diff --git a/.gitignore b/.gitignore
index 51984f5..55cb85a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.18.0.tar.gz
+SOURCES/nss-3.19.1.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index f1cb2d2..07697ae 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-38889e39147cf4d6ccd46dbb28f24ee69b2033c1 SOURCES/nss-3.18.0.tar.gz
+9e20dee2137265e61ce8a70daaf44fe0315fdb81 SOURCES/nss-3.19.1.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/expired-cert.patch b/SOURCES/expired-cert.patch
deleted file mode 100644
index 2754190..0000000
--- a/SOURCES/expired-cert.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg ---- a/tests/chains/scenarios/realcerts.cfg -+++ b/tests/chains/scenarios/realcerts.cfg -@@ -16,14 +16,14 @@ import BrAirWaysBadSig:x: - - verify TestUser50:x - result pass - - verify TestUser51:x - result pass - - verify PayPalEE:x -- policy OID.2.16.840.1.113733.1.7.23.6 -+ policy OID.2.16.840.1.114412.1.1 - result pass - - verify BrAirWaysBadSig:x - result fail - -diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst ---- a/tests/libpkix/vfychain_test.lst -+++ b/tests/libpkix/vfychain_test.lst -@@ -1,4 +1,4 @@ - # Status | Leaf Cert | Policies | Others(undef) - 0 TestUser50 undef - 0 TestUser51 undef --0 PayPalEE OID.2.16.840.1.113733.1.7.23.6 -+0 PayPalEE OID.2.16.840.1.114412.1.1 diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index 6e03b38..02f9de8 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch @@ -187,3 +187,14 @@ diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile +--- ./nss/lib/ssl/Makefile.iquote 2015-06-05 15:42:16.661963153 -0700 ++++ ./nss/lib/ssl/Makefile 2015-06-05 15:43:25.862697604 -0700 +@@ -49,6 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss + + + ####################################################################### diff --git a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch deleted file mode 100644 index 3e95d9b..0000000 --- a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch +++ /dev/null 
@@ -1,326 +0,0 @@ -diff -up ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 ./nss/lib/ckfw/builtins/certdata.txt ---- ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100 -+++ ./nss/lib/ckfw/builtins/certdata.txt 2015-04-23 18:49:24.536940322 +0200 -@@ -187,9 +187,9 @@ END - CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\004\065\336\364\317 - END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements." -@@ -17341,149 +17341,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_ - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" --# --# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR --# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5 --# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR --# Not Valid Before: Thu Jan 04 11:32:48 2007 --# Not Valid After : Wed Jan 04 11:32:48 2017 --# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B --# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 --\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 
--\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 --\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 --\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 --\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 --\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 --\141\171\151\143\151\163\151 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 --\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 --\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 --\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 --\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 --\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 --\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 --\141\171\151\143\151\163\151 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333 --\254\265 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104 --\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060 --\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165 --\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060 --\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156 --\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151 --\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003 --\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154 --\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151 --\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171 --\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061 --\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061 --\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006 
--\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105 --\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040 --\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074 --\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156 --\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040 --\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164 --\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042 --\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 --\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040 --\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325 --\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124 --\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363 --\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234 --\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123 --\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013 --\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213 --\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307 --\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274 --\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060 --\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002 --\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054 --\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256 --\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265 --\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224 --\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001 --\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377 --\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377 --\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 --\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004 
--\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015 --\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143 --\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317 --\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012 --\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337 --\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122 --\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164 --\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147 --\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343 --\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234 --\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237 --\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227 --\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056 --\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353 --\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152 --\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010 --\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043 --\336\102\343\055\202\361\017\345\372\227 --END -- --# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" --# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR --# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5 --# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR --# Not Valid Before: Thu Jan 04 11:32:48 2007 --# Not Valid After : Wed Jan 04 11:32:48 2017 --# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B --# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet 
Saglayicisi" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261 --\375\231\101\064 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133 --END --CKA_ISSUER MULTILINE_OCTAL --\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 --\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 --\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 --\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 --\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 --\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 --\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 --\141\171\151\143\151\163\151 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333 --\254\265 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "GlobalSign Root CA - R3" - # - # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 -@@ -31590,3 +31447,146 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_T - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -+ -+# -+# Certificate "Explicitly Distrusted MCSHOLDING CA" -+# -+# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN -+# Serial Number: 1228079246 (0x4933008e) -+# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG -+# Not Valid Before: Thu Mar 19 06:20:09 2015 -+# Not Valid After : Fri Apr 03 06:20:09 2015 -+# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61 -+# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76 
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA" -+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -+CKA_SUBJECT MULTILINE_OCTAL -+\060\074\061\013\060\011\006\003\125\004\006\023\002\105\107\061 -+\023\060\021\006\003\125\004\012\014\012\115\103\123\110\117\114 -+\104\111\116\107\061\030\060\026\006\003\125\004\003\014\017\115 -+\103\123\110\117\114\104\111\116\107\040\124\105\123\124 -+END -+CKA_ID UTF8 "0" -+CKA_ISSUER MULTILINE_OCTAL -+\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -+\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 -+\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 -+\122\117\117\124 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\004\111\063\000\216 -+END -+CKA_VALUE MULTILINE_OCTAL -+\060\202\004\222\060\202\003\172\240\003\002\001\002\002\004\111 -+\063\000\216\060\015\006\011\052\206\110\206\367\015\001\001\013 -+\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103 -+\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111 -+\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111 -+\103\040\122\117\117\124\060\036\027\015\061\065\060\063\061\071 -+\060\066\062\060\060\071\132\027\015\061\065\060\064\060\063\060 -+\066\062\060\060\071\132\060\074\061\013\060\011\006\003\125\004 -+\006\023\002\105\107\061\023\060\021\006\003\125\004\012\014\012 -+\115\103\123\110\117\114\104\111\116\107\061\030\060\026\006\003 -+\125\004\003\014\017\115\103\123\110\117\114\104\111\116\107\040 -+\124\105\123\124\060\202\001\042\060\015\006\011\052\206\110\206 -+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012 -+\002\202\001\001\000\245\371\165\014\006\256\356\014\021\315\226 -+\063\115\153\316\300\112\014\075\135\353\322\113\011\177\347\107 -+\054\254\161\000\371\010\257\064\361\243\152\307\374\346\253\316 
-+\320\276\312\315\052\230\230\271\320\216\063\111\007\141\040\321 -+\132\064\316\203\024\006\171\216\032\277\333\344\240\070\072\356 -+\224\271\243\240\130\072\211\024\254\140\076\003\324\307\315\073 -+\034\260\232\210\032\111\020\251\260\262\375\345\350\341\004\342 -+\352\202\155\376\014\121\105\221\255\165\042\256\377\117\220\013 -+\300\123\145\167\076\036\302\126\265\066\306\326\205\314\016\203 -+\032\063\037\166\231\133\053\227\053\213\327\321\024\025\114\235 -+\131\327\200\057\244\242\205\325\210\066\002\140\125\312\130\337 -+\223\374\112\142\007\226\323\304\372\277\215\001\047\227\057\246 -+\134\164\361\072\102\156\135\171\024\060\061\032\074\331\262\127 -+\115\340\270\077\017\151\061\242\235\145\231\331\326\061\207\265 -+\230\046\337\360\313\273\025\300\044\023\142\122\032\153\313\105 -+\007\227\343\304\224\136\311\015\107\054\351\317\351\364\217\376 -+\065\341\062\347\061\002\003\001\000\001\243\202\001\244\060\202 -+\001\240\060\166\006\010\053\006\001\005\005\007\001\001\004\152 -+\060\150\060\051\006\010\053\006\001\005\005\007\060\001\206\035 -+\150\164\164\160\072\057\057\157\143\163\160\143\156\156\151\143 -+\162\157\157\164\056\143\156\156\151\143\056\143\156\060\073\006 -+\010\053\006\001\005\005\007\060\002\206\057\150\164\164\160\072 -+\057\057\167\167\167\056\143\156\156\151\143\056\143\156\057\144 -+\157\167\156\154\157\141\144\057\143\145\162\164\057\103\116\116 -+\111\103\122\117\117\124\056\143\145\162\060\037\006\003\125\035 -+\043\004\030\060\026\200\024\145\362\061\255\052\367\367\335\122 -+\226\012\307\002\301\016\357\246\325\073\021\060\017\006\003\125 -+\035\023\001\001\377\004\005\060\003\001\001\377\060\077\006\003 -+\125\035\040\004\070\060\066\060\064\006\012\053\006\001\004\001 -+\201\351\014\001\006\060\046\060\044\006\010\053\006\001\005\005 -+\007\002\001\026\030\150\164\164\160\072\057\057\167\167\167\056 -+\143\156\156\151\143\056\143\156\057\143\160\163\057\060\201\206 
-+\006\003\125\035\037\004\177\060\175\060\102\240\100\240\076\244 -+\074\060\072\061\013\060\011\006\003\125\004\006\023\002\103\116 -+\061\016\060\014\006\003\125\004\012\014\005\103\116\116\111\103 -+\061\014\060\012\006\003\125\004\013\014\003\143\162\154\061\015 -+\060\013\006\003\125\004\003\014\004\143\162\154\061\060\067\240 -+\065\240\063\206\061\150\164\164\160\072\057\057\143\162\154\056 -+\143\156\156\151\143\056\143\156\057\144\157\167\156\154\157\141 -+\144\057\162\157\157\164\163\150\141\062\143\162\154\057\103\122 -+\114\061\056\143\162\154\060\013\006\003\125\035\017\004\004\003 -+\002\001\006\060\035\006\003\125\035\016\004\026\004\024\104\244 -+\211\253\024\137\075\157\040\074\252\174\372\031\256\364\110\140 -+\005\265\060\015\006\011\052\206\110\206\367\015\001\001\013\005 -+\000\003\202\001\001\000\134\264\365\123\233\117\271\340\204\211 -+\061\276\236\056\352\236\041\113\245\217\155\241\246\363\057\110 -+\353\351\333\255\036\061\200\320\171\073\020\357\232\044\367\223 -+\033\065\363\032\302\307\302\054\012\177\157\133\361\137\163\221 -+\004\373\015\171\015\351\032\006\326\203\375\116\140\235\154\222 -+\103\114\352\144\230\104\253\327\373\107\320\257\037\144\114\342 -+\335\167\150\026\302\054\241\240\201\227\000\102\037\176\040\170 -+\350\306\120\035\013\177\025\223\131\130\100\024\204\360\247\220 -+\153\066\005\147\352\177\042\155\273\321\245\046\115\263\060\244 -+\130\324\133\265\032\214\120\214\270\015\341\240\007\263\017\130 -+\316\327\005\265\175\065\171\157\242\333\014\000\052\150\044\214 -+\176\234\301\166\111\272\174\146\021\336\362\107\316\376\320\316 -+\125\276\010\332\362\171\046\052\025\071\316\153\030\246\337\330 -+\207\050\231\224\016\055\150\241\232\316\122\066\234\053\354\264 -+\150\263\154\025\254\313\160\102\362\304\101\245\310\374\041\170 -+\123\167\062\040\251\041\114\162\342\323\262\311\166\033\030\130 -+\102\013\102\222\263\344 -+END -+ -+# Distrust "Explicitly Distrusted MCSHOLDING CA" -+# Issuer: CN=CNNIC 
ROOT,O=CNNIC,C=CN -+# Serial Number: 1228079246 (0x4933008e) -+# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG -+# Not Valid Before: Thu Mar 19 06:20:09 2015 -+# Not Valid After : Fri Apr 03 06:20:09 2015 -+# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61 -+# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76 -+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA" -+CKA_CERT_SHA1_HASH MULTILINE_OCTAL -+\341\363\131\036\166\230\145\304\344\107\254\303\176\257\311\342 -+\277\344\305\166 -+END -+CKA_CERT_MD5_HASH MULTILINE_OCTAL -+\366\212\253\024\076\326\060\045\267\111\015\167\205\160\231\313 -+END -+CKA_ISSUER MULTILINE_OCTAL -+\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -+\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 -+\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 -+\122\117\117\124 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\004\111\063\000\216 -+END -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED -+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED -+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -diff -up ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 ./nss/lib/ckfw/builtins/nssckbi.h ---- ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100 -+++ ./nss/lib/ckfw/builtins/nssckbi.h 2015-04-23 18:49:24.575939481 +0200 -@@ -45,8 +45,8 @@ - * of the comment in the CK_VERSION type definition. 
- */ - #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 --#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3 --#define NSS_BUILTINS_LIBRARY_VERSION "2.3" -+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4 -+#define NSS_BUILTINS_LIBRARY_VERSION "2.4" - - /* These version numbers detail the semantic changes to the ckfw engine. */ - #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch index f24e91c..ab0b10a 100644 --- a/SOURCES/nss-revert-tls-version-defaults.patch +++ b/SOURCES/nss-revert-tls-version-defaults.patch 
@@ -1,37 +1,20 @@ - -# HG changeset patch -# User Martin Thomson -# Date 1425582301 -3600 -# Node ID 3c8e2b57803654f9cc74a37132d72fd0b8a59db5 -# Parent ad602a80ac1013dcd8b7508e0f8474d81e447d4a -Bug 1083900, Enable TLS 1.2 in the default NSS configuration, r=rrelyea - -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = { - PR_FALSE /* enableFallbackSCSV */ - }; - - /* +diff -up nss/lib/ssl/sslsock.c.keep_tls_default nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.keep_tls_default 2015-06-05 15:23:25.816895506 -0700 ++++ nss/lib/ssl/sslsock.c 2015-06-05 15:24:05.343176138 -0700 +@@ -89,13 +89,13 @@ static sslOptions ssl_defaults = { * default range of enabled SSL/TLS protocols */ static SSLVersionRange versions_defaults_stream = { - SSL_LIBRARY_VERSION_3_0, -- SSL_LIBRARY_VERSION_TLS_1_0 -+ SSL_LIBRARY_VERSION_TLS_1_2 +- SSL_LIBRARY_VERSION_TLS_1_0, +- SSL_LIBRARY_VERSION_TLS_1_2 ++ SSL_LIBRARY_VERSION_3_0, ++ SSL_LIBRARY_VERSION_TLS_1_0 }; static SSLVersionRange versions_defaults_datagram = { SSL_LIBRARY_VERSION_TLS_1_1, -- SSL_LIBRARY_VERSION_TLS_1_1 -+ SSL_LIBRARY_VERSION_TLS_1_2 +- SSL_LIBRARY_VERSION_TLS_1_2 ++ SSL_LIBRARY_VERSION_TLS_1_1 }; #define VERSIONS_DEFAULTS(variant) \ - (variant == ssl_variant_stream ? &versions_defaults_stream : \ - &versions_defaults_datagram) - - sslSessionIDLookupFunc ssl_sid_lookup; - sslSessionIDCacheFunc ssl_sid_cache; - diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch new file mode 100644 index 0000000..1ed9a82 --- /dev/null +++ b/SOURCES/ssl-server-min-key-sizes.patch 
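Review bot: The regenerated patch now lowers the stream minimum as well as the maximum: the new-side lines `++ SSL_LIBRARY_VERSION_3_0,` / `++ SSL_LIBRARY_VERSION_TLS_1_0` replace the base tree's `SSL_LIBRARY_VERSION_TLS_1_0,` / `SSL_LIBRARY_VERSION_TLS_1_2` in versions_defaults_stream, so SSL 3.0 becomes enabled by default again, whereas the previous version of the patch (the removed `--`/`-+` pair) only pinned the maximum to TLS 1.0. The changelog wording "keep the TLS version defaults unchanged" says nothing about re-enabling SSL 3.0, and the removed inner lines show the 3.19.1 base had deliberately raised the floor to TLS 1.0, so this looks like an unintended side effect of rebasing the patch rather than a decision. If the intent is only to keep TLS 1.2 off by default, keep the base's minimum and change only the maximum: `+ SSL_LIBRARY_VERSION_TLS_1_0,` followed by `+ SSL_LIBRARY_VERSION_TLS_1_0`, dropping the 3_0 line from the `++` side. Whichever range is intended, the patch header should state it explicitly, since every consumer that relies on the library default instead of calling SSL_VersionRangeSet inherits whether SSL 3.0 is negotiable.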
@@ -0,0 +1,47 @@
+diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.min_key_sizes 2015-06-08 11:38:41.154472496 -0700
++++ nss/lib/ssl/ssl3con.c 2015-06-08 11:43:45.538294127 -0700
+@@ -6743,7 +6743,7 @@ ssl3_HandleServerKeyExchange(sslSocket *
+ goto loser; /* malformed. */
+ }
+ dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
+- if (dh_p_bits < DH_MIN_P_BITS) {
++ if (dh_p_bits < SSL_DH_MIN_P_BITS) {
+ errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
+ goto alert_loser;
+ }
+@@ -10056,9 +10056,12 @@ ssl3_AuthCertificate(sslSocket *ss)
+ /* We aren't checking EC here on the understanding that we only
+ * support curves we like, a decision that might need revisiting. */
+ if (((pubKeyType == rsaKey || pubKeyType == rsaPssKey ||
+- pubKeyType == rsaOaepKey) && ss->sec.authKeyBits < 1023) ||
+- (pubKeyType == dsaKey && ss->sec.authKeyBits < DSA_MIN_P_BITS) ||
+- (pubKeyType == dhKey && ss->sec.authKeyBits < DH_MIN_P_BITS)) {
++ pubKeyType == rsaOaepKey) &&
++ ss->sec.authKeyBits < SSL_RSA_MIN_MODULUS_BITS) ||
++ (pubKeyType == dsaKey &&
++ ss->sec.authKeyBits < SSL_DSA_MIN_P_BITS) ||
++ (pubKeyType == dhKey &&
++ ss->sec.authKeyBits < SSL_DH_MIN_P_BITS)) {
+ PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);
+ (void)SSL3_SendAlert(ss, alert_fatal,
+ ss->version >= SSL_LIBRARY_VERSION_TLS_1_0
+diff -up nss/lib/ssl/sslimpl.h.min_key_sizes nss/lib/ssl/sslimpl.h
+--- nss/lib/ssl/sslimpl.h.min_key_sizes 2015-06-08 11:39:30.287475197 -0700
++++ nss/lib/ssl/sslimpl.h 2015-06-08 11:46:14.262275334 -0700
+@@ -153,6 +153,15 @@ typedef enum { SSLAppOpRead = 0,
+ 
+ #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
+ 
++/* The minimum server key sizes accepted by the clients.
++ * Not 1024 to be conservative. */
++#define SSL_RSA_MIN_MODULUS_BITS 1023
++/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
++ * only 1023 bits and similar.
We don't have good data on whether this ++ * happens because NSS used to count bit lengths incorrectly. */ ++#define SSL_DH_MIN_P_BITS 768 ++#define SSL_DSA_MIN_P_BITS 1023 ++ + #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/ + #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */ + #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */ diff --git a/SOURCES/syntaxfix.patch b/SOURCES/syntaxfix.patch deleted file mode 100644 index 91603a4..0000000 --- a/SOURCES/syntaxfix.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/tests/all.sh b/tests/all.sh ---- a/tests/all.sh -+++ b/tests/all.sh -@@ -297,17 +297,17 @@ fi - - # NOTE: - # Since in make at the top level, modutil is the last file - # created, we check for modutil to know whether the build - # is complete. If a new file is created after that, the - # following test for modutil should check for that instead. - # Exception: when building softoken only, shlibsign is the - # last file created. --if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then -+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then - LAST_FILE_BUILT=shlibsign - else - LAST_FILE_BUILT=modutil - fi - - if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then - echo "Build Incomplete. Aborting test." >> ${LOGFILE} - html_head "Testing Initialization" diff --git a/SPECS/nss.spec b/SPECS/nss.spec index e7ec2d8..6447fc5 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,8 +1,10 @@ %global nspr_version 4.10.8 -%global nss_util_version 3.18.0 +%global nss_util_version 3.19.1 # adjust to the version that gets submitted for FIPS validation %global nss_softokn_fips_version 3.16.2 %global nss_softokn_version 3.16.2.3 +%global required_softokn_build_version -9 + %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" 
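Review bot: The comment placed directly above `SSL_DH_MIN_P_BITS` in the sslimpl.h hunk argues for 1023 ("1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be only 1023 bits"), but the define that follows it is `#define SSL_DH_MIN_P_BITS 768`, so the comment and the value contradict each other and the next reader cannot tell which one is the intended floor. 768 is also well below the 1023 this same hunk sets for `SSL_RSA_MIN_MODULUS_BITS` and `SSL_DSA_MIN_P_BITS`, and the replaced `if (dh_p_bits < DH_MIN_P_BITS)` line in ssl3_HandleServerKeyExchange suggests it is below the base tree's own floor as well (that value is not visible here); since sub-1024-bit ephemeral DH groups are generally considered within reach of well-resourced attackers, a deliberate relaxation needs its rationale recorded where the constant lives. Suggest keeping the p = 2q+1 remark with the 1023 constants and giving the DH define its own comment, e.g. `/* 768 rather than the 1023 used for RSA/DSA: presumably an interoperability floor for servers still offering short DHE groups -- confirm, and track raising it. */`. Both ssl3con.c hunks are excerpts whose enclosing functions start and end outside the hunk.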
@@ -20,15 +22,15 @@ Summary: Network Security Services Name: nss -Version: 3.18.0 -Release: 2.2%{?dist} +Version: 3.19.1 +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries Requires: nspr >= %{nspr_version} Requires: nss-util >= %{nss_util_version} # TODO: revert to same version as nss once we are done with the merge -Requires: nss-softokn%{_isa} >= %{nss_softokn_version} +Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{required_softokn_build_version} Requires: nss-system-init Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives @@ -36,7 +38,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: nspr-devel >= %{nspr_version} # TODO: revert to same version as nss once we are done with the merge # Using '>=' but on RHEL the requires should be '=' -BuildRequires: nss-softokn-devel >= %{nss_softokn_version} +BuildRequires: nss-softokn-devel >= %{nss_softokn_version}%{required_softokn_build_version} BuildRequires: nss-util-devel >= %{nss_util_version} BuildRequires: sqlite-devel BuildRequires: zlib-devel @@ -100,14 +102,9 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch Patch55: enable-fips-when-system-is-in-fips-mode.patch # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677 Patch56: p-ignore-setpolicy.patch -# Update the root CA list to 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1) -Patch91: nss-3.18.1-ca-2.3-to-2.4.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037 -Patch95: expired-cert.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1153994 -Patch96: syntaxfix.patch # Patch to keep the TLS protocol versions that are enabled by default Patch98: nss-revert-tls-version-defaults.patch +Patch99: ssl-server-min-key-sizes.patch %description Network Security Services (NSS) is a set of libraries designed to 
@@ -205,13 +202,8 @@ pushd nss popd %patch55 -p0 -b .852023 %patch56 -p0 -b .1026677 -%patch91 -p1 -b .pre-ca-2.4 -pushd nss -%patch95 -p1 -b .renewed_paypal_cert -%patch96 -p1 -b .syntax_fix -# attention, reverting patch98, keep -R -%patch98 -p1 -R -b .keep_tls_default -popd +%patch98 -p0 -b .keep_tls_default +%patch99 -p0 -b .min_key_sizes ######################################################### # Higher-level libraries and test tools need access to @@ -224,7 +216,7 @@ for file in ${pemNeedsFromSoftoken}; do %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/ done -# Copying these header util the upstream bug is accepted +# Copying these header until the upstream bug is accepted # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf @@ -792,6 +784,18 @@ fi %changelog +* Wed Jun 10 2015 Elio Maldonado - 3.19.1-3 +- Reenable a patch that had been mistakenly disabled +- Resolves: Bug 1224451 + +* Wed Jun 10 2015 Elio Maldonado - 3.19.1-2 +- Build against nss-softokn-3.16.2.3-9 +- Resolves: Bug 1224451 + +* Fri Jun 05 2015 Elio Maldonado - 3.19.1-1 +- Rebase to nss-3.19.1 +- Resolves: Bug 1224451 + * Tue Apr 28 2015 Kai Engert - 3.18.0-2.2 - On RHEL 7.1 keep the TLS version defaults unchanged.