 -@@ -12627,16 +12207,17 @@ - \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207 - \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334 - \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141 - \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070 - \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155 - \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311 - \202\042\055\172\124\253\160\303\175\042\145\202\160\226 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Microsec e-Szigno Root CA 2009" - # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU - # Serial Number:00:c2:7e:43:04:4e:47:3f:19 - # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU - # Not Valid Before: Tue Jun 16 11:30:18 2009 - # Not Valid After : Sun Dec 30 11:30:18 2029 - # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1 -@@ -12758,16 +12339,17 @@ - \231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125 - \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213 - \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054 - \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057 - \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162 - \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107 - \130\077\137 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "GlobalSign Root CA - R3" - # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 - # Serial Number:04:00:00:00:00:01:21:58:53:08:a2 - # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 - # Not Valid Before: Wed Mar 18 10:00:00 2009 - # Not Valid After : Sun Mar 18 10:00:00 2029 - # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28 -@@ -12930,16 +12512,17 @@ - \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336 - \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063 - \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136 - \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064 - \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001 - \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156 - \156\117\022\176\012\074\235\225 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" - # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES - # Serial Number:53:ec:3b:ee:fb:b2:48:5f - # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES - # Not Valid Before: Wed May 20 08:38:15 2009 - # Not Valid After : Tue Dec 31 08:38:15 2030 - # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3 -@@ -13098,16 +12681,17 @@ - \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076 - \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006 - \236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041 - \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154 - \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124 - \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154 - \333\374\046\210\307 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Izenpe.com" - # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES - # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d - # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES - # Not Valid Before: Thu Dec 13 13:08:28 2007 - # Not Valid After : Sun Dec 13 08:27:25 2037 - # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73 -@@ -13302,16 +12886,17 @@ - \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373 - \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031 - \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140 - \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221 - \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246 - \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331 - \167\110\320 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Chambers of Commerce Root - 2008" - # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU - # Serial Number:00:a3:da:42:7e:a4:b1:ae:da - # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU - # Not Valid Before: Fri Aug 01 12:29:50 2008 - # Not Valid After : Sat Jul 31 12:29:50 2038 - # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7 -@@ -13510,16 +13095,17 @@ - \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036 - \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351 - \067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150 - \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231 - \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060 - \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364 - \351\233\256\325\124\300\164\200\321\013\102\237\301 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Global Chambersign Root - 2008" - # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU - # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce - # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU - # Not Valid Before: Fri Aug 01 12:31:40 2008 - # Not Valid After : Sat Jul 31 12:31:40 2038 - # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3 -@@ -15376,16 +14962,17 @@ - \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333 - \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075 - \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316 - \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006 - \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324 - \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210 - \342\342\104\276\134\367\352\034\365 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Go Daddy Root Certificate Authority - G2" - # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US - # Serial Number: 0 (0x0) - # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US - # Not Valid Before: Tue Sep 01 00:00:00 2009 - # Not Valid After : Thu Dec 31 23:59:59 2037 - # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01 -@@ -15525,16 +15112,17 @@ - \037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312 - \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011 - \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042 - \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365 - \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045 - \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151 - \364 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Starfield Root Certificate Authority - G2" - # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US - # Serial Number: 0 (0x0) - # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US - # Not Valid Before: Tue Sep 01 00:00:00 2009 - # Not Valid After : Thu Dec 31 23:59:59 2037 - # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96 -@@ -15676,16 +15264,17 @@ - \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372 - \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046 - \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247 - \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060 - \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250 - \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215 - \261\050\272 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Starfield Services Root Certificate Authority - G2" - # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US - # Serial Number: 0 (0x0) - # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US - # Not Valid Before: Tue Sep 01 00:00:00 2009 - # Not Valid After : Thu Dec 31 23:59:59 2037 - # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2 -@@ -15806,16 +15395,17 @@ - \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302 - \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140 - \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162 - \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111 - \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002 - \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236 - \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AffirmTrust Commercial" - # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US - # Serial Number:77:77:06:27:26:a9:b1:7c - # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US - # Not Valid Before: Fri Jan 29 14:06:06 2010 - # Not Valid After : Tue Dec 31 14:06:06 2030 - # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7 -@@ -15931,16 +15521,17 @@ - \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110 - \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056 - \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313 - \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221 - \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074 - \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064 - \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AffirmTrust Networking" - # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US - # Serial Number:7c:4f:04:39:1c:d4:99:2d - # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US - # Not Valid Before: Fri Jan 29 14:08:24 2010 - # Not Valid After : Tue Dec 31 14:08:24 2030 - # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F -@@ -16088,16 +15679,17 @@ - \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303 - \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027 - \241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216 - \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317 - \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052 - \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236 - \051\340\266\270\011\150\031\034\030\103 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AffirmTrust Premium" - # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US - # Serial Number:6d:8c:14:46:b1:a6:0a:ee - # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US - # Not Valid Before: Fri Jan 29 14:10:36 2010 - # Not Valid After : Mon Dec 31 14:10:36 2040 - # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57 -@@ -16193,16 +15785,17 @@ - \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154 - \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306 - \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161 - \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210 - \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131 - \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002 - \214\171 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "AffirmTrust Premium ECC" - # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US - # Serial Number:74:97:25:8a:c7:3f:7a:54 - # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US - # Not Valid Before: Fri Jan 29 14:20:24 2010 - # Not Valid After : Mon Dec 31 14:20:24 2040 - # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D -@@ -16331,16 +15924,17 @@ - \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230 - \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132 - \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130 - \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110 - \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232 - \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106 - \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Certum Trusted Network CA" - # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL - # Serial Number: 279744 (0x444c0) - # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL - # Not Valid Before: Wed Oct 22 12:07:37 2008 - # Not Valid After : Mon Dec 31 12:07:37 2029 - # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78 -@@ -16500,16 +16094,17 @@ - \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133 - \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333 - \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027 - \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164 - \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126 - \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143 - \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Certinomis - Autorité Racine" - # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR - # Serial Number: 1 (0x1) - # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR - # Not Valid Before: Wed Sep 17 08:28:59 2008 - # Not Valid After : Sun Sep 17 08:28:59 2028 - # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A -@@ -16634,16 +16229,17 @@ - \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106 - \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347 - \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066 - \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332 - \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031 - \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316 - \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "TWCA Root Certification Authority" - # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW - # Serial Number: 1 (0x1) - # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW - # Not Valid Before: Thu Aug 28 07:24:33 2008 - # Not Valid After : Tue Dec 31 15:59:59 2030 - # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79 -@@ -18024,16 +17620,17 @@ - \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164 - \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162 - \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354 - \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051 - \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077 - \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136 - \201\050\174\247\175\047\353\000\256\215\067 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Security Communication RootCA2" - # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP - # Serial Number: 0 (0x0) - # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP - # Not Valid Before: Fri May 29 05:00:39 2009 - # Not Valid After : Tue May 29 05:00:39 2029 - # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43 -@@ -18206,16 +17803,17 @@ - \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210 - \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222 - \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023 - \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201 - \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145 - \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133 - \371\210\075\176\270\157\156\003\344\102 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "EC-ACC" - # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES - # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01 - # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES - # Not Valid Before: Tue Jan 07 23:00:00 2003 - # Not Valid After : Tue Jan 07 22:59:59 2031 - # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09 -@@ -18368,16 +17966,17 @@ - \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117 - \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254 - \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063 - \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271 - \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310 - \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071 - \113\321\047\327\270 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011" - # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR - # Serial Number: 0 (0x0) - # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR - # Not Valid Before: Tue Dec 06 13:49:52 2011 - # Not Valid After : Mon Dec 01 13:49:52 2031 - # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9 -@@ -18603,16 +18202,17 @@ - \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146 - \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124 - \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024 - \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263 - \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223 - \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056 - \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Actalis Authentication Root CA" - # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT - # Serial Number:57:0a:11:97:42:c4:e3:cc - # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT - # Not Valid Before: Thu Sep 22 11:22:02 2011 - # Not Valid After : Sun Sep 22 11:22:02 2030 - # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6 -@@ -18733,16 +18333,17 @@ - \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341 - \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377 - \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005 - \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053 - \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272 - \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015 - \145\353\127\331\363\127\226\273\110\315\201 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Trustis FPS Root CA" - # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB - # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 - # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB - # Not Valid Before: Tue Dec 23 12:14:06 2003 - # Not Valid After : Sun Jan 21 11:36:54 2024 - # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D -@@ -18933,16 +18534,17 @@ - \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340 - \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135 - \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331 - \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212 - \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217 - \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346 - \177\045\245\362\110\000\300\244\001\332\077 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "StartCom Certification Authority" - # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - # Serial Number: 45 (0x2d) - # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - # Not Valid Before: Sun Sep 17 19:46:37 2006 - # Not Valid After : Wed Sep 17 19:46:36 2036 - # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16 -@@ -19097,16 +18699,17 @@ - \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050 - \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355 - \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311 - \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153 - \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303 - \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123 - \127\055\366\320\341\327\110 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "StartCom Certification Authority G2" - # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL - # Serial Number: 59 (0x3b) - # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL - # Not Valid Before: Fri Jan 01 01:00:01 2010 - # Not Valid After : Sat Dec 31 23:59:01 2039 - # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64 -@@ -19256,16 +18859,17 @@ - \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040 - \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141 - \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011 - \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314 - \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363 - \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277 - \327\201\011\361\311\307\046\015\254\230\026\126\240 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Buypass Class 2 Root CA" - # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO - # Serial Number: 2 (0x2) - # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO - # Not Valid Before: Tue Oct 26 08:38:03 2010 - # Not Valid After : Fri Oct 26 08:38:03 2040 - # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29 -@@ -19414,16 +19018,17 @@ - \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065 - \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303 - \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170 - \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346 - \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152 - \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351 - \061\356\006\274\163\277\023\142\012\237\307\271\227 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Buypass Class 3 Root CA" - # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO - # Serial Number: 2 (0x2) - # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO - # Not Valid Before: Tue Oct 26 08:28:58 2010 - # Not Valid After : Fri Oct 26 08:28:58 2040 - # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC -@@ -19555,16 +19160,17 @@ - \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157 - \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011 - \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245 - \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032 - \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202 - \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051 - \116\223\303\244\124\024\133 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "T-TeleSec GlobalRoot Class 3" - # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE - # Serial Number: 1 (0x1) - # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE - # Not Valid Before: Wed Oct 01 10:29:56 2008 - # Not Valid After : Sat Oct 01 23:59:59 2033 - # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF -@@ -19703,16 +19309,17 @@ - \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072 - \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026 - \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123 - \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356 - \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357 - \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220 - \307\314\165\301\226\305\235 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "EE Certification Centre Root CA" - # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE - # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a - # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE - # Not Valid Before: Sat Oct 30 10:10:30 2010 - # Not Valid After : Tue Dec 17 23:59:59 2030 - # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F -@@ -19932,16 +19539,17 @@ - \005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032 - \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325 - \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277 - \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031 - \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146 - \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071 - \175 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "TURKTRUST Certificate Services Provider Root 2007" - # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. - # Serial Number: 1 (0x1) - # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. - # Not Valid Before: Tue Dec 25 18:37:19 2007 - # Not Valid After : Fri Dec 22 18:37:19 2017 - # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72 -@@ -20080,16 +19688,17 @@ - \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133 - \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274 - \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227 - \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366 - \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330 - \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136 - \164\145\327\134\376\243\342 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "D-TRUST Root Class 3 CA 2 2009" - # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE - # Serial Number: 623603 (0x983f3) - # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE - # Not Valid Before: Thu Nov 05 08:35:58 2009 - # Not Valid After : Mon Nov 05 08:35:58 2029 - # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F -@@ -20223,16 +19832,17 @@ - \173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332 - \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046 - \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063 - \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227 - \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327 - \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041 - \352\237\026\361\054\124\265 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "D-TRUST Root Class 3 CA 2 EV 2009" - # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE - # Serial Number: 623604 (0x983f4) - # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE - # Not Valid Before: Thu Nov 05 08:50:46 2009 - # Not Valid After : Mon Nov 05 08:50:46 2029 - # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6 -@@ -20472,16 +20082,17 @@ - \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375 - \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141 - \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253 - \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307 - \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063 - \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335 - \376\206\364\274\340\032\161\263\142\246 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "PSCProcert" - # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano - # Serial Number: 11 (0xb) - # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve - # Not Valid Before: Tue Dec 28 16:51:00 2010 - # Not Valid After : Fri Dec 25 23:59:59 2020 - # Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC -@@ -20630,16 +20241,17 @@ - \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326 - \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276 - \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310 - \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276 - \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367 - \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362 - \303\055\375\024\052\220\231\271\007\314\237 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "China Internet Network Information Center EV Certificates Root" - # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN - # Serial Number: 1218379777 (0x489f0001) - # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN - # Not Valid Before: Tue Aug 31 07:11:25 2010 - # Not Valid After : Sat Aug 31 07:11:25 2030 - # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15 -@@ -20805,16 +20417,17 @@ - \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114 - \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164 - \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166 - \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335 - \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224 - \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071 - \301\053\022\236\246\236\033\305\346\016\331\061\331 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Swisscom Root CA 2" - # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch - # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6 - # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch - # Not Valid Before: Fri Jun 24 08:38:14 2011 - # Not Valid After : Wed Jun 25 07:38:14 2031 - # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19 -@@ -20980,16 +20593,17 @@ - \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370 - \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310 - \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357 - \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036 - \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033 - \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255 - \046\277\242\367 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Swisscom Root EV CA 2" - # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch - # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58 - # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch - # Not Valid Before: Fri Jun 24 09:45:08 2011 - # Not Valid After : Wed Jun 25 08:45:08 2031 - # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC -@@ -21144,16 +20758,17 @@ - \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205 - \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121 - \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276 - \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023 - \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066 - \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342 - \360\343\355\144\236\075\057\226\122\117\200\123\213 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "CA Disig Root R1" - # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK - # Serial Number:00:c3:03:9a:ee:50:90:6e:28 - # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK - # Not Valid Before: Thu Jul 19 09:06:56 2012 - # Not Valid After : Sat Jul 19 09:06:56 2042 - # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A -@@ -21306,16 +20921,17 @@ - \233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254 - \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123 - \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302 - \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061 - \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146 - \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375 - \363\154\033\165\106\243\345\112\027\351\244\327\013 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "CA Disig Root R2" - # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK - # Serial Number:00:92:b8:88:db:b0:8a:c1:63 - # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK - # Not Valid Before: Thu Jul 19 09:15:30 2012 - # Not Valid After : Sat Jul 19 09:15:30 2042 - # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03 -@@ -21505,16 +21121,17 @@ - \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105 - \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226 - \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217 - \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207 - \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311 - \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113 - \125\064\106\052\213\206\073 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "ACCVRAIZ1" - # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 - # Serial Number:5e:c3:b7:a6:43:7f:a4:e0 - # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 - # Not Valid Before: Thu May 05 09:37:37 2011 - # Not Valid After : Tue Dec 31 09:37:37 2030 - # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02 -@@ -21664,16 +21281,17 @@ - \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004 - \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127 - \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263 - \150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316 - \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364 - \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262 - \053\006\320\004\315 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "TWCA Global Root CA" - # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW - # Serial Number: 3262 (0xcbe) - # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW - # Not Valid Before: Wed Jun 27 06:28:33 2012 - # Not Valid After : Tue Dec 31 15:59:59 2030 - # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96 -@@ -21820,16 +21438,17 @@ - \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047 - \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206 - \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077 - \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161 - \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131 - \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211 - \245\240\314\277\323\366\165\244\165\226\155\126 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "TeliaSonera Root CA v1" - # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera - # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 - # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera - # Not Valid Before: Thu Oct 18 12:00:50 2007 - # Not Valid After : Mon Oct 18 12:00:50 2032 - # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C -@@ -22007,16 +21626,17 @@ - \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013 - \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103 - \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373 - \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147 - \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035 - \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073 - \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "E-Tugra Certification Authority" - # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR - # Serial Number:6a:68:3e:9c:51:9b:cb:53 - # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR - # Not Valid Before: Tue Mar 05 12:09:48 2013 - # Not Valid After : Fri Mar 03 12:09:48 2023 - # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49 -@@ -22155,16 +21775,17 @@ - \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311 - \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030 - \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015 - \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263 - \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333 - \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117 - \005\047\216\023\241\156\302 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "T-TeleSec GlobalRoot Class 2" - # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE - # Serial Number: 1 (0x1) - # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE - # Not Valid Before: Wed Oct 01 10:40:14 2008 - # Not Valid After : Sat Oct 01 23:59:59 2033 - # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A -@@ -22285,16 +21906,17 @@ - \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132 - \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203 - \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151 - \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344 - \132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357 - \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140 - \035\362\376\011\021\260\360\207\173\247\235 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Atos TrustedRoot 2011" - # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011 - # Serial Number:5c:33:cb:62:2c:5f:b3:32 - # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011 - # Not Valid Before: Thu Jul 07 14:58:30 2011 - # Not Valid After : Tue Dec 31 23:59:59 2030 - # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56 -@@ -22444,16 +22066,17 @@ - \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151 - \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025 - \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264 - \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155 - \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326 - \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207 - \063\140\345\303 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "QuoVadis Root CA 1 G3" - # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM - # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93 - # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM - # Not Valid Before: Thu Jan 12 17:27:44 2012 - # Not Valid After : Sun Jan 12 17:27:44 2042 - # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74 -@@ -22605,16 +22228,17 @@ - \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214 - \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045 - \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202 - \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270 - \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152 - \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151 - \203\336\177\214 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "QuoVadis Root CA 2 G3" - # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM - # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28 - # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM - # Not Valid Before: Thu Jan 12 18:59:32 2012 - # Not Valid After : Sun Jan 12 18:59:32 2042 - # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40 -@@ -22766,16 +22390,17 @@ - \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315 - \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165 - \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353 - \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177 - \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047 - \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375 - \130\371\230\364 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "QuoVadis Root CA 3 G3" - # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM - # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d - # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM - # Not Valid Before: Thu Jan 12 20:26:32 2012 - # Not Valid After : Sun Jan 12 20:26:32 2042 - # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46 -@@ -22902,16 +22527,17 @@ - \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015 - \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127 - \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257 - \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336 - \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067 - \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050 - \042\023\163\154\317\046\365\212\051\347 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "DigiCert Assured ID Root G2" - # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b - # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Thu Aug 01 12:00:00 2013 - # Not Valid After : Fri Jan 15 12:00:00 2038 - # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85 -@@ -23019,16 +22645,17 @@ - \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113 - \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221 - \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130 - \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345 - \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161 - \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057 - \352\226\143\152\145\105\222\225\001\264 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "DigiCert Assured ID Root G3" - # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec - # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Thu Aug 01 12:00:00 2013 - # Not Valid After : Fri Jan 15 12:00:00 2038 - # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2 -@@ -23157,16 +22784,17 @@ - \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020 - \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016 - \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336 - \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236 - \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137 - \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345 - \062\266 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "DigiCert Global Root G2" - # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 - # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Thu Aug 01 12:00:00 2013 - # Not Valid After : Fri Jan 15 12:00:00 2038 - # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F -@@ -23274,16 +22902,17 @@ - \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163 - \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236 - \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177 - \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111 - \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210 - \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174 - \263\047\027 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "DigiCert Global Root G3" - # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72 - # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Thu Aug 01 12:00:00 2013 - # Not Valid After : Fri Jan 15 12:00:00 2038 - # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0 -@@ -23444,16 +23073,17 @@ - \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065 - \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301 - \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350 - \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246 - \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344 - \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274 - \317\363\146\176 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "DigiCert Trusted Root G4" - # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US - # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c - # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US - # Not Valid Before: Thu Aug 01 12:00:00 2013 - # Not Valid After : Fri Jan 15 12:00:00 2038 - # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88 -@@ -23610,16 +23240,17 @@ - \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221 - \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244 - \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045 - \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110 - \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246 - \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223 - \171\356\104\206\276\327\036\344\036\373 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "WoSign" - # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN - # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91 - # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN - # Not Valid Before: Sat Aug 08 01:00:01 2009 - # Not Valid After : Mon Aug 08 01:00:01 2039 - # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 -@@ -23771,16 +23402,17 @@ - \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215 - \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336 - \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117 - \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010 - \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165 - \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327 - \234\313\051\213\070\112\013\016\220\215\272\241 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "WoSign China" - # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN - # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d - # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN - # Not Valid Before: Sat Aug 08 01:00:01 2009 - # Not Valid After : Mon Aug 08 01:00:01 2039 - # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 -@@ -23947,16 +23579,17 @@ - \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336 - \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116 - \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245 - \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174 - \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354 - \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301 - \065\123\205\006\112\135\237\255\273\033\137\164 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "COMODO RSA Certification Authority" - # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d - # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Tue Jan 19 00:00:00 2010 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34 -@@ -24128,16 +23761,17 @@ - \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301 - \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201 - \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217 - \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135 - \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306 - \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220 - \250\375 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "USERTrust RSA Certification Authority" - # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US - # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d - # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US - # Not Valid Before: Mon Feb 01 00:00:00 2010 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 -@@ -24256,16 +23890,17 @@ - \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001 - \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035 - \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115 - \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326 - \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304 - \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135 - \127\152\030 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "USERTrust ECC Certification Authority" - # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US - # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 - # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US - # Not Valid Before: Mon Feb 01 00:00:00 2010 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A -@@ -24367,16 +24002,17 @@ - \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060 - \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105 - \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227 - \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274 - \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107 - \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354 - \173\013\370\237\204 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "GlobalSign ECC Root CA - R4" - # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 - # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 - # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 - # Not Valid Before: Tue Nov 13 00:00:00 2012 - # Not Valid After : Tue Jan 19 03:14:07 2038 - # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C -@@ -24479,16 +24115,17 @@ - \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375 - \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240 - \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142 - \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222 - \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316 - \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146 - \220\067 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "GlobalSign ECC Root CA - R5" - # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 - # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c - # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 - # Not Valid Before: Tue Nov 13 00:00:00 2012 - # Not Valid After : Tue Jan 19 03:14:07 2038 - # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24 -@@ -24653,16 +24290,17 @@ - \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272 - \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170 - \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246 - \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227 - \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207 - \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333 - \145\110\041\012\057\327\334\176\240\314\145\176\171 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" - # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae - # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US - # Not Valid Before: Thu Mar 26 00:00:00 2009 - # Not Valid After : Sun Mar 24 23:59:59 2019 - # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14 -@@ -24824,16 +24462,17 @@ - \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044 - \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276 - \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077 - \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172 - \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110 - \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014 - \367\200\173\041\147\047\060\131 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Staat der Nederlanden Root CA - G3" - # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL - # Serial Number: 10003001 (0x98a239) - # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL - # Not Valid Before: Thu Nov 14 11:28:42 2013 - # Not Valid After : Mon Nov 13 23:00:00 2028 - # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28 -@@ -24987,16 +24626,17 @@ - \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017 - \040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361 - \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274 - \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031 - \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047 - \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034 - \356\354\327\056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Staat der Nederlanden EV Root CA" - # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL - # Serial Number: 10000013 (0x98968d) - # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL - # Not Valid Before: Wed Dec 08 11:19:29 2010 - # Not Valid After : Thu Dec 08 11:10:28 2022 - # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A -@@ -25148,16 +24788,17 @@ - \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331 - \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147 - \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161 - \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200 - \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253 - \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030 - \272\204\156\207 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "IdenTrust Commercial Root CA 1" - # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US - # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 - # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US - # Not Valid Before: Thu Jan 16 18:12:23 2014 - # Not Valid After : Mon Jan 16 18:12:23 2034 - # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE -@@ -25309,16 +24950,17 @@ - \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100 - \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144 - \164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220 - \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357 - \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162 - \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245 - \267\254\266\255\267\312\076\001\357\234 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "IdenTrust Public Sector Root CA 1" - # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US - # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 - # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US - # Not Valid Before: Thu Jan 16 17:53:32 2014 - # Not Valid After : Mon Jan 16 17:53:32 2034 - # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F -@@ -25453,16 +25095,17 @@ - \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314 - \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052 - \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141 - \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007 - \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116 - \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161 - \073\303\035\374\377\262\117\250\342\366\060\036 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "S-TRUST Universal Root CA" - # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE - # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e - # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE - # Not Valid Before: Tue Oct 22 00:00:00 2013 - # Not Valid After : Thu Oct 21 23:59:59 2038 - # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31 -@@ -25615,16 +25258,17 @@ - \274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021 - \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207 - \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130 - \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207 - \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005 - \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213 - \105\366 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Entrust Root Certification Authority - G2" - # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US - # Serial Number: 1246989352 (0x4a538c28) - # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US - # Not Valid Before: Tue Jul 07 17:25:54 2009 - # Not Valid After : Sat Dec 07 17:55:54 2030 - # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 -@@ -25759,16 +25403,17 @@ - \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102 - \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321 - \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365 - \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327 - \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247 - \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270 - \231\267\046\101\133\045\140\256\320\110\032\356\006 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Entrust Root Certification Authority - EC1" - # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US - # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9 - # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US - # Not Valid Before: Tue Dec 18 15:25:36 2012 - # Not Valid After : Fri Dec 18 15:55:36 2037 - # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 -@@ -25931,16 +25576,17 @@ - \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231 - \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325 - \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222 - \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331 - \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243 - \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173 - \056 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "CFCA EV ROOT" - # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN - # Serial Number: 407555286 (0x184accd6) - # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN - # Not Valid Before: Wed Aug 08 03:07:01 2012 - # Not Valid After : Mon Dec 31 03:07:01 2029 - # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD -@@ -26228,16 +25874,17 @@ - \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364 - \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235 - \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205 - \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114 - \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346 - \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226 - \372\253\101\341\113\266\065\013\300\233\025 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H5" - # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR - # Serial Number:00:8e:17:fe:24:20:81 - # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR - # Not Valid Before: Tue Apr 30 08:07:01 2013 - # Not Valid After : Fri Apr 28 08:07:01 2023 - # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78 -@@ -26272,176 +25919,16 @@ - \002\007\000\216\027\376\044\040\201 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --# --# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Serial Number:7d:a1:f2:65:ec:8a --# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Not Valid Before: Wed Dec 18 09:04:10 2013 --# Not Valid After : Sat Dec 16 09:04:10 2023 --# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 --# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 --\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 --\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\006\175\241\362\145\354\212 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175 --\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001 --\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006 --\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101 --\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104 --\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151 --\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102 --\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151 --\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101 --\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124 --\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162 --\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110 --\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143 --\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062 --\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061 --\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006 --\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004 --\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125 --\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102 --\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040 --\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166 --\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145 --\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004 --\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154 --\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151 --\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141 --\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042 --\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 --\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150 --\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161 --\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063 --\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157 --\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275 --\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324 --\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327 --\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200 --\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324 --\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330 --\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051 --\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315 --\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136 --\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251 --\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171 --\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143 --\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001 --\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004 --\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000 --\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004 --\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004 --\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015 --\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252 --\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122 --\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024 --\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002 --\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066 --\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356 --\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062 --\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226 --\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024 --\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003 --\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050 --\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342 --\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246 --\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203 --\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130 --\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006 --\264\013\230\113\050\136\257\210\130\313 --END -- --# Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Serial Number:7d:a1:f2:65:ec:8a --# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Not Valid Before: Wed Dec 18 09:04:10 2013 --# Not Valid After : Sat Dec 16 09:04:10 2023 --# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 --# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260 --\355\345\057\340 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106 --END --CKA_ISSUER MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 --\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\006\175\241\362\145\354\212 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "Certinomis - Root CA" - # - # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Serial Number: 1 (0x1) - # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Not Valid Before: Mon Oct 21 09:17:18 2013 - # Not Valid After : Fri Oct 21 09:17:18 2033 - # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 -@@ -26559,16 +26046,17 @@ - \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120 - \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026 - \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156 - \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326 - \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270 - \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305 - \153\206\102\006\271\101 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Certinomis - Root CA" - # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Serial Number: 1 (0x1) - # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Not Valid Before: Mon Oct 21 09:17:18 2013 - # Not Valid After : Fri Oct 21 09:17:18 2033 - # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 -@@ -26697,16 +26185,17 @@ - \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337 - \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004 - \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332 - \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034 - \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307 - \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176 - \065\255\201\307\116\161\272\210\023 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "OISTE WISeKey Global Root GB CA" - # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH - # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 - # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH - # Not Valid Before: Mon Dec 01 15:00:32 2014 - # Not Valid After : Thu Dec 01 15:10:31 2039 - # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6 -@@ -26831,16 +26320,17 @@ - \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310 - \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340 - \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060 - \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102 - \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273 - \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340 - \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Certification Authority of WoSign G2" - # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN - # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44 - # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN - # Not Valid Before: Sat Nov 08 00:58:58 2014 - # Not Valid After : Tue Nov 08 00:58:58 2044 - # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 -@@ -26939,16 +26429,17 @@ - \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201 - \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153 - \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312 - \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367 - \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073 - \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046 - \056\153\361\221\262\220\145\364\232\346\220\356\112 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "CA WoSign ECC Root" - # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN - # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90 - # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN - # Not Valid Before: Sat Nov 08 00:58:58 2014 - # Not Valid After : Tue Nov 08 00:58:58 2044 - # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 -@@ -27071,16 +26562,17 @@ - \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353 - \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262 - \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076 - \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227 - \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240 - \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212 - \326\040\036\343\163\267 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "SZAFIR ROOT CA2" - # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL - # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 - # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL - # Not Valid Before: Mon Oct 19 07:43:30 2015 - # Not Valid After : Fri Oct 19 07:43:30 2035 - # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE -@@ -27248,16 +26740,17 @@ - \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304 - \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022 - \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317 - \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030 - \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336 - \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342 - \016\265\271\276\044\217 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Certum Trusted Network CA 2" - # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL - # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9 - # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL - # Not Valid Before: Thu Oct 06 08:39:56 2011 - # Not Valid After : Sat Oct 06 08:39:56 2046 - # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04 -@@ -27434,16 +26927,17 @@ - \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101 - \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203 - \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312 - \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253 - \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100 - \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264 - \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Hellenic Academic and Research Institutions RootCA 2015" - # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR - # Serial Number: 0 (0x0) - # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR - # Not Valid Before: Tue Jul 07 10:11:21 2015 - # Not Valid After : Sat Jun 30 10:11:21 2040 - # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36 -@@ -27569,16 +27063,17 @@ - \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251 - \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004 - \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057 - \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037 - \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145 - \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312 - \342\174\352\002\130\042\221 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015" - # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR - # Serial Number: 0 (0x0) - # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR - # Not Valid Before: Tue Jul 07 10:37:12 2015 - # Not Valid After : Sat Jun 30 10:37:12 2040 - # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33 -@@ -27733,16 +27228,17 @@ - \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271 - \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372 - \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166 - \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145 - \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213 - \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300 - \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Certplus Root CA G1" - # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR - # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11 - # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR - # Not Valid Before: Mon May 26 00:00:00 2014 - # Not Valid After : Fri Jan 15 00:00:00 2038 - # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E -@@ -27838,16 +27334,17 @@ - \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260 - \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063 - \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041 - \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000 - \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150 - \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245 - \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Certplus Root CA G2" - # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR - # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55 - # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR - # Not Valid Before: Mon May 26 00:00:00 2014 - # Not Valid After : Fri Jan 15 00:00:00 2038 - # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17 -@@ -27999,16 +27496,17 @@ - \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340 - \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011 - \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111 - \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034 - \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336 - \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043 - \326\214\161 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "OpenTrust Root CA G1" - # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR - # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67 - # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR - # Not Valid Before: Mon May 26 08:45:50 2014 - # Not Valid After : Fri Jan 15 00:00:00 2038 - # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4 -@@ -28161,16 +27659,17 @@ - \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140 - \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225 - \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037 - \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030 - \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377 - \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014 - \113\122\012 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "OpenTrust Root CA G2" - # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR - # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11 - # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR - # Not Valid Before: Mon May 26 00:00:00 2014 - # Not Valid After : Fri Jan 15 00:00:00 2038 - # Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2 -@@ -28270,16 +27769,17 @@ - \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051 - \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252 - \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217 - \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373 - \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161 - \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352 - \315\215\361\373\301 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "OpenTrust Root CA G3" - # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR - # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f - # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR - # Not Valid Before: Mon May 26 00:00:00 2014 - # Not Valid After : Fri Jan 15 00:00:00 2038 - # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92 -@@ -28433,16 +27933,17 @@ - \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300 - \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044 - \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172 - \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335 - \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006 - \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137 - \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "ISRG Root X1" - # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US - # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 - # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US - # Not Valid Before: Thu Jun 04 11:04:38 2015 - # Not Valid After : Mon Jun 04 11:04:38 2035 - # Fingerprint (SHA-256): 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6 -@@ -28595,16 +28096,17 @@ - \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125 - \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044 - \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360 - \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004 - \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057 - \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121 - \072\117\110\366\213\266\263 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "AC RAIZ FNMT-RCM" - # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES - # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 - # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES - # Not Valid Before: Wed Oct 29 15:59:56 2008 - # Not Valid After : Tue Jan 01 00:00:00 2030 - # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA -@@ -28719,16 +28221,17 @@ - \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127 - \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324 - \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136 - \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223 - \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162 - \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353 - \304\220\276\361\271 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Amazon Root CA 1" - # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US - # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca - # Subject: CN=Amazon Root CA 1,O=Amazon,C=US - # Not Valid Before: Tue May 26 00:00:00 2015 - # Not Valid After : Sun Jan 17 00:00:00 2038 - # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E -@@ -28875,16 +28378,17 @@ - \357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264 - \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357 - \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007 - \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045 - \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321 - \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323 - \340\373\011\140\154 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Amazon Root CA 2" - # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US - # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 - # Subject: CN=Amazon Root CA 2,O=Amazon,C=US - # Not Valid Before: Tue May 26 00:00:00 2015 - # Not Valid After : Sat May 26 00:00:00 2040 - # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4 -@@ -28974,16 +28478,17 @@ - \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031 - \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003 - \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053 - \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170 - \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234 - \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214 - \143\044\110\034\337\060\175\325\150\073 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Amazon Root CA 3" - # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US - # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a - # Subject: CN=Amazon Root CA 3,O=Amazon,C=US - # Not Valid Before: Tue May 26 00:00:00 2015 - # Not Valid After : Sat May 26 00:00:00 2040 - # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4 -@@ -29077,16 +28582,17 @@ - \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057 - \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160 - \012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065 - \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221 - \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226 - \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265 - \012\166\324\245\274\020 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Amazon Root CA 4" - # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US - # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e - # Subject: CN=Amazon Root CA 4,O=Amazon,C=US - # Not Valid Before: Tue May 26 00:00:00 2015 - # Not Valid After : Sat May 26 00:00:00 2040 - # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92 -@@ -29243,16 +28749,17 @@ - \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376 - \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377 - \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175 - \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072 - \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125 - \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154 - \045\307\043\200\203\012\353 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "LuxTrust Global Root 2" - # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU - # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 - # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU - # Not Valid Before: Thu Mar 05 13:21:57 2015 - # Not Valid After : Mon Mar 05 13:21:57 2035 - # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5 -@@ -29391,16 +28898,17 @@ - \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126 - \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104 - \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100 - \014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013 - \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043 - \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364 - \322\063\340\377\275\321\124\071\051\017 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Symantec Class 1 Public Primary Certification Authority - G6" - # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98 - # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Not Valid Before: Tue Oct 18 00:00:00 2011 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9 -@@ -29544,16 +29052,17 @@ - \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113 - \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231 - \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246 - \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035 - \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326 - \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376 - \157\374\132\344\202\125\131\257\061\251 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Symantec Class 2 Public Primary Certification Authority - G6" - # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41 - # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Not Valid Before: Tue Oct 18 00:00:00 2011 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0 -@@ -29676,16 +29185,17 @@ - \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230 - \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161 - \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271 - \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332 - \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154 - \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150 - \362\014\105\111\071\277\231\004\034\323\020\240 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Symantec Class 1 Public Primary Certification Authority - G4" - # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8 - # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Not Valid Before: Wed Oct 05 00:00:00 2011 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF -@@ -29808,16 +29318,17 @@ - \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265 - \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177 - \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172 - \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206 - \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216 - \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377 - \051\246\330\107\331\240\226\030\333\362\105\263 - END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - - # Trust for "Symantec Class 2 Public Primary Certification Authority - G4" - # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e - # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US - # Not Valid Before: Wed Oct 05 00:00:00 2011 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92 -@@ -29849,8 +29360,318 @@ - CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125 - \246\036 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -+ -+# -+# Certificate "D-TRUST Root CA 3 2013" -+# -+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Serial Number: 1039788 (0xfddac) -+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Not Valid Before: Fri Sep 20 08:25:51 2013 -+# Not Valid After : Wed Sep 20 08:25:51 2028 -+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 -+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 -+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" -+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -+CKA_SUBJECT MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 -+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 -+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_ID UTF8 "0" -+CKA_ISSUER MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 -+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 -+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\003\017\335\254 -+END -+CKA_VALUE MULTILINE_OCTAL -+\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017 -+\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005 -+\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105 -+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165 -+\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003 -+\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103 -+\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071 -+\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062 -+\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003 -+\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 -+\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037 -+\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124 -+\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060 -+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 -+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 -+\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337 -+\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341 -+\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046 -+\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154 -+\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340 -+\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011 -+\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274 -+\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323 -+\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352 -+\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121 -+\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075 -+\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256 -+\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077 -+\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357 -+\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174 -+\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263 -+\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006 -+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035 -+\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157 -+\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006 -+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276 -+\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240 -+\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164 -+\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057 -+\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157 -+\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061 -+\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155 -+\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143 -+\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163 -+\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057 -+\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057 -+\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164 -+\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015 -+\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001 -+\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234 -+\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237 -+\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317 -+\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175 -+\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040 -+\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065 -+\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210 -+\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157 -+\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246 -+\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303 -+\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115 -+\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223 -+\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113 -+\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147 -+\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155 -+\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111 -+\137\134 -+END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -+ -+# Trust for "D-TRUST Root CA 3 2013" -+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Serial Number: 1039788 (0xfddac) -+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Not Valid Before: Fri Sep 20 08:25:51 2013 -+# Not Valid After : Wed Sep 20 08:25:51 2028 -+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 -+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 -+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" -+CKA_CERT_SHA1_HASH MULTILINE_OCTAL -+\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170 -+\337\157\357\227 -+END -+CKA_CERT_MD5_HASH MULTILINE_OCTAL -+\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277 -+END -+CKA_ISSUER MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 -+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 -+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\003\017\335\254 -+END -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -+ -+# -+# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+# -+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Serial Number: 1 (0x1) -+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Not Valid Before: Mon Nov 25 08:25:55 2013 -+# Not Valid After : Sun Oct 25 08:25:55 2043 -+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 -+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA -+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -+CKA_SUBJECT MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 -+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 -+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_ID UTF8 "0" -+CKA_ISSUER MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 -+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 -+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\001\001 -+END -+CKA_VALUE MULTILINE_OCTAL -+\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001 -+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 -+\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061 -+\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040 -+\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125 -+\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151 -+\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152 -+\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162 -+\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060 -+\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162 -+\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145 -+\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064 -+\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113 -+\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123 -+\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162 -+\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070 -+\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062 -+\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006 -+\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107 -+\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102 -+\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145 -+\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153 -+\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155 -+\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124 -+\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155 -+\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040 -+\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123 -+\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111 -+\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040 -+\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040 -+\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006 -+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 -+\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273 -+\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377 -+\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372 -+\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253 -+\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154 -+\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320 -+\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153 -+\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000 -+\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116 -+\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227 -+\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332 -+\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311 -+\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177 -+\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054 -+\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352 -+\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037 -+\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243 -+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077 -+\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107 -+\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002 -+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003 -+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013 -+\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230 -+\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175 -+\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341 -+\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260 -+\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355 -+\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337 -+\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027 -+\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235 -+\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270 -+\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226 -+\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223 -+\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334 -+\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177 -+\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255 -+\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237 -+\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302 -+\237\042\136\242\017\241\343 -+END -+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -+ -+# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Serial Number: 1 (0x1) -+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Not Valid Before: Mon Nov 25 08:25:55 2013 -+# Not Valid After : Sun Oct 25 08:25:55 2043 -+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 -+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA -+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+CKA_CERT_SHA1_HASH MULTILINE_OCTAL -+\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350 -+\221\335\356\312 -+END -+CKA_CERT_MD5_HASH MULTILINE_OCTAL -+\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111 -+END -+CKA_ISSUER MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 -+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 -+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\001\001 -+END -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h ---- a/lib/ckfw/builtins/nssckbi.h -+++ b/lib/ckfw/builtins/nssckbi.h -@@ -17,41 +17,42 @@ - */ - #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2 - #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20 - - /* These version numbers detail the changes - * to the list of trusted certificates. - * - * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped -- * for each NSS minor release AND whenever we change the list of -- * trusted certificates. 10 minor versions are allocated for each -- * NSS 3.x branch as follows, allowing us to change the list of -- * trusted certificates up to 9 times on each branch. -- * - NSS 3.5 branch: 3-9 -- * - NSS 3.6 branch: 10-19 -- * - NSS 3.7 branch: 20-29 -- * - NSS 3.8 branch: 30-39 -- * - NSS 3.9 branch: 40-49 -- * - NSS 3.10 branch: 50-59 -- * - NSS 3.11 branch: 60-69 -- * ... -- * - NSS 3.12 branch: 70-89 -- * - NSS 3.13 branch: 90-99 -- * - NSS 3.14 branch: 100-109 -- * ... -- * - NSS 3.29 branch: 250-255 -+ * whenever we change the list of trusted certificates. -+ * -+ * Please use the following rules when increasing the version number: -+ * -+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR -+ * must always be an EVEN number (e.g. 16, 18, 20 etc.) -+ * -+ * - whenever possible, if older branches require a modification to the -+ * list, these changes should be made on the main line of development (trunk), -+ * and the older branches should update to the most recent list. -+ * -+ * - ODD minor version numbers are reserved to indicate a snapshot that has -+ * deviated from the main line of development, e.g. if it was necessary -+ * to modify the list on a stable branch. -+ * Once the version has been changed to an odd number (e.g. 2.13) on a branch, -+ * it should remain unchanged on that branch, even if further changes are -+ * made on that branch. - * - * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear - * whether we may use its full range (0-255) or only 0-99 because - * of the comment in the CK_VERSION type definition. -+ * It's recommend to switch back to 0 after having reached version 98/99. - */ - #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 --#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11 --#define NSS_BUILTINS_LIBRARY_VERSION "2.11" -+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14 -+#define NSS_BUILTINS_LIBRARY_VERSION "2.14" - - /* These version numbers detail the semantic changes to the ckfw engine. */ - #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 - #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0 - - /* These version numbers detail the semantic changes to ckbi itself - * (new PKCS #11 objects), etc. */ - #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1 - -diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c ---- a/lib/certdb/genname.c -+++ b/lib/certdb/genname.c -@@ -1583,19 +1583,19 @@ done: - - #define NAME_CONSTRAINTS_ENTRY(CA) \ - { \ - STRING_TO_SECITEM(CA##_SUBJECT_DN) \ - , \ - STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \ - } - --/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ -+/* clang-format off */ - --/* clang-format off */ -+/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ - - #define ANSSI_SUBJECT_DN \ - "\x30\x81\x85" \ - "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR" /* C */ \ - "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France" /* ST */ \ - "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris" /* L */ \ - "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN" /* O */ \ - "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI" /* OU */ \ -@@ -1614,20 +1614,49 @@ done: - "\x30\x05\x82\x03" ".pm" \ - "\x30\x05\x82\x03" ".bl" \ - "\x30\x05\x82\x03" ".mf" \ - "\x30\x05\x82\x03" ".wf" \ - "\x30\x05\x82\x03" ".pf" \ - "\x30\x05\x82\x03" ".nc" \ - "\x30\x05\x82\x03" ".tf" - -+/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */ -+ -+#define TUBITAK1_SUBJECT_DN \ -+ "\x30\x81\xd2" \ -+ "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \ -+ /* C */ "TR" \ -+ "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \ -+ /* L */ "Gebze - Kocaeli" \ -+ "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \ -+ /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \ -+ "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \ -+ /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \ -+ "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \ -+ /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+ -+#define TUBITAK1_NAME_CONSTRAINTS \ -+ "\x30\x65\xa0\x63" \ -+ "\x30\x09\x82\x07" ".gov.tr" \ -+ "\x30\x09\x82\x07" ".k12.tr" \ -+ "\x30\x09\x82\x07" ".pol.tr" \ -+ "\x30\x09\x82\x07" ".mil.tr" \ -+ "\x30\x09\x82\x07" ".tsk.tr" \ -+ "\x30\x09\x82\x07" ".kep.tr" \ -+ "\x30\x09\x82\x07" ".bel.tr" \ -+ "\x30\x09\x82\x07" ".edu.tr" \ -+ "\x30\x09\x82\x07" ".org.tr" -+ - /* clang-format on */ - --static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY( -- ANSSI) }; -+static const SECItem builtInNameConstraints[][2] = { -+ NAME_CONSTRAINTS_ENTRY(ANSSI), -+ NAME_CONSTRAINTS_ENTRY(TUBITAK1) -+}; - - SECStatus - CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions) - { - size_t i; - - if (!extensions) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - -diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h ---- a/lib/cryptohi/keythi.h -+++ b/lib/cryptohi/keythi.h -@@ -204,17 +204,17 @@ typedef struct SECKEYPublicKeyStr SECKEY - - #define SECKEY_ATTRIBUTE_VALUE(key, attribute) \ - (0 != (key->staticflags & SECKEY_##attribute)) - - #define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE) - - #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \ -- (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) -+ (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) - - /* - ** A generic key structure - */ - struct SECKEYPrivateKeyStr { - PLArenaPool *arena; - KeyType keyType; - PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */ -diff --git a/lib/nss/nss.def b/lib/nss/nss.def ---- a/lib/nss/nss.def -+++ b/lib/nss/nss.def -@@ -1092,8 +1092,15 @@ SECMOD_CreateModuleEx; - ;+}; - ;+NSS_3.22 { # NSS 3.22 release - ;+ global: - PK11_SignWithMechanism; - PK11_VerifyWithMechanism; - ;+ local: - ;+ *; - ;+}; -+;+NSS_3.30 { # NSS 3.30 release -+;+ global: -+CERT_CompareAVA; -+PK11_HasAttributeSet; -+;+ local: -+;+ *; -+;+}; -diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c ---- a/lib/pk11wrap/pk11obj.c -+++ b/lib/pk11wrap/pk11obj.c -@@ -151,18 +151,18 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl - } - return value; - } - - /* - * check to see if a bool has been set. - */ - CK_BBOOL --PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, -- CK_ATTRIBUTE_TYPE type, PRBool haslock) -+pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, -+ CK_ATTRIBUTE_TYPE type, PRBool haslock) - { - CK_BBOOL ckvalue = CK_FALSE; - CK_ATTRIBUTE theTemplate; - CK_RV crv; - - /* Prepare to retrieve the attribute. */ - PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL)); - -@@ -176,16 +176,24 @@ PK11_HasAttributeSet(PK11SlotInfo *slot, - if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return CK_FALSE; - } - - return ckvalue; - } - -+CK_BBOOL -+PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, -+ CK_ATTRIBUTE_TYPE type, PRBool haslock) -+{ -+ PR_ASSERT(haslock == PR_FALSE); -+ return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE); -+} -+ - /* - * returns a full list of attributes. Allocate space for them. If an arena is - * provided, allocate space out of the arena. - */ - CK_RV - PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, - CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count) - { -diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h ---- a/lib/pk11wrap/pk11priv.h -+++ b/lib/pk11wrap/pk11priv.h -@@ -113,20 +113,20 @@ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo - SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot, - SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg); - SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx); - CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname, - PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, - void *wincx); - CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer, - CK_OBJECT_CLASS o_class); --CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, -- CK_OBJECT_HANDLE id, -- CK_ATTRIBUTE_TYPE type, -- PRBool haslock); -+CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, -+ CK_OBJECT_HANDLE id, -+ CK_ATTRIBUTE_TYPE type, -+ PRBool haslock); - CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, - CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count); - int PK11_NumberCertsForCertSubject(CERTCertificate *cert); - SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, - SECStatus (*callback)(CERTCertificate *, void *), void *arg); - SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, - PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); - SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, -diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h ---- a/lib/pk11wrap/pk11pub.h -+++ b/lib/pk11wrap/pk11pub.h -@@ -681,16 +681,20 @@ CK_OBJECT_HANDLE PK11_FindCertInSlot(PK1 - void *wincx); - SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, - PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *), - void *arg); - CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg); - CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot); - CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, - int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions); -+CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, -+ CK_OBJECT_HANDLE id, -+ CK_ATTRIBUTE_TYPE type, -+ PRBool haslock /* must be set to PR_FALSE */); - - /********************************************************************** - * Sign/Verify - **********************************************************************/ - - /* - * Return the length in bytes of a signature generated with the - * private key. diff --git a/SOURCES/nss-3.16-token-init-race.patch b/SOURCES/nss-3.16-token-init-race.patch deleted file mode 100644 index f47f13f..0000000 --- a/SOURCES/nss-3.16-token-init-race.patch +++ /dev/null @@ -1,363 +0,0 @@ -diff -up nss/lib/pk11wrap/dev3hack.c.init-token-race nss/lib/pk11wrap/dev3hack.c ---- nss/lib/pk11wrap/dev3hack.c.init-token-race 2017-01-13 17:58:55.485868744 +0100 -+++ nss/lib/pk11wrap/dev3hack.c 2017-01-13 18:02:27.126675831 +0100 -@@ -231,6 +231,16 @@ nssSlot_Refresh(NSSSlot *slot) - if (slot->token && slot->token->base.name[0] == 0) { - doit = PR_TRUE; - } -+ /* invalidate the session in the nss3slot if we haven't done an init -+ * token since we noticed that the token->default session is invalid. -+ * This works because the monitor lock and the token session lock are the -+ * same locks */ -+ PK11_EnterSlotMonitor(nss3slot); -+ if ((slot->token == NULL) || (slot->token->defaultSession == NULL) || -+ (slot->token->defaultSession->handle == CK_INVALID_SESSION)) { -+ nss3slot->session = CK_INVALID_SESSION; -+ } -+ PK11_ExitSlotMonitor(nss3slot); - if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { - return PR_FAILURE; - } -@@ -238,7 +248,8 @@ nssSlot_Refresh(NSSSlot *slot) - nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, - slot->token); - } -- return nssToken_Refresh(slot->token); -+ /* no need to call nssToken_Refresh since PK11_Init has already done so */ -+ return PR_SUCCESS; - } - - NSS_IMPLEMENT PRStatus -diff -up nss/lib/pk11wrap/pk11auth.c.init-token-race nss/lib/pk11wrap/pk11auth.c ---- nss/lib/pk11wrap/pk11auth.c.init-token-race 2017-01-13 17:58:55.485868744 +0100 -+++ nss/lib/pk11wrap/pk11auth.c 2017-01-13 18:05:07.650739842 +0100 -@@ -73,8 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - (unsigned char *)pw, len); - slot->lastLoginCheck = 0; - mustRetry = PR_FALSE; -- if (!alreadyLocked) -- PK11_ExitSlotMonitor(slot); - switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: -@@ -101,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - break; - } - if (retry++ == 0) { -+ /* we already know the this session is invalid */ -+ slot->session = CK_INVALID_SESSION; -+ /* can't enter PK11_InitToken holding the lock -+ * This is safe because the only places that tries to -+ * hold the slot monitor over this call pass their own -+ * session, which would have failed above. -+ * (session != slot->session) */ -+ PK11_ExitSlotMonitor(slot); - rv = PK11_InitToken(slot, PR_FALSE); -+ PK11_EnterSlotMonitor(slot); - if (rv == SECSuccess) { - if (slot->session != CK_INVALID_SESSION) { - session = slot->session; /* we should have -@@ -119,6 +126,8 @@ pk11_CheckPassword(PK11SlotInfo *slot, C - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; /* some failure we can't fix by retrying */ - } -+ if (!alreadyLocked) -+ PK11_ExitSlotMonitor(slot); - } while (mustRetry); - return rv; - } -@@ -465,14 +474,18 @@ done: - slot->lastLoginCheck = 0; - PK11_RestoreROSession(slot, rwsession); - if (rv == SECSuccess) { -+ PK11_EnterSlotMonitor(slot); - /* update our view of the world */ -+ if (slot->session != CK_INVALID_SESSION) { -+ PK11_GETTAB(slot)->C_CloseSession(slot->session); -+ slot->session = CK_INVALID_SESSION; -+ } -+ PK11_ExitSlotMonitor(slot); - PK11_InitToken(slot, PR_TRUE); - if (slot->needLogin) { -- PK11_EnterSlotMonitor(slot); - PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER, - (unsigned char *)userpw, len); - slot->lastLoginCheck = 0; -- PK11_ExitSlotMonitor(slot); - } - } - return rv; -@@ -520,7 +533,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const - PK11_RestoreROSession(slot, rwsession); - - /* update our view of the world */ -- PK11_InitToken(slot, PR_TRUE); -+ /* PK11_InitToken(slot,PR_TRUE); */ - return rv; - } - -diff -up nss/lib/pk11wrap/pk11slot.c.init-token-race nss/lib/pk11wrap/pk11slot.c ---- nss/lib/pk11wrap/pk11slot.c.init-token-race 2017-01-13 17:58:55.486868720 +0100 -+++ nss/lib/pk11wrap/pk11slot.c 2017-01-13 18:12:50.869381900 +0100 -@@ -1085,6 +1085,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo - CK_ULONG count; - CK_RV crv; - PRUint32 i; -+ char mechanismBits[sizeof(slot->mechanismBits)]; - - if (slot->mechanismList) { - PORT_Free(slot->mechanismList); -@@ -1092,12 +1093,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo - } - slot->mechanismCount = 0; - -- if (!slot->isThreadSafe) -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count); - if (crv != CKR_OK) { -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } -@@ -1105,14 +1102,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo - slot->mechanismList = (CK_MECHANISM_TYPE *) - PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE)); - if (slot->mechanismList == NULL) { -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); - return SECFailure; - } - crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, - slot->mechanismList, &count); -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); - if (crv != CKR_OK) { - PORT_Free(slot->mechanismList); - slot->mechanismList = NULL; -@@ -1120,14 +1113,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo - return SECSuccess; - } - slot->mechanismCount = count; -- PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits)); -+ PORT_Memset(mechanismBits, 0, sizeof(slot->mechanismBits)); - - for (i = 0; i < count; i++) { - CK_MECHANISM_TYPE mech = slot->mechanismList[i]; - if (mech < 0x7ff) { -- slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); -+ mechanismBits[mech & 0xff] |= 1 << (mech >> 8); - } - } -+ PORT_Memcpy(slot->mechanismBits, mechanismBits, -+ sizeof(slot->mechanismBits)); - return SECSuccess; - } - -@@ -1144,14 +1139,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - CK_RV crv; - SECStatus rv; - PRStatus status; -+ CK_SESSION_HANDLE session; -+ -+ PK11_EnterSlotMonitor(slot); -+ if (slot->session != CK_INVALID_SESSION) { -+ /* The reason for doing an InitToken has already been satisfied by -+ * another thread. Just return */ -+ PK11_ExitSlotMonitor(slot); -+ return SECSuccess; -+ } - - /* set the slot flags to the current token values */ -- if (!slot->isThreadSafe) -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); - if (crv != CKR_OK) { -+ PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } -@@ -1186,8 +1187,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - slot->defRWSession = (PRBool)((!slot->readOnly) && - (tokenInfo.ulMaxSessionCount == 1)); - rv = PK11_ReadMechanismList(slot); -- if (rv != SECSuccess) -- return rv; -+ if (rv != SECSuccess) { -+ PK11_ExitSlotMonitor(slot); -+ return rv; -+ } - - slot->hasRSAInfo = PR_FALSE; - slot->RSAInfoFlags = 0; -@@ -1202,56 +1205,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2; - } - -- /* Make sure our session handle is valid */ -- if (slot->session == CK_INVALID_SESSION) { -- /* we know we don't have a valid session, go get one */ -- CK_SESSION_HANDLE session; -- -- /* session should be Readonly, serial */ -- if (!slot->isThreadSafe) -- PK11_EnterSlotMonitor(slot); -- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, -+ /* we know we don't have a valid session, go get one */ -+ /* session should be Readonly, serial */ -+ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, - slot, pk11_notify, &session); -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); -- if (crv != CKR_OK) { -- PORT_SetError(PK11_MapError(crv)); -- return SECFailure; -- } -- slot->session = session; -- } else { -- /* The session we have may be defunct (the token associated with it) -- * has been removed */ -- CK_SESSION_INFO sessionInfo; -- -- if (!slot->isThreadSafe) -- PK11_EnterSlotMonitor(slot); -- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); -- if (crv == CKR_DEVICE_ERROR) { -- PK11_GETTAB(slot) -- ->C_CloseSession(slot->session); -- crv = CKR_SESSION_CLOSED; -- } -- if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) { -- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, -- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, -- slot, pk11_notify, &slot->session); -- if (crv != CKR_OK) { -- PORT_SetError(PK11_MapError(crv)); -- slot->session = CK_INVALID_SESSION; -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); -- return SECFailure; -- } -- } -- if (!slot->isThreadSafe) -- PK11_ExitSlotMonitor(slot); -+ if (crv != CKR_OK) { -+ PK11_ExitSlotMonitor(slot); -+ PORT_SetError(PK11_MapError(crv)); -+ return SECFailure; - } -+ slot->session = session; - - status = nssToken_Refresh(slot->nssToken); -- if (status != PR_SUCCESS) -+ if (status != PR_SUCCESS) { -+ PK11_ExitSlotMonitor(slot); - return SECFailure; -+ } - - if (!(slot->isInternal) && (slot->hasRandom)) { - /* if this slot has a random number generater, use it to add entropy -@@ -1264,28 +1234,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - /* if this slot can issue random numbers, get some entropy from - * that random number generater and give it to our internal token. - */ -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(slot); - if (crv == CKR_OK) { -- PK11_EnterSlotMonitor(int_slot); - PK11_GETTAB(int_slot) - ->C_SeedRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(int_slot); - } - - /* Now return the favor and send entropy to the token's random - * number generater */ -- PK11_EnterSlotMonitor(int_slot); - crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(int_slot); - if (crv == CKR_OK) { -- PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, - random_bytes, sizeof(random_bytes)); -- PK11_ExitSlotMonitor(slot); - } - PK11_FreeSlot(int_slot); - } -@@ -1318,6 +1280,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo - ->C_CloseSession(session); - } - } -+ PK11_ExitSlotMonitor(slot); - - return SECSuccess; - } -@@ -1433,6 +1396,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT - } - /* if the token is present, initialize it */ - if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { -+ /* session was initialized to CK_INVALID_SESSION when the slot -+ * was created */ - rv = PK11_InitToken(slot, PR_TRUE); - /* the only hard failures are on permanent devices, or function - * verify failures... function verify failures are already handled -@@ -1888,10 +1853,14 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C - return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE; - } - -+ PK11_EnterSlotMonitor(slot); - for (i = 0; i < (int)slot->mechanismCount; i++) { -- if (slot->mechanismList[i] == type) -- return PR_TRUE; -+ if (slot->mechanismList[i] == type) { -+ PK11_ExitSlotMonitor(slot); -+ return PR_TRUE; -+ } - } -+ PK11_ExitSlotMonitor(slot); - return PR_FALSE; - } - -diff -up nss/lib/pk11wrap/pk11util.c.init-token-race nss/lib/pk11wrap/pk11util.c ---- nss/lib/pk11wrap/pk11util.c.init-token-race 2017-01-13 17:58:55.487868695 +0100 -+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 18:01:21.280291292 +0100 -@@ -1624,6 +1624,11 @@ SECMOD_RestartModules(PRBool force) - * older modules require it, and it doesn't hurt (compliant modules - * will return CKR_NOT_INITIALIZED */ - (void)PK11_GETTAB(mod)->C_Finalize(NULL); -+ /* finalize clears the session, mark them dead in the -+ * slot as well */ -+ for (i=0; i < mod->slotCount; i++) { -+ mod->slots[i]->session = CK_INVALID_SESSION; -+ } - /* now initialize the module, this function reinitializes - * a module in place, preserving existing slots (even if they - * no longer exist) */ -@@ -1643,17 +1648,18 @@ SECMOD_RestartModules(PRBool force) - /* get new token sessions, bump the series up so that - * we refresh other old sessions. This will tell much of - * NSS to flush cached handles it may hold as well */ -- rv = PK11_InitToken(mod->slots[i], PR_TRUE); -+ PK11SlotInfo *slot = mod->slots[i]; -+ rv = PK11_InitToken(slot,PR_TRUE); - /* PK11_InitToken could fail if the slot isn't present. - * If it is present, though, something is wrong and we should - * disable the slot and let the caller know. */ -- if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) { -+ if (rv != SECSuccess && PK11_IsPresent(slot)) { - /* save the last error code */ - lastError = PORT_GetError(); - rrv = rv; - /* disable the token */ -- mod->slots[i]->disabled = PR_TRUE; -- mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; -+ slot->disabled = PR_TRUE; -+ slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - } - } - } diff --git a/SOURCES/nss-alert-handler.patch b/SOURCES/nss-alert-handler.patch deleted file mode 100644 index ca0b434..0000000 --- a/SOURCES/nss-alert-handler.patch +++ /dev/null @@ -1,461 +0,0 @@ -diff -up nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc ---- nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc 2017-03-14 11:01:42.563689719 +0100 -@@ -24,6 +24,8 @@ namespace nss_test { - - TEST_P(TlsConnectTls13, ZeroRtt) { - SetupForZeroRtt(); -+ client_->SetExpectedAlertSentCount(1); -+ server_->SetExpectedAlertReceivedCount(1); - client_->Set0RttEnabled(true); - server_->Set0RttEnabled(true); - ExpectResumption(RESUME_TICKET); -@@ -103,6 +105,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt - EnableAlpn(); - SetupForZeroRtt(); - EnableAlpn(); -+ client_->SetExpectedAlertSentCount(1); -+ server_->SetExpectedAlertReceivedCount(1); - client_->Set0RttEnabled(true); - server_->Set0RttEnabled(true); - ExpectResumption(RESUME_TICKET); -diff -up nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_exporter_unittest.cc ---- nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_exporter_unittest.cc 2017-03-14 11:01:42.563689719 +0100 -@@ -90,6 +90,8 @@ int32_t RegularExporterShouldFail(TlsAge - - TEST_P(TlsConnectTls13, EarlyExporter) { - SetupForZeroRtt(); -+ client_->SetExpectedAlertSentCount(1); -+ server_->SetExpectedAlertReceivedCount(1); - client_->Set0RttEnabled(true); - server_->Set0RttEnabled(true); - ExpectResumption(RESUME_TICKET); -diff -up nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_extension_unittest.cc ---- nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler 2017-03-14 11:01:42.563689719 +0100 -+++ nss/gtests/ssl_gtest/ssl_extension_unittest.cc 2017-03-14 11:06:39.215006989 +0100 -@@ -167,27 +167,69 @@ class TlsExtensionTestBase : public TlsC - : TlsConnectTestBase(mode, version) {} - - void ClientHelloErrorTest(PacketFilter* filter, -- uint8_t alert = kTlsAlertDecodeError) { -+ uint8_t desc = kTlsAlertDecodeError) { -+ SSLAlert alert; -+ - auto alert_recorder = new TlsAlertRecorder(); - server_->SetPacketFilter(alert_recorder); - if (filter) { - client_->SetPacketFilter(filter); - } - ConnectExpectFail(); -+ - EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -- EXPECT_EQ(alert, alert_recorder->description()); -+ EXPECT_EQ(desc, alert_recorder->description()); -+ -+ // verify no alerts received by the server -+ EXPECT_EQ(0U, server_->alert_received_count()); -+ -+ // verify the alert sent by the server -+ EXPECT_EQ(1U, server_->alert_sent_count()); -+ EXPECT_TRUE(server_->GetLastAlertSent(&alert)); -+ EXPECT_EQ(kTlsAlertFatal, alert.level); -+ EXPECT_EQ(desc, alert.description); -+ -+ // verify the alert received by the client -+ EXPECT_EQ(1U, client_->alert_received_count()); -+ EXPECT_TRUE(client_->GetLastAlertReceived(&alert)); -+ EXPECT_EQ(kTlsAlertFatal, alert.level); -+ EXPECT_EQ(desc, alert.description); -+ -+ // verify no alerts sent by the client -+ EXPECT_EQ(0U, client_->alert_sent_count()); - } - - void ServerHelloErrorTest(PacketFilter* filter, -- uint8_t alert = kTlsAlertDecodeError) { -+ uint8_t desc = kTlsAlertDecodeError) { -+ SSLAlert alert; -+ - auto alert_recorder = new TlsAlertRecorder(); - client_->SetPacketFilter(alert_recorder); - if (filter) { - server_->SetPacketFilter(filter); - } - ConnectExpectFail(); -+ - EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -- EXPECT_EQ(alert, alert_recorder->description()); -+ EXPECT_EQ(desc, alert_recorder->description()); -+ -+ // verify no alerts received by the client -+ EXPECT_EQ(0U, client_->alert_received_count()); -+ -+ // verify the alert sent by the client -+ EXPECT_EQ(1U, client_->alert_sent_count()); -+ EXPECT_TRUE(client_->GetLastAlertSent(&alert)); -+ EXPECT_EQ(kTlsAlertFatal, alert.level); -+ EXPECT_EQ(desc, alert.description); -+ -+ // verify the alert received by the server -+ EXPECT_EQ(1U, server_->alert_received_count()); -+ EXPECT_TRUE(server_->GetLastAlertReceived(&alert)); -+ EXPECT_EQ(kTlsAlertFatal, alert.level); -+ EXPECT_EQ(desc, alert.description); -+ -+ // verify no alerts sent by the server -+ EXPECT_EQ(0U, server_->alert_sent_count()); - } - - static void InitSimpleSni(DataBuffer* extension) { -diff -up nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_version_unittest.cc ---- nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_version_unittest.cc 2017-03-14 11:01:42.563689719 +0100 -@@ -225,6 +225,7 @@ TEST_F(TlsConnectTest, Tls13RejectsRehan - - TEST_P(TlsConnectGeneric, AlertBeforeServerHello) { - EnsureTlsSetup(); -+ client_->SetExpectedAlertReceivedCount(1); - client_->StartConnect(); - server_->StartConnect(); - client_->Handshake(); // Send ClientHello. -diff -up nss/gtests/ssl_gtest/tls_agent.cc.alert-handler nss/gtests/ssl_gtest/tls_agent.cc ---- nss/gtests/ssl_gtest/tls_agent.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/tls_agent.cc 2017-03-14 11:07:22.414890511 +0100 -@@ -61,6 +61,12 @@ TlsAgent::TlsAgent(const std::string& na - can_falsestart_hook_called_(false), - sni_hook_called_(false), - auth_certificate_hook_called_(false), -+ alert_received_count_(0), -+ expected_alert_received_count_(0), -+ last_alert_received_({0, 0}), -+ alert_sent_count_(0), -+ expected_alert_sent_count_(0), -+ last_alert_sent_({0, 0}), - handshake_callback_called_(false), - error_code_(0), - send_ctr_(0), -@@ -165,6 +171,14 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc - EXPECT_EQ(SECSuccess, rv); - if (rv != SECSuccess) return false; - -+ rv = SSL_AlertReceivedCallback(ssl_fd(), AlertReceivedCallback, this); -+ EXPECT_EQ(SECSuccess, rv); -+ if (rv != SECSuccess) return false; -+ -+ rv = SSL_AlertSentCallback(ssl_fd(), AlertSentCallback, this); -+ EXPECT_EQ(SECSuccess, rv); -+ if (rv != SECSuccess) return false; -+ - rv = SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this); - EXPECT_EQ(SECSuccess, rv); - if (rv != SECSuccess) return false; -@@ -578,6 +592,11 @@ void TlsAgent::CheckErrorCode(int32_t ex - << PORT_ErrorToName(expected) << std::endl; - } - -+void TlsAgent::CheckAlerts() const { -+ EXPECT_EQ(expected_alert_received_count_, alert_received_count_); -+ EXPECT_EQ(expected_alert_sent_count_, alert_sent_count_); -+} -+ - void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const { - ASSERT_EQ(0, error_code_); - WAIT_(error_code_ != 0, delay); -diff -up nss/gtests/ssl_gtest/tls_agent.h.alert-handler nss/gtests/ssl_gtest/tls_agent.h ---- nss/gtests/ssl_gtest/tls_agent.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/tls_agent.h 2017-03-14 11:01:42.564689693 +0100 -@@ -139,6 +139,7 @@ class TlsAgent : public PollTarget { - void EnableSrtp(); - void CheckSrtp() const; - void CheckErrorCode(int32_t expected) const; -+ void CheckAlerts() const; - void WaitForErrorCode(int32_t expected, uint32_t delay) const; - // Send data on the socket, encrypting it. - void SendData(size_t bytes, size_t blocksize = 1024); -@@ -239,6 +240,34 @@ class TlsAgent : public PollTarget { - sni_callback_ = sni_callback; - } - -+ size_t alert_received_count() const { return alert_received_count_; } -+ -+ void SetExpectedAlertReceivedCount(size_t count) { -+ expected_alert_received_count_ = count; -+ } -+ -+ bool GetLastAlertReceived(SSLAlert* alert) const { -+ if (!alert_received_count_) { -+ return false; -+ } -+ *alert = last_alert_received_; -+ return true; -+ } -+ -+ size_t alert_sent_count() const { return alert_sent_count_; } -+ -+ void SetExpectedAlertSentCount(size_t count) { -+ expected_alert_sent_count_ = count; -+ } -+ -+ bool GetLastAlertSent(SSLAlert* alert) const { -+ if (!alert_sent_count_) { -+ return false; -+ } -+ *alert = last_alert_sent_; -+ return true; -+ } -+ - private: - const static char* states[]; - -@@ -320,6 +349,30 @@ class TlsAgent : public PollTarget { - return SECSuccess; - } - -+ static void AlertReceivedCallback(const PRFileDesc* fd, void* arg, -+ const SSLAlert* alert) { -+ TlsAgent* agent = reinterpret_cast(arg); -+ -+ std::cerr << agent->role_str() -+ << ": Alert received: level=" << static_cast(alert->level) -+ << " desc=" << static_cast(alert->description) << std::endl; -+ -+ ++agent->alert_received_count_; -+ agent->last_alert_received_ = *alert; -+ } -+ -+ static void AlertSentCallback(const PRFileDesc* fd, void* arg, -+ const SSLAlert* alert) { -+ TlsAgent* agent = reinterpret_cast(arg); -+ -+ std::cerr << agent->role_str() -+ << ": Alert sent: level=" << static_cast(alert->level) -+ << " desc=" << static_cast(alert->description) << std::endl; -+ -+ ++agent->alert_sent_count_; -+ agent->last_alert_sent_ = *alert; -+ } -+ - static void HandshakeCallback(PRFileDesc* fd, void* arg) { - TlsAgent* agent = reinterpret_cast(arg); - agent->handshake_callback_called_ = true; -@@ -352,6 +405,12 @@ class TlsAgent : public PollTarget { - bool can_falsestart_hook_called_; - bool sni_hook_called_; - bool auth_certificate_hook_called_; -+ size_t alert_received_count_; -+ size_t expected_alert_received_count_; -+ SSLAlert last_alert_received_; -+ size_t alert_sent_count_; -+ size_t expected_alert_sent_count_; -+ SSLAlert last_alert_sent_; - bool handshake_callback_called_; - SSLChannelInfo info_; - SSLCipherSuiteInfo csinfo_; -diff -up nss/gtests/ssl_gtest/tls_connect.cc.alert-handler nss/gtests/ssl_gtest/tls_connect.cc ---- nss/gtests/ssl_gtest/tls_connect.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/tls_connect.cc 2017-03-14 11:01:42.564689693 +0100 -@@ -309,6 +309,9 @@ void TlsConnectTestBase::CheckConnected( - CheckResumption(expected_resumption_mode_); - client_->CheckSecretsDestroyed(); - server_->CheckSecretsDestroyed(); -+ -+ client_->CheckAlerts(); -+ server_->CheckAlerts(); - } - - void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type, SSLNamedGroup kea_group, -diff -up nss/lib/ssl/ssl3con.c.alert-handler nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.alert-handler 2017-03-14 11:01:42.551690030 +0100 -+++ nss/lib/ssl/ssl3con.c 2017-03-14 11:03:45.319510356 +0100 -@@ -3143,6 +3143,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL - } - ssl_ReleaseXmitBufLock(ss); - ssl_ReleaseSSL3HandshakeLock(ss); -+ if (rv == SECSuccess && ss->alertSentCallback) { -+ SSLAlert alert = { level, desc }; -+ ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert); -+ } - return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ - } - -@@ -3255,6 +3259,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe - SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d", - SSL_GETPID(), ss->fd, level, desc)); - -+ if (ss->alertReceivedCallback) { -+ SSLAlert alert = { level, desc }; -+ ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert); -+ } -+ - switch (desc) { - case close_notify: - ss->recvdCloseNotify = 1; -diff -up nss/lib/ssl/ssl.def.alert-handler nss/lib/ssl/ssl.def ---- nss/lib/ssl/ssl.def.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/lib/ssl/ssl.def 2017-03-14 11:01:42.564689693 +0100 -@@ -221,3 +221,10 @@ SSL_SignatureSchemePrefGet; - ;+ local: - ;+*; - ;+}; -+;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release -+;+ global: -+SSL_AlertReceivedCallback; -+SSL_AlertSentCallback; -+;+ local: -+;+*; -+;+}; -diff -up nss/lib/ssl/ssl.h.alert-handler nss/lib/ssl/ssl.h ---- nss/lib/ssl/ssl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/lib/ssl/ssl.h 2017-03-14 11:01:42.564689693 +0100 -@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PR - SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a); - - /* -+** These are callbacks for dealing with SSL alerts. -+ */ -+ -+typedef PRUint8 SSLAlertLevel; -+typedef PRUint8 SSLAlertDescription; -+ -+typedef struct { -+ SSLAlertLevel level; -+ SSLAlertDescription description; -+} SSLAlert; -+ -+typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg, -+ const SSLAlert *alert); -+ -+SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, -+ void *arg); -+SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, -+ void *arg); -+/* - ** This is a callback for dealing with server certs that are not authenticated - ** by the client. The client app can decide that it actually likes the - ** cert by some external means and restart the connection. -diff -up nss/lib/ssl/sslimpl.h.alert-handler nss/lib/ssl/sslimpl.h ---- nss/lib/ssl/sslimpl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/lib/ssl/sslimpl.h 2017-03-14 11:01:42.566689641 +0100 -@@ -1121,6 +1121,10 @@ struct sslSocketStr { - void *getClientAuthDataArg; - SSLSNISocketConfig sniSocketConfig; - void *sniSocketConfigArg; -+ SSLAlertCallback alertReceivedCallback; -+ void *alertReceivedCallbackArg; -+ SSLAlertCallback alertSentCallback; -+ void *alertSentCallbackArg; - SSLBadCertHandler handleBadCert; - void *badCertArg; - SSLHandshakeCallback handshakeCallback; -diff -up nss/lib/ssl/sslsecur.c.alert-handler nss/lib/ssl/sslsecur.c ---- nss/lib/ssl/sslsecur.c.alert-handler 2017-02-17 14:20:06.000000000 +0100 -+++ nss/lib/ssl/sslsecur.c 2017-03-14 11:01:42.566689641 +0100 -@@ -994,6 +994,42 @@ ssl_SecureWrite(sslSocket *ss, const uns - } - - SECStatus -+SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) -+{ -+ sslSocket *ss; -+ -+ ss = ssl_FindSocket(fd); -+ if (!ss) { -+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback", -+ SSL_GETPID(), fd)); -+ return SECFailure; -+ } -+ -+ ss->alertReceivedCallback = cb; -+ ss->alertReceivedCallbackArg = arg; -+ -+ return SECSuccess; -+} -+ -+SECStatus -+SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) -+{ -+ sslSocket *ss; -+ -+ ss = ssl_FindSocket(fd); -+ if (!ss) { -+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback", -+ SSL_GETPID(), fd)); -+ return SECFailure; -+ } -+ -+ ss->alertSentCallback = cb; -+ ss->alertSentCallbackArg = arg; -+ -+ return SECSuccess; -+} -+ -+SECStatus - SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg) - { - sslSocket *ss; -diff -up nss/lib/ssl/sslsock.c.alert-handler nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.alert-handler 2017-03-14 11:01:42.538690367 +0100 -+++ nss/lib/ssl/sslsock.c 2017-03-14 11:01:42.566689641 +0100 -@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os) - ss->getClientAuthDataArg = os->getClientAuthDataArg; - ss->sniSocketConfig = os->sniSocketConfig; - ss->sniSocketConfigArg = os->sniSocketConfigArg; -+ ss->alertReceivedCallback = os->alertReceivedCallback; -+ ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg; -+ ss->alertSentCallback = os->alertSentCallback; -+ ss->alertSentCallbackArg = os->alertSentCallbackArg; - ss->handleBadCert = os->handleBadCert; - ss->badCertArg = os->badCertArg; - ss->handshakeCallback = os->handshakeCallback; -@@ -2149,6 +2153,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile - ss->sniSocketConfig = sm->sniSocketConfig; - if (sm->sniSocketConfigArg) - ss->sniSocketConfigArg = sm->sniSocketConfigArg; -+ if (ss->alertReceivedCallback) { -+ ss->alertReceivedCallback = sm->alertReceivedCallback; -+ ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; -+ } -+ if (ss->alertSentCallback) { -+ ss->alertSentCallback = sm->alertSentCallback; -+ ss->alertSentCallbackArg = sm->alertSentCallbackArg; -+ } - if (sm->handleBadCert) - ss->handleBadCert = sm->handleBadCert; - if (sm->badCertArg) -@@ -3691,6 +3703,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto - ss->sniSocketConfig = NULL; - ss->sniSocketConfigArg = NULL; - ss->getClientAuthData = NULL; -+ ss->alertReceivedCallback = NULL; -+ ss->alertReceivedCallbackArg = NULL; -+ ss->alertSentCallback = NULL; -+ ss->alertSentCallbackArg = NULL; - ss->handleBadCert = NULL; - ss->badCertArg = NULL; - ss->pkcs11PinArg = NULL; -# HG changeset patch -# User Kai Engert -# Date 1493741561 -7200 -# Tue May 02 18:12:41 2017 +0200 -# Node ID 8804a0c65a08ee53096c07cc091536c7cf102b58 -# Parent 769f9ae07b103494af809620478e60256a344adc -Bug 1360207, Fix incorrect if (ss->...) in SSL_ReconfigFD, Patch contributed by Ian Goldberg, r=ttaubert - -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile - ss->sniSocketConfig = sm->sniSocketConfig; - if (sm->sniSocketConfigArg) - ss->sniSocketConfigArg = sm->sniSocketConfigArg; -- if (ss->alertReceivedCallback) { -+ if (sm->alertReceivedCallback) { - ss->alertReceivedCallback = sm->alertReceivedCallback; - ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; - } -- if (ss->alertSentCallback) { -+ if (sm->alertSentCallback) { - ss->alertSentCallback = sm->alertSentCallback; - ss->alertSentCallbackArg = sm->alertSentCallbackArg; - } diff --git a/SOURCES/nss-certutil-suppress-password.patch b/SOURCES/nss-certutil-suppress-password.patch new file mode 100644 index 0000000..985ac21 --- /dev/null +++ b/SOURCES/nss-certutil-suppress-password.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1513770602 -3600 +# Wed Dec 20 12:50:02 2017 +0100 +# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b +# Parent 5a14f42384eb22b67e0465949c03555eff41e4af +Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea + +diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c +--- a/cmd/certutil/certutil.c ++++ b/cmd/certutil/certutil.c +@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB + certutil.commands[cmd_CreateAndAddCert].activated || + certutil.commands[cmd_AddCert].activated || + certutil.commands[cmd_AddEmailCert].activated) { +- if (PK11_NeedUserInit(slot)) { ++ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { + char *password = NULL; + /* fetch the password from the command line or the file + * if no password is supplied, initialize the password to NULL */ diff --git a/SOURCES/nss-disable-pss-gtests.patch b/SOURCES/nss-disable-pss-gtests.patch deleted file mode 100644 index 2371c45..0000000 --- a/SOURCES/nss-disable-pss-gtests.patch +++ /dev/null @@ -1,156 +0,0 @@ -diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc ---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests 2017-02-17 14:20:06.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-03-24 17:45:58.439916101 +0100 -@@ -69,7 +69,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 - server_->ConfigNamedGroups(groups); - Connect(); - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - } - - // This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care. -@@ -82,7 +82,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 - server_->ConfigNamedGroups(groups); - Connect(); - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3, - hrr_capture->buffer().len() != 0); - } -@@ -112,7 +112,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority) - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - - std::vector shares = {ssl_grp_ec_secp384r1}; - CheckKEXDetails(groups, shares); -@@ -129,7 +129,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - - std::vector shares = {ssl_grp_ec_secp384r1}; - std::vector expectedGroups = {ssl_grp_ec_secp384r1, -@@ -147,7 +147,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - - if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { - std::vector shares = {ssl_grp_ec_secp384r1}; -@@ -172,7 +172,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - } - - TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) { -@@ -188,7 +188,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - } - - class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter { -@@ -276,7 +276,7 @@ TEST_P(TlsConnectStreamPre13, Configured - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - CheckConnected(); - - // The renegotiation has to use the same preferences as the original session. -@@ -284,7 +284,7 @@ TEST_P(TlsConnectStreamPre13, Configured - client_->StartRenegotiate(); - Handshake(); - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - } - - TEST_P(TlsKeyExchangeTest, Curve25519) { -@@ -318,7 +318,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - } - - #ifndef NSS_DISABLE_TLS_1_3 -@@ -337,7 +337,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_secp256r1}; - CheckKEXDetails(client_groups, shares); - } -@@ -357,7 +357,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519}; - CheckKEXDetails(client_groups, shares); - } -@@ -379,7 +379,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519}; - CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); - } -@@ -401,7 +401,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519}; - CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); - } -@@ -423,7 +423,7 @@ TEST_P(TlsKeyExchangeTest13, - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519}; - CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); - } -@@ -445,7 +445,7 @@ TEST_P(TlsKeyExchangeTest13, - Connect(); - - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519}; - CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); - } -@@ -507,7 +507,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli - - // The server would accept 25519 but its preferred group (P256) has to win. - CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, -- ssl_sig_rsa_pss_sha256); -+ ssl_sig_rsa_pkcs1_sha256); - const std::vector shares = {ssl_grp_ec_curve25519, - ssl_grp_ec_secp256r1}; - CheckKEXDetails(client_groups, shares); diff --git a/SOURCES/nss-disable-tls13-gtests.patch b/SOURCES/nss-disable-tls13-gtests.patch new file mode 100644 index 0000000..cc7b661 --- /dev/null +++ b/SOURCES/nss-disable-tls13-gtests.patch @@ -0,0 +1,12 @@ +diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc +--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200 ++++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200 +@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P( + INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, + TlsConnectTestBase::kTlsV11V12)); ++#if 0 + INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest, + TlsConnectTestBase::kTlsVariantsAll); ++#endif + } // namespace nss_test diff --git a/SOURCES/nss-increase-pkcs12-iterations.patch b/SOURCES/nss-increase-pkcs12-iterations.patch new file mode 100644 index 0000000..72fedd4 --- /dev/null +++ b/SOURCES/nss-increase-pkcs12-iterations.patch @@ -0,0 +1,26 @@ +# HG changeset patch +# User Kai Engert +# Date 1511356939 -3600 +# Wed Nov 22 14:22:19 2017 +0100 +# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1 +# Parent 6a27e4b4c92c8c3694132b75a1a54c23688789bd +Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer + +diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c +--- a/lib/pkcs7/p7create.c ++++ b/lib/pkcs7/p7create.c +@@ -18,7 +18,13 @@ + #include "secder.h" + #include "secpkcs5.h" + +-const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */ ++const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */ ++#ifdef DEBUG ++ 10000 ++#else ++ 1000000 ++#endif ++ ; + + static SECStatus + sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp, diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch index 6f6fcb9..9c85f74 100644 --- a/SOURCES/nss-is-token-present-race.patch +++ b/SOURCES/nss-is-token-present-race.patch @@ -1,76 +1,191 @@ # HG changeset patch -# User Kamil Dudka -# Date 1484568851 -3600 -# Mon Jan 16 13:14:11 2017 +0100 -# Node ID 754a4a1f6220fa99e72197408726da14419fc187 -# Parent b6a26d34c0e354344f81a73137deeb682c7961e0 -Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea +# User Robert Relyea +# Date 1516007838 -3600 +# Mon Jan 15 10:17:18 2018 +0100 +# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670 +# Parent db32ef3be38eb06a91babbcbb48285284d704dbd +Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c --- a/lib/dev/devslot.c +++ b/lib/dev/devslot.c -@@ -91,7 +91,7 @@ nssSlot_ResetDelay( - } - - static PRBool --within_token_delay_period(NSSSlot *slot) -+within_token_delay_period(const NSSSlot *slot) - { - PRIntervalTime time, lastTime; - /* Set the delay time for checking the token presence */ -@@ -103,7 +103,6 @@ within_token_delay_period(NSSSlot *slot) - if ((lastTime) && ((time - lastTime) < s_token_delay_time)) { - return PR_TRUE; +@@ -33,6 +33,8 @@ nssSlot_Destroy( + if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) { + PK11_FreeSlot(slot->pk11slot); + PZ_DestroyLock(slot->base.lock); ++ PZ_DestroyCondVar(slot->isPresentCondition); ++ PZ_DestroyLock(slot->isPresentLock); + return nssArena_Destroy(slot->base.arena); + } } -- slot->lastTokenPing = time; - return PR_FALSE; - } +@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent( + nssSession *session; + CK_SLOT_INFO slotInfo; + void *epv; ++ PRBool isPresent = PR_FALSE; ++ + /* permanent slots are always present unless they're disabled */ + if (nssSlot_IsPermanent(slot)) { + return !PK11_IsDisabled(slot->pk11slot); + } ++ + /* avoid repeated calls to check token status within set interval */ ++ PZ_Lock(slot->isPresentLock); + if (within_token_delay_period(slot)) { +- return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0); ++ CK_FLAGS ckFlags = slot->ckFlags; ++ PZ_Unlock(slot->isPresentLock); ++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); + } ++ PZ_Unlock(slot->isPresentLock); -@@ -136,6 +135,7 @@ nssSlot_IsTokenPresent( +- /* First obtain the slot info */ ++ /* First obtain the slot epv before we set up the condition ++ * variable, so we can just return if we couldn't get it. */ + epv = slot->epv; + if (!epv) { + return PR_FALSE; + } ++ ++ /* set up condition so only one thread is active in this part of the code at a time */ ++ PZ_Lock(slot->isPresentLock); ++ while (slot->inIsPresent) { ++ PR_WaitCondVar(slot->isPresentCondition, 0); ++ } ++ /* if we were one of multiple threads here, the first thread will have ++ * given us the answer, no need to make more queries of the token. */ ++ if (within_token_delay_period(slot)) { ++ CK_FLAGS ckFlags = slot->ckFlags; ++ PZ_Unlock(slot->isPresentLock); ++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); ++ } ++ /* this is the winning thread, block all others until we've determined ++ * if the token is present and that it needs initialization. */ ++ slot->inIsPresent = PR_TRUE; ++ PZ_Unlock(slot->isPresentLock); ++ + nssSlot_EnterMonitor(slot); + ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo); nssSlot_ExitMonitor(slot); if (ckrv != CKR_OK) { slot->token->base.name[0] = 0; /* XXX */ -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_FALSE; +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; } slot->ckFlags = slotInfo.flags; -@@ -143,6 +143,7 @@ nssSlot_IsTokenPresent( + /* check for the presence of the token */ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) { if (!slot->token) { /* token was never present */ -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_FALSE; +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; } session = nssToken_GetDefaultSession(slot->token); -@@ -165,6 +166,7 @@ nssSlot_IsTokenPresent( + if (session) { +@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent( slot->token->base.name[0] = 0; /* XXX */ /* clear the token cache */ nssToken_Remove(slot->token); -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_FALSE; +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; } /* token is present, use the session info to determine if the card -@@ -187,8 +189,10 @@ nssSlot_IsTokenPresent( - isPresent = session->handle != CK_INVALID_SESSION; + * has been removed and reinserted. + */ + session = nssToken_GetDefaultSession(slot->token); + if (session) { +- PRBool isPresent = PR_FALSE; ++ PRBool tokenRemoved; + nssSession_EnterMonitor(session); + if (session->handle != CK_INVALID_SESSION) { + CK_SESSION_INFO sessionInfo; +@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent( + session->handle = CK_INVALID_SESSION; + } + } +- isPresent = session->handle != CK_INVALID_SESSION; ++ tokenRemoved = (session->handle == CK_INVALID_SESSION); nssSession_ExitMonitor(session); /* token not removed, finished */ -- if (isPresent) -+ if (isPresent) { -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_TRUE; -+ } +- if (isPresent) { +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_TRUE; ++ if (!tokenRemoved) { ++ isPresent = PR_TRUE; ++ goto done; + } } /* the token has been removed, and reinserted, or the slot contains - * a token it doesn't recognize. invalidate all the old -@@ -201,8 +205,11 @@ nssSlot_IsTokenPresent( +@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent( + nssToken_Remove(slot->token); + /* token has been removed, need to refresh with new session */ + nssrv = nssSlot_Refresh(slot); ++ isPresent = PR_TRUE; if (nssrv != PR_SUCCESS) { slot->token->base.name[0] = 0; /* XXX */ slot->ckFlags &= ~CKF_TOKEN_PRESENT; -+ /* TODO: insert a barrier here to avoid reordering of the assingments */ -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_FALSE; +- /* TODO: insert a barrier here to avoid reordering of the assingments */ +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; } -+ slot->lastTokenPing = PR_IntervalNow(); - return PR_TRUE; ++done: ++ /* Once we've set up the condition variable, ++ * Before returning, it's necessary to: ++ * 1) Set the lastTokenPing time so that any other threads waiting on this ++ * initialization and any future calls within the initialization window ++ * return the just-computed status. ++ * 2) Indicate we're complete, waking up all other threads that may still ++ * be waiting on initialization can progress. ++ */ ++ PZ_Lock(slot->isPresentLock); + slot->lastTokenPing = PR_IntervalNow(); +- return PR_TRUE; ++ slot->inIsPresent = PR_FALSE; ++ PR_NotifyAllCondVar(slot->isPresentCondition); ++ PZ_Unlock(slot->isPresentLock); ++ return isPresent; + } + + NSS_IMPLEMENT void * +@@ -229,7 +269,7 @@ nssSlot_GetToken( + + if (nssSlot_IsTokenPresent(slot)) { + /* Even if a token should be present, check `slot->token` too as it +- * might be gone already. This would happen mostly on shutdown. */ ++ * might be gone already. This would happen mostly on shutdown. */ + nssSlot_EnterMonitor(slot); + if (slot->token) + rvToken = nssToken_AddRef(slot->token); +diff --git a/lib/dev/devt.h b/lib/dev/devt.h +--- a/lib/dev/devt.h ++++ b/lib/dev/devt.h +@@ -81,6 +81,9 @@ struct NSSSlotStr { + PZLock *lock; + void *epv; + PK11SlotInfo *pk11slot; ++ PZLock *isPresentLock; ++ PRCondVar *isPresentCondition; ++ PRBool inIsPresent; + }; + + struct nssSessionStr { +diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c +--- a/lib/pk11wrap/dev3hack.c ++++ b/lib/pk11wrap/dev3hack.c +@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD + /* Grab the slot name from the PKCS#11 fixed-length buffer */ + rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena); + rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; ++ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther); ++ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock); ++ rvSlot->inIsPresent = PR_FALSE; + return rvSlot; } diff --git a/SOURCES/nss-modutil-suppress-password.patch b/SOURCES/nss-modutil-suppress-password.patch new file mode 100644 index 0000000..160f995 --- /dev/null +++ b/SOURCES/nss-modutil-suppress-password.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1510244757 -3600 +# Thu Nov 09 17:25:57 2017 +0100 +# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24 +# Parent 54be8a4501d454b2b7454e4a44ea013738e0b693 +Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie + +diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c +--- a/cmd/modutil/pk11.c ++++ b/cmd/modutil/pk11.c +@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile, + ret = BAD_PW_ERR; + goto loser; + } +- } else { ++ } else if (PK11_NeedLogin(slot)) { + for (matching = PR_FALSE; !matching;) { + oldpw = SECU_GetPasswordString(NULL, "Enter old password: "); + if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) { diff --git a/SOURCES/nss-pk12util-force-unicode.patch b/SOURCES/nss-pk12util-force-unicode.patch deleted file mode 100644 index 8aba8e7..0000000 --- a/SOURCES/nss-pk12util-force-unicode.patch +++ /dev/null @@ -1,408 +0,0 @@ -diff -up nss/cmd/pk12util/pk12util.c.pk12util-force-unicode nss/cmd/pk12util/pk12util.c ---- nss/cmd/pk12util/pk12util.c.pk12util-force-unicode 2017-09-21 09:49:22.371039588 +0200 -+++ nss/cmd/pk12util/pk12util.c 2017-09-21 09:49:22.389039181 +0200 -@@ -23,6 +23,7 @@ - static char *progName; - PRBool pk12_debugging = PR_FALSE; - PRBool dumpRawFile; -+static PRBool pk12uForceUnicode; - - PRIntn pk12uErrno = 0; - -@@ -357,6 +358,7 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha - SECItem p12file = { 0 }; - SECStatus rv = SECFailure; - PRBool swapUnicode = PR_FALSE; -+ PRBool forceUnicode = pk12uForceUnicode; - PRBool trypw; - int error; - -@@ -424,6 +426,18 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha - SEC_PKCS12DecoderFinish(p12dcx); - uniPwp->len = 0; - trypw = PR_TRUE; -+ } else if (forceUnicode == pk12uForceUnicode) { -+ /* try again with a different password encoding */ -+ forceUnicode = !pk12uForceUnicode; -+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, -+ forceUnicode); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, "PKCS12 decoding failed to set option"); -+ pk12uErrno = PK12UERR_DECODEVERIFY; -+ break; -+ } -+ SEC_PKCS12DecoderFinish(p12dcx); -+ trypw = PR_TRUE; - } else { - SECU_PrintError(progName, "PKCS12 decode not verified"); - pk12uErrno = PK12UERR_DECODEVERIFY; -@@ -431,6 +445,15 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha - } - } - } while (trypw == PR_TRUE); -+ -+ /* revert the option setting */ -+ if (forceUnicode != pk12uForceUnicode) { -+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, "PKCS12 decoding failed to set option"); -+ pk12uErrno = PK12UERR_DECODEVERIFY; -+ } -+ } - /* rv has been set at this point */ - - done: -@@ -470,6 +493,8 @@ P12U_ImportPKCS12Object(char *in_file, P - { - SEC_PKCS12DecoderContext *p12dcx = NULL; - SECItem uniPwitem = { 0 }; -+ PRBool forceUnicode = pk12uForceUnicode; -+ PRBool trypw; - SECStatus rv = SECFailure; - - rv = P12U_InitSlot(slot, slotPw); -@@ -480,31 +505,62 @@ P12U_ImportPKCS12Object(char *in_file, P - return rv; - } - -- rv = SECFailure; -- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); -+ do { -+ trypw = PR_FALSE; /* normally we do this once */ -+ rv = SECFailure; -+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); - -- if (p12dcx == NULL) { -- goto loser; -- } -+ if (p12dcx == NULL) { -+ goto loser; -+ } - -- /* make sure the bags are okey dokey -- nicknames correct, etc. */ -- rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); -- if (rv != SECSuccess) { -- if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { -- pk12uErrno = PK12UERR_CERTALREADYEXISTS; -- } else { -- pk12uErrno = PK12UERR_DECODEVALIBAGS; -+ /* make sure the bags are okey dokey -- nicknames correct, etc. */ -+ rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); -+ if (rv != SECSuccess) { -+ if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { -+ pk12uErrno = PK12UERR_CERTALREADYEXISTS; -+ } else { -+ pk12uErrno = PK12UERR_DECODEVALIBAGS; -+ } -+ SECU_PrintError(progName, "PKCS12 decode validate bags failed"); -+ goto loser; - } -- SECU_PrintError(progName, "PKCS12 decode validate bags failed"); -- goto loser; -- } - -- /* stuff 'em in */ -- rv = SEC_PKCS12DecoderImportBags(p12dcx); -- if (rv != SECSuccess) { -- SECU_PrintError(progName, "PKCS12 decode import bags failed"); -- pk12uErrno = PK12UERR_DECODEIMPTBAGS; -- goto loser; -+ /* stuff 'em in */ -+ if (forceUnicode != pk12uForceUnicode) { -+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, -+ forceUnicode); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, "PKCS12 decode set option failed"); -+ pk12uErrno = PK12UERR_DECODEIMPTBAGS; -+ goto loser; -+ } -+ } -+ rv = SEC_PKCS12DecoderImportBags(p12dcx); -+ if (rv != SECSuccess) { -+ if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY && -+ forceUnicode == pk12uForceUnicode) { -+ /* try again with a different password encoding */ -+ forceUnicode = !pk12uForceUnicode; -+ SEC_PKCS12DecoderFinish(p12dcx); -+ SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); -+ trypw = PR_TRUE; -+ } else { -+ SECU_PrintError(progName, "PKCS12 decode import bags failed"); -+ pk12uErrno = PK12UERR_DECODEIMPTBAGS; -+ goto loser; -+ } -+ } -+ } while (trypw); -+ -+ /* revert the option setting */ -+ if (forceUnicode != pk12uForceUnicode) { -+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, "PKCS12 decode set option failed"); -+ pk12uErrno = PK12UERR_DECODEIMPTBAGS; -+ goto loser; -+ } - } - - fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName); -@@ -951,6 +1007,7 @@ main(int argc, char **argv) - int keyLen = 0; - int certKeyLen = 0; - secuCommand pk12util; -+ PRInt32 forceUnicode; - - #ifdef _CRTDBG_MAP_ALLOC - _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); -@@ -982,6 +1039,14 @@ main(int argc, char **argv) - Usage(progName); - } - -+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, -+ "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option"); -+ Usage(progName); -+ } -+ pk12uForceUnicode = forceUnicode; -+ - slotname = SECU_GetOptionArg(&pk12util, opt_TokenName); - - import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List) -diff -up nss/lib/nss/nss.h.pk12util-force-unicode nss/lib/nss/nss.h ---- nss/lib/nss/nss.h.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200 -+++ nss/lib/nss/nss.h 2017-09-21 09:49:22.387039226 +0200 -@@ -291,6 +291,15 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu - #define NSS_DTLS_VERSION_MIN_POLICY 0x00a - #define NSS_DTLS_VERSION_MAX_POLICY 0x00b - -+/* Until NSS 3.30, the PKCS#12 implementation used BMPString encoding -+ * for all passwords. This changed to use UTF-8 for non-PKCS#12 PBEs -+ * in NSS 3.31. -+ * -+ * For backward compatibility, this option reverts the behavior to the -+ * old NSS versions. This option might be removed in the future NSS -+ * releases; don't rely on it. */ -+#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c -+ - /* - * Set and get global options for the NSS library. - */ -diff -up nss/lib/nss/nssoptions.c.pk12util-force-unicode nss/lib/nss/nssoptions.c ---- nss/lib/nss/nssoptions.c.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200 -+++ nss/lib/nss/nssoptions.c 2017-09-21 09:49:22.387039226 +0200 -@@ -23,6 +23,7 @@ struct nssOps { - PRInt32 tlsVersionMaxPolicy; - PRInt32 dtlsVersionMinPolicy; - PRInt32 dtlsVersionMaxPolicy; -+ PRInt32 pkcs12DecodeForceUnicode; - }; - - static struct nssOps nss_ops = { -@@ -33,6 +34,7 @@ static struct nssOps nss_ops = { - 0xffff, /* set TLS max to more than the largest legal SSL value */ - 1, - 0xffff, -+ PR_FALSE - }; - - SECStatus -@@ -62,6 +64,9 @@ NSS_OptionSet(PRInt32 which, PRInt32 val - case NSS_DTLS_VERSION_MAX_POLICY: - nss_ops.dtlsVersionMaxPolicy = value; - break; -+ case __NSS_PKCS12_DECODE_FORCE_UNICODE: -+ nss_ops.pkcs12DecodeForceUnicode = value; -+ break; - default: - rv = SECFailure; - } -@@ -96,6 +101,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va - case NSS_DTLS_VERSION_MAX_POLICY: - *value = nss_ops.dtlsVersionMaxPolicy; - break; -+ case __NSS_PKCS12_DECODE_FORCE_UNICODE: -+ *value = nss_ops.pkcs12DecodeForceUnicode; -+ break; - default: - rv = SECFailure; - } -diff -up nss/lib/pkcs12/p12d.c.pk12util-force-unicode nss/lib/pkcs12/p12d.c ---- nss/lib/pkcs12/p12d.c.pk12util-force-unicode 2017-09-21 09:49:22.374039520 +0200 -+++ nss/lib/pkcs12/p12d.c 2017-09-21 09:49:22.388039203 +0200 -@@ -3,6 +3,7 @@ - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - - #include "nssrenam.h" -+#include "nss.h" - #include "p12t.h" - #include "p12.h" - #include "plarena.h" -@@ -126,6 +127,7 @@ struct SEC_PKCS12DecoderContextStr { - SECKEYGetPasswordKey pwfn; - void *pwfnarg; - PRBool swapUnicodeBytes; -+ PRBool forceUnicode; - - /* import information */ - PRBool bagsVerified; -@@ -192,8 +194,18 @@ sec_pkcs12_decoder_get_decrypt_key(void - } - - algorithm = SECOID_GetAlgorithmTag(algid); -- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) -- return NULL; -+ -+ if (p12dcx->forceUnicode) { -+ if (SECITEM_CopyItem(NULL, &pwitem, p12dcx->pwitem) != SECSuccess) { -+ PK11_FreeSlot(slot); -+ return NULL; -+ } -+ } else { -+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) { -+ PK11_FreeSlot(slot); -+ return NULL; -+ } -+ } - - bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); - /* some tokens can't generate PBE keys on their own, generate the -@@ -1164,6 +1176,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, - { - SEC_PKCS12DecoderContext *p12dcx; - PLArenaPool *arena; -+ PRInt32 forceUnicode = PR_FALSE; -+ SECStatus rv; - - arena = PORT_NewArena(2048); /* different size? */ - if (!arena) { -@@ -1196,6 +1210,11 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, - #else - p12dcx->swapUnicodeBytes = PR_FALSE; - #endif -+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); -+ if (rv != SECSuccess) { -+ goto loser; -+ } -+ p12dcx->forceUnicode = forceUnicode; - p12dcx->errorValue = 0; - p12dcx->error = PR_FALSE; - -@@ -2428,7 +2447,7 @@ sec_pkcs12_get_public_value_and_type(SEC - static SECStatus - sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, - unsigned int keyUsage, -- SECItem *nickName, void *wincx) -+ SECItem *nickName, PRBool forceUnicode, void *wincx) - { - SECStatus rv; - SECItem *publicValue = NULL; -@@ -2466,9 +2485,21 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke - &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; - SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); - -- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, -- key->pwitem)) -- return SECFailure; -+ if (forceUnicode) { -+ if (SECITEM_CopyItem(NULL, &pwitem, key->pwitem) != SECSuccess) { -+ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; -+ key->problem = PR_TRUE; -+ return SECFailure; -+ } -+ } else { -+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, -+ key->pwitem)) { -+ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; -+ key->problem = PR_TRUE; -+ return SECFailure; -+ } -+ } -+ - rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, - key->safeBagContent.pkcs8ShroudedKeyBag, - &pwitem, nickName, publicValue, -@@ -2923,7 +2954,8 @@ sec_pkcs12_get_public_value_and_type(SEC - * two passes in sec_pkcs12_validate_bags. - */ - static SECStatus --sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx) -+sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, PRBool forceUnicode, -+ void *wincx) - { - sec_PKCS12SafeBag **keyList; - int i; -@@ -2976,7 +3008,8 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa - key->problem = PR_TRUE; - rv = SECFailure; - } else { -- rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx); -+ rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, -+ forceUnicode, wincx); - } - if (pubKey) { - SECKEY_DestroyPublicKey(pubKey); -@@ -3053,6 +3086,9 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa - SECStatus - SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx) - { -+ PRBool forceUnicode = PR_FALSE; -+ SECStatus rv; -+ - if (!p12dcx || p12dcx->error) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; -@@ -3062,7 +3098,16 @@ SEC_PKCS12DecoderImportBags(SEC_PKCS12De - return SECFailure; - } - -- return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx); -+ /* We need to check the option here as well as in -+ * SEC_PKCS12DecoderStart, because different PBE's could be used -+ * for PKCS #7 and PKCS #8 */ -+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); -+ if (rv != SECSuccess) { -+ return SECFailure; -+ } -+ -+ return sec_pkcs12_install_bags(p12dcx->safeBags, forceUnicode, -+ p12dcx->wincx); - } - - PRBool -diff -up nss/tests/tools/tools.sh.pk12util-force-unicode nss/tests/tools/tools.sh ---- nss/tests/tools/tools.sh.pk12util-force-unicode 2017-09-21 09:49:22.373039542 +0200 -+++ nss/tests/tools/tools.sh 2017-09-21 09:50:06.593062871 +0200 -@@ -106,6 +106,8 @@ tools_init() - cp ${ALICEDIR}/* ${SIGNDIR}/ - mkdir -p ${TOOLSDIR}/html - cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html -+ mkdir -p ${TOOLSDIR}/data -+ cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data - - cd ${TOOLSDIR} - } -@@ -398,6 +400,16 @@ tools_p12_export_list_import_with_defaul - fi - } - -+tools_p12_import_old_files() -+{ -+ echo "$SCRIPTNAME: Importing CA cert & key created with NSS 3.21 --------------" -+ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" -+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 -+ ret=$? -+ html_msg $ret 0 "Importing CA cert & key created with NSS 3.21" -+ check_tmpfile -+} -+ - ############################## tools_p12 ############################### - # local shell function to test basic functionality of pk12util - ######################################################################## -@@ -408,6 +420,7 @@ tools_p12() - tools_p12_export_list_import_all_pkcs5pbe_ciphers - tools_p12_export_list_import_all_pkcs12v2pbe_ciphers - tools_p12_export_with_null_ciphers -+ tools_p12_import_old_files - } - - ############################## tools_sign ############################## diff --git a/SOURCES/nss-pk12util.patch b/SOURCES/nss-pk12util.patch deleted file mode 100644 index e2f7f99..0000000 --- a/SOURCES/nss-pk12util.patch +++ /dev/null @@ -1,765 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1481829086 -3600 -# Thu Dec 15 20:11:26 2016 +0100 -# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057 -# Parent 35ecce23718136f99ca9537007481b4774c57e68 -Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea - -diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c ---- a/lib/pk11wrap/pk11mech.c -+++ b/lib/pk11wrap/pk11mech.c -@@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE - case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -1335,11 +1335,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12 - case SEC_OID_MD2: - integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; - break; -+ case SEC_OID_SHA224: -+ integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN; -+ break; -+ case SEC_OID_SHA256: -+ integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN; -+ break; -+ case SEC_OID_SHA384: -+ integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN; -+ break; -+ case SEC_OID_SHA512: -+ integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN; -+ break; - default: - goto loser; - } - -- symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL); -+ symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL); - PK11_DestroyPBEParams(params); - params = NULL; - if (!symKey) -diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c ---- a/lib/softoken/lowpbe.c -+++ b/lib/softoken/lowpbe.c -@@ -408,7 +408,6 @@ loser: - return result; - } - --#define HMAC_BUFFER 64 - #define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y)) - #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y)) - /* -@@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject * - int iter; - unsigned char *iterBuf; - void *hash = NULL; -+ unsigned int bufferLength; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (!arena) { -@@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject * - /* how many hash object lengths are needed */ - c = (bytesNeeded + (hashLength - 1)) / hashLength; - -+ /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */ -+ bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64); -+ - /* initialize our buffers */ -- D.len = HMAC_BUFFER; -+ D.len = bufferLength; - /* B and D are the same length, use one alloc go get both */ - D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2); - B.len = D.len; -@@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject * - goto loser; - } - -- SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER); -- PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER); -+ SLen = NSSPBE_ROUNDUP(salt->len, bufferLength); -+ PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength); - I.len = SLen + PLen; - I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len); - if (I.data == NULL) { -# HG changeset patch -# User Daiki Ueno -# Date 1485768835 -3600 -# Mon Jan 30 10:33:55 2017 +0100 -# Node ID 09d1a0757431fa52ae025138da654c698141971b -# Parent 806c3106536feea0827ec54729a52b5cbac8a496 -Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea - -diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c ---- a/cmd/pk12util/pk12util.c -+++ b/cmd/pk12util/pk12util.c -@@ -861,6 +861,9 @@ p12u_EnableAllCiphers() - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); -+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); -+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); -+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); - SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); - } - -diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c ---- a/lib/pk11wrap/pk11pbe.c -+++ b/lib/pk11wrap/pk11pbe.c -@@ -4,6 +4,7 @@ - - #include "plarena.h" - -+#include "blapit.h" - #include "seccomon.h" - #include "secitem.h" - #include "secport.h" -@@ -301,17 +302,49 @@ SEC_PKCS5GetPBEAlgorithm(SECOidTag algTa - return SEC_OID_UNKNOWN; - } - -+static PRBool -+sec_pkcs5_is_algorithm_v2_aes_algorithm(SECOidTag algorithm) -+{ -+ switch (algorithm) { -+ case SEC_OID_AES_128_CBC: -+ case SEC_OID_AES_192_CBC: -+ case SEC_OID_AES_256_CBC: -+ return PR_TRUE; -+ default: -+ return PR_FALSE; -+ } -+} -+ -+static int -+sec_pkcs5v2_aes_key_length(SECOidTag algorithm) -+{ -+ switch (algorithm) { -+ /* The key length for the AES-CBC-Pad algorithms are -+ * determined from the undelying cipher algorithm. */ -+ case SEC_OID_AES_128_CBC: -+ return AES_128_KEY_LENGTH; -+ case SEC_OID_AES_192_CBC: -+ return AES_192_KEY_LENGTH; -+ case SEC_OID_AES_256_CBC: -+ return AES_256_KEY_LENGTH; -+ default: -+ break; -+ } -+ return 0; -+} -+ - /* - * get the key length in bytes from a PKCS5 PBE - */ --int --sec_pkcs5v2_key_length(SECAlgorithmID *algid) -+static int -+sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) - { - SECOidTag algorithm; - PLArenaPool *arena = NULL; - SEC_PKCS5PBEParameter p5_param; - SECStatus rv; - int length = -1; -+ SECOidTag cipherAlg = SEC_OID_UNKNOWN; - - algorithm = SECOID_GetAlgorithmTag(algid); - /* sanity check, they should all be PBKDF2 here */ -@@ -330,7 +363,12 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a - goto loser; - } - -- if (p5_param.keyLength.data != NULL) { -+ if (cipherAlgId) -+ cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); -+ -+ if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { -+ length = sec_pkcs5v2_aes_key_length(cipherAlg); -+ } else if (p5_param.keyLength.data != NULL) { - length = DER_GetInteger(&p5_param.keyLength); - } - -@@ -375,14 +413,15 @@ SEC_PKCS5GetKeyLength(SECAlgorithmID *al - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - return 16; - case SEC_OID_PKCS5_PBKDF2: -- return sec_pkcs5v2_key_length(algid); -+ return sec_pkcs5v2_key_length(algid, NULL); - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: { - sec_pkcs5V2Parameter *pbeV2_param; - int length = -1; - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param != NULL) { -- length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); -+ length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId, -+ &pbeV2_param->cipherAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - } - return length; -@@ -614,6 +653,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg - SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); - if (hashAlg != SEC_OID_UNKNOWN) { - keyLength = HASH_ResultLenByOidTag(hashAlg); -+ } else if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlgorithm)) { -+ keyLength = sec_pkcs5v2_aes_key_length(cipherAlgorithm); - } else { - CK_MECHANISM_TYPE cryptoMech; - cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -177,6 +177,9 @@ sec_pkcs12_decoder_get_decrypt_key(void - SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; - PK11SlotInfo *slot; - PK11SymKey *bulkKey; -+ SECItem *pwitem; -+ SECItem decodedPwitem = { 0 }; -+ SECOidTag algorithm; - - if (!p12dcx) { - return NULL; -@@ -189,7 +192,24 @@ sec_pkcs12_decoder_get_decrypt_key(void - slot = PK11_GetInternalKeySlot(); - } - -- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, -+ algorithm = SECOID_GetAlgorithmTag(algid); -+ pwitem = p12dcx->pwitem; -+ -+ /* here we assume that the password is already encoded into -+ * BMPString by the caller. if the encryption scheme is not the -+ * one defined in PKCS #12, decode the password back into -+ * UTF-8. */ -+ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) { -+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem, -+ p12dcx->pwitem, -+ PR_TRUE, PR_FALSE, PR_FALSE)) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ return NULL; -+ } -+ pwitem = &decodedPwitem; -+ } -+ -+ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, - PR_FALSE, p12dcx->wincx); - /* some tokens can't generate PBE keys on their own, generate the - * key in the internal slot, and let the Import code deal with it, -@@ -198,7 +218,7 @@ sec_pkcs12_decoder_get_decrypt_key(void - if (!bulkKey && !PK11_IsInternal(slot)) { - PK11_FreeSlot(slot); - slot = PK11_GetInternalKeySlot(); -- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, -+ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, - PR_FALSE, p12dcx->wincx); - } - PK11_FreeSlot(slot); -@@ -208,6 +228,10 @@ sec_pkcs12_decoder_get_decrypt_key(void - PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL); - } - -+ if (decodedPwitem.data) { -+ SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE); -+ } -+ - return bulkKey; - } - -diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c ---- a/lib/pkcs12/p12e.c -+++ b/lib/pkcs12/p12e.c -@@ -10,6 +10,7 @@ - #include "seccomon.h" - #include "secport.h" - #include "cert.h" -+#include "secpkcs5.h" - #include "secpkcs7.h" - #include "secasn1.h" - #include "secerr.h" -@@ -378,19 +379,36 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC - safeInfo->itemCount = 0; - - /* create the encrypted safe */ -- safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, -- p12ctxt->pwfnarg); -+ if (!SEC_PKCS5IsAlgorithmPBEAlgTag(privAlg) && -+ PK11_AlgtagToMechanism(privAlg) == CKM_AES_CBC) { -+ safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2, -+ privAlg, -+ SEC_OID_UNKNOWN, -+ 0, -+ p12ctxt->pwfn, -+ p12ctxt->pwfnarg); -+ } else { -+ safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, -+ p12ctxt->pwfnarg); -+ } - if (!safeInfo->cinfo) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } - safeInfo->arena = p12ctxt->arena; - -- /* convert the password to unicode */ -- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, -- PR_TRUE, PR_TRUE, PR_TRUE)) { -- PORT_SetError(SEC_ERROR_NO_MEMORY); -- goto loser; -+ if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) { -+ /* convert the password to unicode */ -+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, -+ PR_TRUE, PR_TRUE, PR_TRUE)) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ goto loser; -+ } -+ } else { -+ if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ goto loser; -+ } - } - if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) { - PORT_SetError(SEC_ERROR_NO_MEMORY); -diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c ---- a/lib/pkcs12/p12local.c -+++ b/lib/pkcs12/p12local.c -@@ -949,6 +949,33 @@ sec_pkcs12_convert_item_to_unicode(PLAre - return PR_TRUE; - } - -+PRBool -+sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm) -+{ -+ switch (algorithm) { -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: -+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: -+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: -+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: -+ /* those are actually PKCS #5 v1.5 PBEs, but we -+ * historically treat them in the same way as PKCS #12 -+ * PBEs */ -+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: -+ case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: -+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: -+ return PR_TRUE; -+ default: -+ return PR_FALSE; -+ } -+} -+ - /* pkcs 12 templates */ - static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser = - sec_pkcs12_choose_shroud_type; -diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h ---- a/lib/pkcs12/p12local.h -+++ b/lib/pkcs12/p12local.h -@@ -55,4 +55,6 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo - void *wincx, SEC_PKCS12SafeContents *safe, - SEC_PKCS12Baggage *baggage); - -+extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm); -+ - #endif -diff --git a/lib/pkcs12/p12plcy.c b/lib/pkcs12/p12plcy.c ---- a/lib/pkcs12/p12plcy.c -+++ b/lib/pkcs12/p12plcy.c -@@ -24,6 +24,9 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] - { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE }, - { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE }, - { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE }, -+ { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE }, -+ { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE }, -+ { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE }, - { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE }, - { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE } - }; -diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c ---- a/lib/pkcs7/p7create.c -+++ b/lib/pkcs7/p7create.c -@@ -1245,3 +1245,56 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a - - return cinfo; - } -+ -+SEC_PKCS7ContentInfo * -+SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, -+ SECOidTag cipher_algorithm, -+ SECOidTag prf_algorithm, -+ int keysize, -+ SECKEYGetPasswordKey pwfn, void *pwfn_arg) -+{ -+ SEC_PKCS7ContentInfo *cinfo; -+ SECAlgorithmID *algid; -+ SEC_PKCS7EncryptedData *enc_data; -+ SECStatus rv; -+ -+ PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm)); -+ -+ cinfo = sec_pkcs7_create_content_info(SEC_OID_PKCS7_ENCRYPTED_DATA, -+ PR_FALSE, pwfn, pwfn_arg); -+ if (cinfo == NULL) -+ return NULL; -+ -+ enc_data = cinfo->content.encryptedData; -+ algid = &(enc_data->encContentInfo.contentEncAlg); -+ -+ SECAlgorithmID *pbe_algid; -+ pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm, -+ cipher_algorithm, -+ prf_algorithm, -+ keysize, -+ NSS_PBE_DEFAULT_ITERATION_COUNT, -+ NULL); -+ if (pbe_algid == NULL) { -+ rv = SECFailure; -+ } else { -+ rv = SECOID_CopyAlgorithmID(cinfo->poolp, algid, pbe_algid); -+ SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE); -+ } -+ -+ if (rv != SECSuccess) { -+ SEC_PKCS7DestroyContentInfo(cinfo); -+ return NULL; -+ } -+ -+ rv = sec_pkcs7_init_encrypted_content_info(&(enc_data->encContentInfo), -+ cinfo->poolp, -+ SEC_OID_PKCS7_DATA, PR_FALSE, -+ cipher_algorithm, keysize); -+ if (rv != SECSuccess) { -+ SEC_PKCS7DestroyContentInfo(cinfo); -+ return NULL; -+ } -+ -+ return cinfo; -+} -diff --git a/lib/pkcs7/secpkcs7.h b/lib/pkcs7/secpkcs7.h ---- a/lib/pkcs7/secpkcs7.h -+++ b/lib/pkcs7/secpkcs7.h -@@ -287,6 +287,26 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a - SECKEYGetPasswordKey pwfn, void *pwfn_arg); - - /* -+ * Create an empty PKCS7 encrypted content info. -+ * -+ * Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of -+ * creating encrypted content for PKCS #5 v2 algorithms. -+ * -+ * "pbe_algorithm" specifies the PBE algorithm to use. -+ * "cipher_algorithm" specifies the bulk encryption algorithm to use. -+ * "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses. -+ * -+ * An error results in a return value of NULL and an error set. -+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().) -+ */ -+extern SEC_PKCS7ContentInfo * -+SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, -+ SECOidTag cipher_algorithm, -+ SECOidTag prf_algorithm, -+ int keysize, -+ SECKEYGetPasswordKey pwfn, void *pwfn_arg); -+ -+/* - * All of the following things return SECStatus to signal success or failure. - * Failure should have a more specific error status available via - * PORT_GetError()/XP_GetError(). -diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh ---- a/tests/tools/tools.sh -+++ b/tests/tools/tools.sh -@@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2 - CAMELLIA-256-CBC; do - - #--------------------------------------------------------------- --# Bug 452464 - pk12util -o fails when -C option specifies AES or -+# Bug 452464 - pk12util -o fails when -C option specifies - # Camellia ciphers - # FIXME Restore these to the list --# AES-128-CBC, \ --# AES-192-CBC, \ --# AES-256-CBC, \ - # CAMELLIA-128-CBC, \ - # CAMELLIA-192-CBC, \ - # CAMELLIA-256-CBC, \ -@@ -287,6 +284,9 @@ tools_p12_export_list_import_all_pkcs5v2 - for cert_cipher in \ - RC2-CBC \ - DES-EDE3-CBC \ -+ AES-128-CBC \ -+ AES-192-CBC \ -+ AES-256-CBC \ - null; do - export_list_import ${key_cipher} ${cert_cipher} - done -# HG changeset patch -# User Daiki Ueno -# Date 1491303138 -7200 -# Tue Apr 04 12:52:18 2017 +0200 -# Node ID ef11922df67881332f1fa200c7ae21b9c30cec76 -# Parent 7228445b43ac095ebc0eee330d6a351b898ebbdd -Bug 1353325, pkcs12: don't encode password if non-PKCS12 PBEs is used, r=rrelyea - -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -177,8 +177,7 @@ sec_pkcs12_decoder_get_decrypt_key(void - SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; - PK11SlotInfo *slot; - PK11SymKey *bulkKey; -- SECItem *pwitem; -- SECItem decodedPwitem = { 0 }; -+ SECItem pwitem = { 0 }; - SECOidTag algorithm; - - if (!p12dcx) { -@@ -193,24 +192,10 @@ sec_pkcs12_decoder_get_decrypt_key(void - } - - algorithm = SECOID_GetAlgorithmTag(algid); -- pwitem = p12dcx->pwitem; -- -- /* here we assume that the password is already encoded into -- * BMPString by the caller. if the encryption scheme is not the -- * one defined in PKCS #12, decode the password back into -- * UTF-8. */ -- if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) { -- if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem, -- p12dcx->pwitem, -- PR_TRUE, PR_FALSE, PR_FALSE)) { -- PORT_SetError(SEC_ERROR_NO_MEMORY); -- return NULL; -- } -- pwitem = &decodedPwitem; -- } -- -- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, -- PR_FALSE, p12dcx->wincx); -+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) -+ return NULL; -+ -+ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); - /* some tokens can't generate PBE keys on their own, generate the - * key in the internal slot, and let the Import code deal with it, - * (if the slot can't generate PBEs, then we need to use the internal -@@ -218,8 +203,7 @@ sec_pkcs12_decoder_get_decrypt_key(void - if (!bulkKey && !PK11_IsInternal(slot)) { - PK11_FreeSlot(slot); - slot = PK11_GetInternalKeySlot(); -- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, -- PR_FALSE, p12dcx->wincx); -+ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); - } - PK11_FreeSlot(slot); - -@@ -228,8 +212,8 @@ sec_pkcs12_decoder_get_decrypt_key(void - PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL); - } - -- if (decodedPwitem.data) { -- SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE); -+ if (pwitem.data) { -+ SECITEM_ZfreeItem(&pwitem, PR_FALSE); - } - - return bulkKey; -@@ -2476,13 +2460,25 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke - nickName, publicValue, PR_TRUE, PR_TRUE, - keyUsage, wincx); - break; -- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: -+ case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: { -+ SECItem pwitem = { 0 }; -+ SECAlgorithmID *algid = -+ &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; -+ SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); -+ -+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, -+ key->pwitem)) -+ return SECFailure; - rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, - key->safeBagContent.pkcs8ShroudedKeyBag, -- key->pwitem, nickName, publicValue, -+ &pwitem, nickName, publicValue, - PR_TRUE, PR_TRUE, keyType, keyUsage, - wincx); -+ if (pwitem.data) { -+ SECITEM_ZfreeItem(&pwitem, PR_FALSE); -+ } - break; -+ } - default: - key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION; - key->problem = PR_TRUE; -diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c ---- a/lib/pkcs12/p12e.c -+++ b/lib/pkcs12/p12e.c -@@ -397,18 +397,9 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC - } - safeInfo->arena = p12ctxt->arena; - -- if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) { -- /* convert the password to unicode */ -- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, -- PR_TRUE, PR_TRUE, PR_TRUE)) { -- PORT_SetError(SEC_ERROR_NO_MEMORY); -- goto loser; -- } -- } else { -- if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) { -- PORT_SetError(SEC_ERROR_NO_MEMORY); -- goto loser; -- } -+ if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ goto loser; - } - if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) { - PORT_SetError(SEC_ERROR_NO_MEMORY); -@@ -1221,8 +1212,8 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12Export - SECKEYEncryptedPrivateKeyInfo *epki = NULL; - PK11SlotInfo *slot = NULL; - -- if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem, -- pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) { -+ if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm, -+ pwitem)) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } -diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c ---- a/lib/pkcs12/p12local.c -+++ b/lib/pkcs12/p12local.c -@@ -976,6 +976,46 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi - } - } - -+/* this function decodes a password from Unicode if necessary, -+ * according to the PBE algorithm. -+ * -+ * we assume that the pwitem is already encoded in Unicode by the -+ * caller. if the encryption scheme is not the one defined in PKCS -+ * #12, decode the pwitem back into UTF-8. */ -+PRBool -+sec_pkcs12_decode_password(PLArenaPool *arena, -+ SECItem *result, -+ SECOidTag algorithm, -+ const SECItem *pwitem) -+{ -+ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) -+ return sec_pkcs12_convert_item_to_unicode(arena, result, -+ (SECItem *)pwitem, -+ PR_TRUE, PR_FALSE, PR_FALSE); -+ -+ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; -+} -+ -+/* this function encodes a password into Unicode if necessary, -+ * according to the PBE algorithm. -+ * -+ * we assume that the pwitem holds a raw password. if the encryption -+ * scheme is the one defined in PKCS #12, encode the password into -+ * BMPString. */ -+PRBool -+sec_pkcs12_encode_password(PLArenaPool *arena, -+ SECItem *result, -+ SECOidTag algorithm, -+ const SECItem *pwitem) -+{ -+ if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) -+ return sec_pkcs12_convert_item_to_unicode(arena, result, -+ (SECItem *)pwitem, -+ PR_TRUE, PR_TRUE, PR_TRUE); -+ -+ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; -+} -+ - /* pkcs 12 templates */ - static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser = - sec_pkcs12_choose_shroud_type; -diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h ---- a/lib/pkcs12/p12local.h -+++ b/lib/pkcs12/p12local.h -@@ -57,4 +57,13 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo - - extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm); - -+extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena, -+ SECItem *result, -+ SECOidTag algorithm, -+ const SECItem *pwitem); -+extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena, -+ SECItem *result, -+ SECOidTag algorithm, -+ const SECItem *pwitem); -+ - #endif -# HG changeset patch -# User Daiki Ueno -# Date 1491397923 -7200 -# Wed Apr 05 15:12:03 2017 +0200 -# Node ID c9af3144ac8cd7e2203817a334a9f814649e86b0 -# Parent 769f9ae07b103494af809620478e60256a344adc -fix key length calculation for PKCS#5 DES-EDE3-CBC-Pad - -diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c ---- a/lib/pk11wrap/pk11pbe.c -+++ b/lib/pk11wrap/pk11pbe.c -@@ -370,6 +370,13 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a - length = sec_pkcs5v2_aes_key_length(cipherAlg); - } else if (p5_param.keyLength.data != NULL) { - length = DER_GetInteger(&p5_param.keyLength); -+ } else { -+ CK_MECHANISM_TYPE cipherMech; -+ cipherMech = PK11_AlgtagToMechanism(cipherAlg); -+ if (cipherMech == CKM_INVALID_MECHANISM) { -+ goto loser; -+ } -+ length = PK11_GetMaxKeyLength(cipherMech); - } - - loser: -diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h ---- a/lib/pk11wrap/pk11priv.h -+++ b/lib/pk11wrap/pk11priv.h -@@ -106,6 +106,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert( - void *wincx, PK11SlotInfo **pSlot); - PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); -+unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType); - - /********************************************************************** - * Certs -diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c ---- a/lib/pk11wrap/pk11slot.c -+++ b/lib/pk11wrap/pk11slot.c -@@ -2291,6 +2291,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE m - } - } - } -+ -+ /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */ -+ if (keyLength == 0) { -+ CK_KEY_TYPE keyType; -+ keyType = PK11_GetKeyType(mechanism, 0); -+ keyLength = pk11_GetPredefinedKeyLength(keyType); -+ } -+ - if (le) - PK11_FreeSlotListElement(list, le); - if (freeit) diff --git a/SOURCES/nss-pss-fixes.patch b/SOURCES/nss-pss-fixes.patch new file mode 100644 index 0000000..964e792 --- /dev/null +++ b/SOURCES/nss-pss-fixes.patch @@ -0,0 +1,649 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1510136005 -3600 +# Wed Nov 08 11:13:25 2017 +0100 +# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62 +# Parent d515199921dd703087f7e0e03eb71058a015934d +Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt + +Reviewers: mt, rrelyea + +Reviewed By: mt + +Bug #: 1415171 + +Differential Revision: https://phabricator.services.mozilla.com/D202 + +diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c +--- a/cmd/lib/secutil.c ++++ b/cmd/lib/secutil.c +@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte + SECU_Indent(out, level + 1); + fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); + } else { +- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1); ++ SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); + } + } else { + SECU_Indent(out, level + 1); +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ + } + +- rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); +- if (rv != SECSuccess) { +- return rv; ++ if (params->saltLength.data) { ++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); ++ if (rv != SECSuccess) { ++ return rv; ++ } ++ } else { ++ saltLength = 20; /* default, 20 */ + } + mech->sLen = saltLength; + +diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c +--- a/lib/cryptohi/secsign.c ++++ b/lib/cryptohi/secsign.c +@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * + SECKEYRSAPSSParams pssParams; + int modBytes, hashLength; + unsigned long saltLength; ++ PRBool defaultSHA1 = PR_FALSE; + SECStatus rv; + + if (key->keyType != rsaKey && key->keyType != rsaPssKey) { +@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * + if (rv != SECSuccess) { + return NULL; + } ++ defaultSHA1 = PR_TRUE; + } + + if (pssParams.trailerField.data) { +@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool * + /* Determine the hash algorithm to use, based on hashAlgTag and + * pssParams.hashAlg; there are four cases */ + if (hashAlgTag != SEC_OID_UNKNOWN) { ++ SECOidTag tag = SEC_OID_UNKNOWN; ++ + if (pssParams.hashAlg) { +- if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) { +- PORT_SetError(SEC_ERROR_INVALID_ARGS); +- return NULL; +- } ++ tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); ++ } else if (defaultSHA1) { ++ tag = SEC_OID_SHA1; ++ } ++ ++ if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return NULL; + } + } else if (hashAlgTag == SEC_OID_UNKNOWN) { + if (pssParams.hashAlg) { + hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); ++ } else if (defaultSHA1) { ++ hashAlgTag = SEC_OID_SHA1; + } else { + /* Find a suitable hash algorithm based on the NIST recommendation */ + if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ +@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool * + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } ++ } else if (defaultSHA1) { ++ if (hashAlgTag != SEC_OID_SHA1) { ++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); ++ return NULL; ++ } + } + + hashLength = HASH_ResultLenByOidTag(hashAlgTag); +@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool * + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } ++ } else if (defaultSHA1) { ++ saltLength = 20; + } + + /* Fill in the parameters */ +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -516,6 +516,9 @@ cert_all_CA() + cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 + rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert + ++ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 ++ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert + + # + # Create EC version of TestCA +@@ -2054,7 +2057,7 @@ check_sign_algo() + { + certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ + sed -n '/^ *Data:/,/^$/{ +-/^ Signature Algorithm/,/^ *Salt Length/s/^ //p ++/^ Signature Algorithm/,/^ *Salt length/s/^ //p + }' > ${TMP}/signalgo.txt + + diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt +@@ -2088,6 +2091,12 @@ cert_test_rsapss() + CU_ACTION="Verify RSA-PSS CA Cert" + certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" + ++ CU_ACTION="Import RSA-PSS CA Cert (SHA1)" ++ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 ++ ++ CERTSERIAL=200 ++ + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign) +@@ -2098,7 +2107,7 @@ cert_test_rsapss() + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) +@@ -2127,7 +2138,7 @@ EOF + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-512 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-512 +- Salt Length: 64 (0x40) ++ Salt length: 64 (0x40) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS +@@ -2156,7 +2169,69 @@ EOF + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's Cert" ++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${CERTNAME}.cert" 2>&1 ++ ++ CU_ACTION="Verify $CERTNAME's Cert" ++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" ++ cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's Cert" ++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${CERTNAME}.cert" 2>&1 ++ ++ CU_ACTION="Verify $CERTNAME's Cert" ++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" ++ cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA-PSS +- # Issuer certificate: RSA +- # Signature: RSA-PSS (explicit, with --pss-sign) +- CERTNAME="TestUser-rsa-pss4" ++ # Issuer certificate: RSA-PSS ++ # Signature: RSA-PSS (implicit, without --pss-sign) ++ CERTNAME="TestUser-rsa-pss6" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \ ++ # Sign without --pss-sign nor -Z option ++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (explicit, with --pss-sign) +- CERTNAME="TestUser-rsa-pss5" ++ # Signature: RSA-PSS (with conflicting hash algorithm) ++ CERTNAME="TestUser-rsa-pss7" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \ ++ RETEXPECTED=255 ++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ RETEXPECTED=0 ++ ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ ++ # Subject certificate: RSA-PSS ++ # Issuer certificate: RSA-PSS ++ # Signature: RSA-PSS (with compatible hash algorithm) ++ CERTNAME="TestUser-rsa-pss8" ++ ++ CU_ACTION="Generate Cert Request for $CERTNAME" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + +- # Subject certificate: RSA-PSS +- # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (implicit, without --pss-sign) +- CERTNAME="TestUser-rsa-pss6" ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ ++ # Subject certificate: RSA ++ # Issuer certificate: RSA ++ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) ++ CERTNAME="TestUser-rsa-pss9" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" +- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2255,39 +2354,27 @@ EOF + cat > ${TMP}/signalgo.exp <&1 ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- RETEXPECTED=255 +- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \ +- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 +- RETEXPECTED=0 +- +- # Subject certificate: RSA-PSS +- # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (with compatible hash algorithm) +- CERTNAME="TestUser-rsa-pss8" +- +- CU_ACTION="Generate Cert Request for $CERTNAME" +- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" +- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 +- +- CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \ ++ # Sign without --pss-sign nor -Z option ++ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2299,12 +2386,29 @@ EOF + cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ RETEXPECTED=255 ++ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ RETEXPECTED=0 + } + + ############################## cert_cleanup ############################ +# HG changeset patch +# User Daiki Ueno +# Date 1514884761 -3600 +# Tue Jan 02 10:19:21 2018 +0100 +# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af +# Parent e577b1df8dabb31466cebad07fdbe0883290bede +Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt + +Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm. + +Reviewers: mt + +Reviewed By: mt + +Bug #: 1423557 + +Differential Revision: https://phabricator.services.mozilla.com/D322 + +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t + return CKM_SHA384; + case SEC_OID_SHA256: + return CKM_SHA256; ++ case SEC_OID_SHA224: ++ return CKM_SHA224; ++ case SEC_OID_SHA1: ++ return CKM_SHA_1; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); +- /* fallthrough */ +- case SEC_OID_SHA1: +- break; ++ return CKM_INVALID_MECHANISM; + } +- return CKM_SHA_1; + } + + static CK_RSA_PKCS_MGF_TYPE +@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag) + return CKG_MGF1_SHA384; + case SEC_OID_SHA256: + return CKG_MGF1_SHA256; ++ case SEC_OID_SHA224: ++ return CKG_MGF1_SHA224; ++ case SEC_OID_SHA1: ++ return CKG_MGF1_SHA1; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); +- /* fallthrough */ +- case SEC_OID_SHA1: +- break; ++ return 0; + } +- return CKG_MGF1_SHA1; + } + + SECStatus +@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + SECStatus rv = SECSuccess; + SECOidTag hashAlgTag; + unsigned long saltLength; ++ unsigned long trailerField; + + PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); + +@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */ + } + mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag); ++ if (mech->hashAlg == CKM_INVALID_MECHANISM) { ++ return SECFailure; ++ } + + if (params->maskAlg) { + SECAlgorithmID maskHashAlg; +@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + } + maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg); + mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag); ++ if (mech->mgf == 0) { ++ return SECFailure; ++ } + } else { + mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ + } +@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + } + mech->sLen = saltLength; + ++ if (params->trailerField.data) { ++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField); ++ if (rv != SECSuccess) { ++ return rv; ++ } ++ if (trailerField != 1) { ++ /* the value must be 1, which represents the trailer field ++ * with hexadecimal value 0xBC */ ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return SECFailure; ++ } ++ } ++ + return rv; + } +diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt +new file mode 100644 +--- /dev/null ++++ b/tests/cert/TestCA-bogus-rsa-pss1.crt +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA ++oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ ++BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp ++biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB ++IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa ++GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp ++Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO ++U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl ++ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG ++CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB ++AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX ++yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo ++SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK ++xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07 ++/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK ++Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC ++BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow ++OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA ++ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8 ++HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba ++nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh ++pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA ++hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh ++uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA= ++-----END CERTIFICATE----- +diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt +new file mode 100644 +--- /dev/null ++++ b/tests/cert/TestCA-bogus-rsa-pss2.crt +@@ -0,0 +1,24 @@ ++-----BEGIN CERTIFICATE----- ++MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh ++GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT ++MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw ++EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT ++IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2 ++NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH ++Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T ++UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3 ++DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6 ++7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x ++Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj ++sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa ++eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu ++aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg ++hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E ++BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN ++AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY ++fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D ++difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+ ++4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2 ++g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT ++0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ== ++-----END CERTIFICATE----- +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -2095,6 +2095,20 @@ cert_test_rsapss() + certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + ++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" ++ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 ++ RETEXPECTED=255 ++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 ++ RETEXPECTED=0 ++ ++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" ++ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 ++ RETEXPECTED=255 ++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 ++ RETEXPECTED=0 ++ + CERTSERIAL=200 + + # Subject certificate: RSA diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch new file mode 100644 index 0000000..7a75e50 --- /dev/null +++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch @@ -0,0 +1,47 @@ +diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc +--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2017-10-06 16:41:39.223713982 +0200 +@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 + // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and + // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so + // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519. +- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) { ++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ++ // a higher priority than AES-128 GCM. ++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) { + return ssl_grp_ec_secp384r1; + } + return ssl_grp_ec_curve25519; +@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P( + ::testing::Values(TlsAgent::kServerEcdsa256), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256))); ++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ++ // a higher priority than AES-128 GCM, and that causes the following ++ // 3 TLS 1.2 tests to fail. + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +- TlsConnectTestBase::kTlsV12Plus, ++ TlsConnectTestBase::kTlsV13, + ::testing::Values(TlsAgent::kServerEcdsa384), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384))); + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +- TlsConnectTestBase::kTlsV12Plus, ++ TlsConnectTestBase::kTlsV13, + ::testing::Values(TlsAgent::kServerEcdsa521), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512))); ++#if 0 + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P( + TlsAgent::kServerEcdsa384), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_sha1))); ++#endif + } diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch index 6c7fb1d..02bf308 100644 --- a/SOURCES/nss-skip-util-gtest.patch +++ b/SOURCES/nss-skip-util-gtest.patch @@ -1,34 +1,33 @@ diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn ---- nss/gtests/manifest.mn.skip-util-gtests 2017-01-30 02:06:08.000000000 +0100 -+++ nss/gtests/manifest.mn 2017-02-17 12:55:55.064026636 +0100 -@@ -9,7 +9,6 @@ DIRS = \ - google_test \ - common \ - der_gtest \ -- util_gtest \ - pk11_gtest \ - ssl_gtest \ - nss_bogo_shim \ -diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn ---- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-02-17 12:55:55.063026657 +0100 -+++ nss/gtests/ssl_gtest/manifest.mn 2017-02-17 12:55:55.064026636 +0100 -@@ -48,6 +48,6 @@ REQUIRES = nspr nss libdbm gtest +--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200 +@@ -32,6 +32,5 @@ endif - PROGRAM = ssl_gtest - EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ -- $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) -+ -lsoftokn3 + DIRS = \ + $(LIB_SRCDIRS) \ +- $(UTIL_SRCDIRS) \ + $(NSS_SRCDIRS) \ + $(NULL) +diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn +--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200 +@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest + EXTRA_LIBS += \ + $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ ++ -lsoftokn3 + $(NULL) USE_STATIC_LIBS = 1 diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh ---- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-02-17 12:56:49.434880888 +0100 -+++ nss/tests/gtests/gtests.sh 2017-02-17 12:56:54.677770408 +0100 -@@ -82,7 +82,7 @@ gtest_cleanup() +--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200 +@@ -83,7 +83,7 @@ gtest_cleanup() } ################## main ################################################# --GTESTS="der_gtest pk11_gtest util_gtest" -+GTESTS="der_gtest pk11_gtest" +-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest" ++GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest" + SOURCE_DIR="$PWD"/../.. gtest_init $0 gtest_start - gtest_cleanup diff --git a/SOURCES/nss-ssl3gthr.patch b/SOURCES/nss-ssl3gthr.patch deleted file mode 100644 index 438b0f2..0000000 --- a/SOURCES/nss-ssl3gthr.patch +++ /dev/null @@ -1,301 +0,0 @@ -diff -up nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_gather_unittest.cc ---- nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr 2017-04-28 14:40:23.579583263 +0200 -+++ nss/gtests/ssl_gtest/ssl_gather_unittest.cc 2017-04-28 14:40:23.579583263 +0200 -@@ -0,0 +1,153 @@ -+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -+/* vim: set ts=2 et sw=2 tw=80: */ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this file, -+ * You can obtain one at http://mozilla.org/MPL/2.0/. */ -+ -+#include "gtest_utils.h" -+#include "tls_connect.h" -+ -+namespace nss_test { -+ -+class GatherV2ClientHelloTest : public TlsConnectTestBase { -+ public: -+ GatherV2ClientHelloTest() : TlsConnectTestBase(STREAM, 0) {} -+ -+ void ConnectExpectMalformedClientHello(const DataBuffer &data) { -+ EnsureTlsSetup(); -+ -+ auto alert_recorder = new TlsAlertRecorder(); -+ server_->SetPacketFilter(alert_recorder); -+ -+ client_->SendDirect(data); -+ server_->StartConnect(); -+ server_->Handshake(); -+ ASSERT_TRUE_WAIT( -+ (server_->error_code() == SSL_ERROR_RX_MALFORMED_CLIENT_HELLO), 2000); -+ -+ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -+ EXPECT_EQ(illegal_parameter, alert_recorder->description()); -+ } -+}; -+ -+// Gather a 5-byte v3 record, with a zero fragment length. The empty handshake -+// message should be ignored, and the connection will succeed afterwards. -+TEST_F(TlsConnectTest, GatherEmptyV3Record) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x16, 1); // handshake -+ idx = buffer.Write(idx, 0x0301, 2); // record_version -+ (void)buffer.Write(idx, 0U, 2); // length=0 -+ -+ EnsureTlsSetup(); -+ client_->SendDirect(buffer); -+ Connect(); -+} -+ -+// Gather a 5-byte v3 record, with a fragment length exceeding the maximum. -+TEST_F(TlsConnectTest, GatherExcessiveV3Record) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x16, 1); // handshake -+ idx = buffer.Write(idx, 0x0301, 2); // record_version -+ (void)buffer.Write(idx, MAX_FRAGMENT_LENGTH + 2048 + 1, 2); // length=max+1 -+ -+ EnsureTlsSetup(); -+ auto alert_recorder = new TlsAlertRecorder(); -+ server_->SetPacketFilter(alert_recorder); -+ client_->SendDirect(buffer); -+ server_->StartConnect(); -+ server_->Handshake(); -+ ASSERT_TRUE_WAIT((server_->error_code() == SSL_ERROR_RX_RECORD_TOO_LONG), -+ 2000); -+ -+ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); -+ EXPECT_EQ(record_overflow, alert_recorder->description()); -+} -+ -+// Gather a 3-byte v2 header, with a fragment length of 2. -+TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x0002, 2); // length=2 (long header) -+ idx = buffer.Write(idx, 0U, 1); // padding=0 -+ (void)buffer.Write(idx, 0U, 2); // data -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 3-byte v2 header, with a fragment length of 1. -+TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader2) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x0001, 2); // length=1 (long header) -+ idx = buffer.Write(idx, 0U, 1); // padding=0 -+ idx = buffer.Write(idx, 0U, 1); // data -+ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total) -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 3-byte v2 header, with a zero fragment length. -+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordLongHeader) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0U, 2); // length=0 (long header) -+ idx = buffer.Write(idx, 0U, 1); // padding=0 -+ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total) -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 2-byte v2 header, with a fragment length of 3. -+TEST_F(GatherV2ClientHelloTest, GatherV2RecordShortHeader) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x8003, 2); // length=3 (short header) -+ (void)buffer.Write(idx, 0U, 3); // data -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 2-byte v2 header, with a fragment length of 2. -+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader2) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x8002, 2); // length=2 (short header) -+ idx = buffer.Write(idx, 0U, 2); // data -+ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total) -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 2-byte v2 header, with a fragment length of 1. -+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader3) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x8001, 2); // length=1 (short header) -+ idx = buffer.Write(idx, 0U, 1); // data -+ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total) -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+// Gather a 2-byte v2 header, with a zero fragment length. -+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x8000, 2); // length=0 (short header) -+ (void)buffer.Write(idx, 0U, 3); // surplus (need 5 bytes total) -+ -+ ConnectExpectMalformedClientHello(buffer); -+} -+ -+} // namespace nss_test -diff -up nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr nss/gtests/ssl_gtest/ssl_gtest.gyp ---- nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr 2017-04-28 14:40:23.579583263 +0200 -+++ nss/gtests/ssl_gtest/ssl_gtest.gyp 2017-04-28 14:42:07.853153503 +0200 -@@ -25,6 +25,7 @@ - 'ssl_exporter_unittest.cc', - 'ssl_extension_unittest.cc', - 'ssl_fuzz_unittest.cc', -+ 'ssl_gather_unittest.cc', - 'ssl_gtest.cc', - 'ssl_hrr_unittest.cc', - 'ssl_loopback_unittest.cc', -diff -up nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc ---- nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr 2017-04-05 14:23:56.000000000 +0200 -+++ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc 2017-04-28 14:40:23.579583263 +0200 -@@ -202,6 +202,28 @@ TEST_P(SSLv2ClientHelloTest, Connect) { - Connect(); - } - -+// Sending a v2 ClientHello after a no-op v3 record must fail. -+TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) { -+ DataBuffer buffer; -+ -+ size_t idx = 0; -+ idx = buffer.Write(idx, 0x16, 1); // handshake -+ idx = buffer.Write(idx, 0x0301, 2); // record_version -+ (void)buffer.Write(idx, 0U, 2); // length=0 -+ -+ SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA); -+ EnsureTlsSetup(); -+ client_->SendDirect(buffer); -+ -+ // Need padding so the connection doesn't just time out. With a v2 -+ // ClientHello parsed as a v3 record we will use the record version -+ // as the record length. -+ SetPadding(255); -+ -+ ConnectExpectFail(); -+ EXPECT_EQ(SSL_ERROR_BAD_CLIENT, server_->error_code()); -+} -+ - // Test negotiating TLS 1.3. - TEST_F(SSLv2ClientHelloTestF, Connect13) { - EnsureTlsSetup(); -diff -up nss/lib/ssl/ssl3gthr.c.ssl3gthr nss/lib/ssl/ssl3gthr.c ---- nss/lib/ssl/ssl3gthr.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200 -+++ nss/lib/ssl/ssl3gthr.c 2017-04-28 14:40:23.579583263 +0200 -@@ -32,6 +32,7 @@ ssl3_InitGather(sslGather *gs) - gs->readOffset = 0; - gs->dtlsPacketOffset = 0; - gs->dtlsPacket.len = 0; -+ gs->rejectV2Records = PR_FALSE; - status = sslBuffer_Grow(&gs->buf, 4096); - return status; - } -@@ -147,8 +148,11 @@ ssl3_GatherData(sslSocket *ss, sslGather - switch (gs->state) { - case GS_HEADER: - /* Check for SSLv2 handshakes. Always assume SSLv3 on clients, -- * support SSLv2 handshakes only when ssl2gs != NULL. */ -- if (!ssl2gs || ssl3_isLikelyV3Hello(gs->hdr)) { -+ * support SSLv2 handshakes only when ssl2gs != NULL. -+ * Always assume v3 after we received the first record. */ -+ if (!ssl2gs || -+ ss->gs.rejectV2Records || -+ ssl3_isLikelyV3Hello(gs->hdr)) { - /* Should have a non-SSLv2 record header in gs->hdr. Extract - * the length of the following encrypted data, and then - * read in the rest of the record into gs->inbuf. */ -@@ -183,7 +187,7 @@ ssl3_GatherData(sslSocket *ss, sslGather - /* This is the max length for an encrypted SSLv3+ fragment. */ - if (!v2HdrLength && - gs->remainder > (MAX_FRAGMENT_LENGTH + 2048)) { -- SSL3_SendAlert(ss, alert_fatal, unexpected_message); -+ SSL3_SendAlert(ss, alert_fatal, record_overflow); - gs->state = GS_INIT; - PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); - return SECFailure; -@@ -205,13 +209,28 @@ ssl3_GatherData(sslSocket *ss, sslGather - * many into the gs->hdr[] buffer. Copy them over into inbuf so - * that we can properly process the hello record later. */ - if (v2HdrLength) { -+ /* Reject v2 records that don't even carry enough data to -+ * resemble a valid ClientHello header. */ -+ if (gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES) { -+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter); -+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); -+ return SECFailure; -+ } -+ -+ PORT_Assert(lbp); - gs->inbuf.len = 5 - v2HdrLength; - PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len); - gs->remainder -= gs->inbuf.len; - lbp += gs->inbuf.len; - } - -- break; /* End this case. Continue around the loop. */ -+ if (gs->remainder > 0) { -+ break; /* End this case. Continue around the loop. */ -+ } -+ -+ /* FALL THROUGH if (gs->remainder == 0) as we just received -+ * an empty record and there's really no point in calling -+ * ssl_DefRecv() with buf=NULL and len=0. */ - - case GS_DATA: - /* -@@ -219,6 +238,10 @@ ssl3_GatherData(sslSocket *ss, sslGather - */ - SSL_TRC(10, ("%d: SSL[%d]: got record of %d bytes", - SSL_GETPID(), ss->fd, gs->inbuf.len)); -+ -+ /* reject any v2 records from now on */ -+ ss->gs.rejectV2Records = PR_TRUE; -+ - gs->state = GS_INIT; - return 1; - } -diff -up nss/lib/ssl/ssldef.c.ssl3gthr nss/lib/ssl/ssldef.c ---- nss/lib/ssl/ssldef.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200 -+++ nss/lib/ssl/ssldef.c 2017-04-28 14:40:23.579583263 +0200 -@@ -66,6 +66,8 @@ ssl_DefRecv(sslSocket *ss, unsigned char - PRFileDesc *lower = ss->fd->lower; - int rv; - -+ PORT_Assert(buf && len > 0); -+ - rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout); - if (rv < 0) { - DEFINE_ERROR -diff -up nss/lib/ssl/sslimpl.h.ssl3gthr nss/lib/ssl/sslimpl.h ---- nss/lib/ssl/sslimpl.h.ssl3gthr 2017-04-28 14:40:23.566583566 +0200 -+++ nss/lib/ssl/sslimpl.h 2017-04-28 14:40:23.580583240 +0200 -@@ -367,6 +367,10 @@ struct sslGatherStr { - - /* the start of the buffered DTLS record in dtlsPacket */ - unsigned int dtlsPacketOffset; -+ -+ /* tracks whether we've seen a v3-type record before and must reject -+ * any further v2-type records. */ -+ PRBool rejectV2Records; - }; - - /* sslGather.state */ diff --git a/SOURCES/nss-tools-sha256-default.patch b/SOURCES/nss-tools-sha256-default.patch deleted file mode 100644 index 288d5d8..0000000 --- a/SOURCES/nss-tools-sha256-default.patch +++ /dev/null @@ -1,107 +0,0 @@ -# HG changeset patch -# User Kai Engert -# Date 1489096275 -3600 -# Thu Mar 09 22:51:15 2017 +0100 -# Node ID 848abc2061a45b8387893891e814b80db1e2bd53 -# Parent 482e9cbb16f13cd22f9ef7b5a73a4e3ea68ecf82 -Bug 1345106, Don't use SHA1 by default for signatures in the NSS library and in certutil, crlutil and cmsutil, r=rrelyea - -diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c ---- a/cmd/smimetools/cmsutil.c -+++ b/cmd/smimetools/cmsutil.c -@@ -84,7 +84,7 @@ Usage(char *progName) - " where id can be a certificate nickname or email address\n" - " -S create a CMS signed data message\n" - " -G include a signing time attribute\n" -- " -H hash use hash (default:SHA1)\n" -+ " -H hash use hash (default:SHA256)\n" - " -N nick use certificate named \"nick\" for signing\n" - " -P include a SMIMECapabilities attribute\n" - " -T do not include content in CMS message\n" -@@ -1097,7 +1097,7 @@ main(int argc, char **argv) - signOptions.signingTime = PR_FALSE; - signOptions.smimeProfile = PR_FALSE; - signOptions.encryptionKeyPreferenceNick = NULL; -- signOptions.hashAlgTag = SEC_OID_SHA1; -+ signOptions.hashAlgTag = SEC_OID_SHA256; - envelopeOptions.recipients = NULL; - encryptOptions.recipients = NULL; - encryptOptions.envmsg = NULL; -diff --git a/cmd/smimetools/smime b/cmd/smimetools/smime ---- a/cmd/smimetools/smime -+++ b/cmd/smimetools/smime -@@ -199,8 +199,8 @@ sub signentity($$) - # construct a new multipart/signed MIME entity consisting of the original content and - # the signature - # -- # (we assume that cmsutil generates a SHA1 digest) -- $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n"; -+ # (we assume that cmsutil generates a SHA256 digest) -+ $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n"; - $out .= "\n"; # end of entity header - $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment - $out .= "\n--${boundary}\n"; -diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c ---- a/lib/cryptohi/secsign.c -+++ b/lib/cryptohi/secsign.c -@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECI - if (algID == SEC_OID_UNKNOWN) { - switch (pk->keyType) { - case rsaKey: -- algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; -+ algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; - break; - case dsaKey: - /* get Signature length (= q_len*2) and work from there */ - switch (PK11_SignatureLen(pk)) { -+ case 320: -+ algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; -+ break; - case 448: - algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; - break; - case 512: -+ default: - algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; - break; -- default: -- algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; -- break; - } - break; - case ecKey: -- algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; -+ algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_KEY); -@@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType - break; - case dsaKey: - switch (hashAlgTag) { -- case SEC_OID_UNKNOWN: /* default for DSA if not specified */ - case SEC_OID_SHA1: - sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; - break; - case SEC_OID_SHA224: - sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; - break; -+ case SEC_OID_UNKNOWN: /* default for DSA if not specified */ - case SEC_OID_SHA256: - sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; - break; -@@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType - break; - case ecKey: - switch (hashAlgTag) { -- case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ - case SEC_OID_SHA1: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; - break; - case SEC_OID_SHA224: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; - break; -+ case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ - case SEC_OID_SHA256: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; - break; diff --git a/SOURCES/nss-transcript.patch b/SOURCES/nss-transcript.patch deleted file mode 100644 index 170b3bc..0000000 --- a/SOURCES/nss-transcript.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User Martin Thomson -# Date 1501813647 -36000 -# Fri Aug 04 12:27:27 2017 +1000 -# Node ID 839200ce0943166a079284bdf45dcc37bb672925 -# Parent 6254e8431392863fd0aa7e70c311add48af05775 -Bug 1377618 - Simplify handling of CertificateVerify, r=kaie - -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -9758,13 +9758,12 @@ ssl3_HandleCertificateVerify(sslSocket * - - hashAlg = ssl_SignatureSchemeToHashType(sigScheme); - -- if (hashes->u.pointer_to_hash_input.data) { -- rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data, -- hashes->u.pointer_to_hash_input.len, -- hashAlg, &localHashes); -- } else { -- rv = SECFailure; -- } -+ /* Read from the message buffer, but we need to use only up to the end -+ * of the previous handshake message. The length of the transcript up to -+ * that point is saved in |hashes->u.transcriptLen|. */ -+ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf, -+ hashes->u.transcriptLen, -+ hashAlg, &localHashes); - - if (rv == SECSuccess) { - hashesForVerify = &localHashes; -@@ -11664,15 +11663,15 @@ ssl3_HandleHandshakeMessage(sslSocket *s - * additional handshake messages will have been added to the - * buffer, e.g. the certificate_verify message itself.) - * -- * Therefore, we use SSL3Hashes.u.pointer_to_hash_input -- * to signal the current state of the buffer. -+ * Therefore, we use SSL3Hashes.u.transcriptLen to save how much -+ * data there is and read directly from ss->ssl3.hs.messages -+ * when calculating the hashes. - * - * ssl3_HandleCertificateVerify will detect - * hashType == handshake_hash_record - * and use that information to calculate the hash. - */ -- hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf; -- hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len; -+ hashes.u.transcriptLen = ss->ssl3.hs.messages.len; - hashesPtr = &hashes; - } else { - computeHashes = PR_TRUE; -diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h ---- a/lib/ssl/ssl3prot.h -+++ b/lib/ssl/ssl3prot.h -@@ -236,7 +236,7 @@ typedef struct { - union { - PRUint8 raw[64]; - SSL3HashesIndividually s; -- SECItem pointer_to_hash_input; -+ unsigned int transcriptLen; - } u; - } SSL3Hashes; - diff --git a/SOURCES/nss-tstclnt-optspec.patch b/SOURCES/nss-tstclnt-optspec.patch deleted file mode 100644 index e76dba0..0000000 --- a/SOURCES/nss-tstclnt-optspec.patch +++ /dev/null @@ -1,21 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1487602422 -3600 -# Mon Feb 20 15:53:42 2017 +0100 -# Branch wip/dueno/tstclnt-optstate -# Node ID ec284d402a5a691e2694fe27d8ab2e95d525f5ab -# Parent ec6b5abc4187459458779d1e90bc8500a011eb3a -tstclnt: use correct option spec for -W - -diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c ---- a/cmd/tstclnt/tstclnt.c -+++ b/cmd/tstclnt/tstclnt.c -@@ -1509,7 +1509,7 @@ main(int argc, char **argv) - /* XXX: 'B' was used in the past but removed in 3.28, - * please leave some time before resuing it. */ - optstate = PL_CreateOptState(argc, argv, -- "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); -+ "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); - while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { - switch (optstate->option) { - case '?': diff --git a/SOURCES/race.patch b/SOURCES/race.patch deleted file mode 100644 index 3ffb787..0000000 --- a/SOURCES/race.patch +++ /dev/null @@ -1,123 +0,0 @@ -diff -up nss/lib/pk11wrap/pk11util.c.race nss/lib/pk11wrap/pk11util.c ---- nss/lib/pk11wrap/pk11util.c.race 2017-01-13 17:43:25.829686952 +0100 -+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:47:56.374041802 +0100 -@@ -1297,7 +1297,7 @@ SECMOD_HasRemovableSlots(SECMODModule *m - */ - static SECStatus - secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, -- const char *sendSpec) -+ const char *sendSpec, PRBool needlock) - { - CK_OBJECT_HANDLE dummy; - CK_ATTRIBUTE template[2]; -@@ -1312,16 +1312,16 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O - - PORT_Assert(attrs - template <= 2); - -- PK11_EnterSlotMonitor(slot); -+ if (needlock) PK11_EnterSlotMonitor(slot); - crv = PK11_CreateNewObject(slot, slot->session, - template, attrs - template, PR_FALSE, &dummy); -- PK11_ExitSlotMonitor(slot); -+ if (needlock) PK11_ExitSlotMonitor(slot); - - if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } -- return SECMOD_UpdateSlotList(slot->module); -+ return SECSuccess; - } - - /* -@@ -1330,11 +1330,20 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O - static PRBool - secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID) - { -- PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID); -+ PK11SlotInfo *slot = SECMOD_FindSlotByID(mod, slotID); - if (slot) { -- PRBool present = PK11_IsPresent(slot); -+ CK_SLOT_INFO slotInfo; -+ CK_RV crv; -+ /* check if the slot is present, skip any slot reinit stuff, -+ * or cached present values, or locking. (we don't need to lock -+ * even if the module is not thread safe because we are already -+ * holding the module refLock, which is the same as the slot -+ * sessionLock if the module isn't thread safe. */ -+ crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo); - PK11_FreeSlot(slot); -- if (present) { -+ if ((crv == CKR_OK) && -+ ((slotInfo.flags & CKF_TOKEN_PRESENT) == CKF_TOKEN_PRESENT)) { -+ /* slot is present, so it's not empty */ - return PR_FALSE; - } - } -@@ -1390,24 +1399,29 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co - char *sendSpec; - SECStatus rv; - -+ PZ_Lock(mod->refLock); /* don't reuse a slot on the fly */ - slotID = secmod_FindFreeSlot(mod); - if (slotID == (CK_SLOT_ID)-1) { -+ PZ_Unlock(mod->refLock); - return NULL; - } - - if (mod->slotCount == 0) { -+ PZ_Unlock(mod->refLock); - return NULL; - } - - /* just grab the first slot in the module, any present slot should work */ - slot = PK11_ReferenceSlot(mod->slots[0]); - if (slot == NULL) { -+ PZ_Unlock(mod->refLock); - return NULL; - } - - /* we've found the slot, now build the moduleSpec */ - escSpec = NSSUTIL_DoubleEscape(moduleSpec, '>', ']'); - if (escSpec == NULL) { -+ PZ_Unlock(mod->refLock); - PK11_FreeSlot(slot); - return NULL; - } -@@ -1416,16 +1430,26 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co - - if (sendSpec == NULL) { - /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */ -+ PZ_Unlock(mod->refLock); - PK11_FreeSlot(slot); - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; - } -- rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec); -+ rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec, -+ /* If the module isn't thread safe, the slot sessionLock == mod->refLock -+ * since we already hold the refLock we don't need to lock the sessionLock -+ */ -+ mod->isThreadSafe); -+ PZ_Unlock(mod->refLock); - PR_smprintf_free(sendSpec); - PK11_FreeSlot(slot); - if (rv != SECSuccess) { - return NULL; - } -+ rv = SECMOD_UpdateSlotList(mod); /* don't call holding the mod->reflock */ -+ if (rv != SECSuccess) { -+ return NULL; -+ } - - slot = SECMOD_FindSlotByID(mod, slotID); - if (slot) { -@@ -1558,7 +1582,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot) - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } -- rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec); -+ rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec, PR_TRUE); - PR_smprintf_free(sendSpec); - /* if we are in the delay period for the "isPresent" call, reset - * the delay since we know things have probably changed... */ diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 635f246..ad8821b 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,13 +1,13 @@ -%global nspr_version 4.13.1 -%global nss_util_version 3.28.4 -%global nss_util_build -2 +%global nspr_version 4.17.0 +%global nss_util_version 3.34.0 +%global nss_util_build -1 # adjust to the version that gets submitted for FIPS validation -%global nss_softokn_fips_version 3.16.2 -%global nss_softokn_version 3.28.3 +%global nss_softokn_fips_version 3.34.0 +%global nss_softokn_version 3.34.0 # Attention: Separate softokn versions for build and runtime. -%global runtime_required_softokn_build_version -4 -# Building NSS doesn't require the softokn -13 build. -%global build_required_softokn_build_version -4 +%global runtime_required_softokn_build_version -1 +# Building NSS doesn't require the same version of softokn built for runtime. +%global build_required_softokn_build_version -1 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -26,8 +26,8 @@ Summary: Network Security Services Name: nss -Version: 3.28.4 -Release: 15%{?dist} +Version: 3.34.0 +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -113,54 +113,34 @@ Patch55: enable-fips-when-system-is-in-fips-mode.patch Patch56: p-ignore-setpolicy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144 Patch62: nss-fix-deadlock-squash.patch -# Two patches from from rhel6.8 that are also needed for rhel-7 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373 -Patch74: race.patch -Patch94: nss-3.16-token-init-race.patch Patch100: fix-min-library-version-in-SSLVersionRange.patch Patch108: nss-sni-c-v-fix.patch Patch123: nss-skip-util-gtest.patch Patch126: nss-reorder-cipher-suites.patch Patch127: nss-disable-cipher-suites.patch Patch128: nss-enable-cipher-suites.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932 -Patch129: moz-1320932.patch -# Disable RSA-PSS until the feature is complete -Patch130: disable-pss.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054 -Patch132: nss-tstclnt-optspec.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1336487 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345083 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1350859 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1349705 -Patch133: nss-1334976-1336487-1345083-ca-2.14.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=956866 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1360207 -Patch134: nss-alert-handler.patch +Patch130: nss-reorder-cipher-suites-gtests.patch +Patch131: nss-disable-tls13-gtests.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch135: nss-check-policy-file.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345106 -Patch136: nss-tools-sha256-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1297397 -Patch137: nss-is-token-present-race.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1353724 -Patch138: nss-pk12util.patch -Patch139: nss-disable-pss-gtests.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122 -Patch140: nss-ssl3gthr.patch # Work around for yum # https://bugzilla.redhat.com/show_bug.cgi?id=1469526 Patch141: nss-sysinit-getenv.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618 -Patch142: nss-transcript.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867 -Patch143: nss-pk12util-force-unicode.patch -# Not upstreamed yet: -# https://bugzilla.redhat.com/show_bug.cgi?id=1493911 + +# Patches backported from 3.35: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265 Patch144: nss-pk12util-faulty-aes.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071 +Patch145: nss-increase-pkcs12-iterations.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847 +Patch146: nss-modutil-suppress-password.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361 +Patch147: nss-certutil-suppress-password.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171 +Patch148: nss-pss-fixes.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373 +Patch149: nss-is-token-present-race.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -254,30 +234,23 @@ pushd nss %patch56 -p1 -b .1026677_ignore_set_policy %patch62 -p1 -b .fix_deadlock %patch100 -p0 -b .1171318 -%patch74 -p1 -b .race popd -%patch94 -p0 -b .init-token-race %patch108 -p0 -b .sni_c_v_fix pushd nss %patch123 -p1 -b .skip-util-gtests %patch126 -p1 -b .reorder-cipher-suites %patch127 -p1 -b .disable-cipher-suites %patch128 -p1 -b .enable-cipher-suites -%patch129 -p1 -b .fix_ssl_sh_typo -%patch130 -p1 -b .disable_pss -%patch132 -p1 -b .tstclnt-optspec -%patch133 -p1 -b .mozilla-ca-policy-plus-ca-2.14 -%patch134 -p1 -b .alert-handler +%patch130 -p1 -b .reorder-cipher-suites-gtests +%patch131 -p1 -b .disable-tls13-gtests %patch135 -p1 -b .check_policy_file -%patch136 -p1 -b .tools-sha256-default -%patch137 -p1 -b .is-token-present-race -%patch138 -p1 -b .pk12util -%patch139 -p1 -b .disable-pss-gtests -%patch140 -p1 -b .ssl3gthr %patch141 -p1 -b .sysinit-getenv -%patch142 -p1 -b .transcript -%patch143 -p1 -b .pk12util-force-unicode %patch144 -p1 -b .pk12util-faulty-aes +%patch145 -p1 -b .increase-pkcs12-iterations +%patch146 -p1 -b .suppress-modutil-password +%patch147 -p1 -b .suppress-certutil-password +%patch148 -p1 -b .pss-fixes +%patch149 -p1 -b .is-token-present-race popd ######################################################### @@ -381,6 +354,9 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1 ##### phase 2: build the rest of nss export NSS_BLTEST_NOT_AVAILABLE=1 + +export NSS_DISABLE_TLS_1_3=1 + %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm @@ -492,6 +468,10 @@ export USE_64 export NSS_BLTEST_NOT_AVAILABLE=1 +export NSS_DISABLE_TLS_1_3=1 + +export NSS_FORCE_FIPS=1 + # needed for the fips mangling test export SOFTOKEN_LIB_DIR=%{_libdir} @@ -846,6 +826,7 @@ fi %{_includedir}/nss3/smime.h %{_includedir}/nss3/ssl.h %{_includedir}/nss3/sslerr.h +%{_includedir}/nss3/sslexp.h %{_includedir}/nss3/sslproto.h %{_includedir}/nss3/sslt.h @@ -868,20 +849,51 @@ fi %changelog -* Wed Sep 27 2017 Daiki Ueno - 3.28.4-15 +* Mon Jan 15 2018 Daiki Ueno - 3.34.0-4 +- Re-enable nss-is-token-present-race.patch + +* Fri Jan 5 2018 Daiki Ueno - 3.34.0-3 +- Temporarily disable nss-is-token-present-race.patch + +* Thu Jan 4 2018 Daiki Ueno - 3.34.0-2 +- Backport necessary changes from 3.35 + +* Fri Nov 24 2017 Daiki Ueno - 3.34.0-1 +- Rebase to NSS 3.34 + +* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1 +- Rebase to NSS 3.34.BETA1 + +* Wed Oct 25 2017 Daiki Ueno - 3.33.0-3 +- Disable TLS 1.3 + +* Wed Oct 18 2017 Daiki Ueno - 3.33.0-2 +- Enable TLS 1.3 + +* Mon Oct 16 2017 Daiki Ueno - 3.33.0-1 +- Rebase to NSS 3.33 +- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants) +- Temporarily disable race.patch and nss-3.16-token-init-race.patch, + which causes a deadlock in newly added test cases +- Remove upstreamed patches: moz-1320932.patch, + nss-tstclnt-optspec.patch, + nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch, + nss-tools-sha256-default.patch, nss-is-token-present-race.patch, + nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch + +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-14 - Add backward compatibility to pk12util regarding faulty PBES2 AES encryption -* Thu Sep 21 2017 Daiki Ueno - 3.28.4-14 +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-13 - Update iquote.patch to prefer nss.h from the source -* Wed Sep 20 2017 Daiki Ueno - 3.28.4-13 +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-12 - Add backward compatibility to pk12util regarding password encoding -* Fri Aug 4 2017 Daiki Ueno - 3.28.4-12 +* Thu Aug 10 2017 Daiki Ueno - 3.28.4-11 - Backport patch to simplify transcript calculation for CertificateVerify - -* Fri Jul 14 2017 Daiki Ueno - 3.28.4-11 -- Rebuild to get correct release suffix (.el7 -> .el7_4) +- Enable TLS 1.3 and RSA-PSS +- Disable some upstream tests failing due to downstream ciphersuites changes * Thu Jul 13 2017 Daiki Ueno - 3.28.4-10 - Work around yum crash due to new NSPR symbol being used in nss-sysinit,