diff --git a/.gitignore b/.gitignore index 2eebac8..63bb458 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ SOURCES/PayPalEE.cert SOURCES/PayPalICA.cert +SOURCES/TestOldCA.p12 SOURCES/blank-cert8.db SOURCES/blank-cert9.db SOURCES/blank-key3.db diff --git a/.nss.metadata b/.nss.metadata index cf37dcc..17a1a7d 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -1,5 +1,6 @@ 83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert +706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index 5c1ed4c..4908c00 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch @@ -1,6 +1,6 @@ diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile ---- ./nss/cmd/certutil/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/certutil/Makefile 2016-02-06 08:03:25.509936899 -0800 +--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200 @@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -12,8 +12,8 @@ diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile ---- ./nss/cmd/httpserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/httpserv/Makefile 2016-02-06 08:00:39.403191706 -0800 +--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200 @@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -25,8 +25,8 @@ diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile ---- ./nss/cmd/lib/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/lib/Makefile 2016-02-06 08:00:39.403191706 -0800 +--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -38,9 +38,22 @@ diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile ---- ./nss/cmd/modutil/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/modutil/Makefile 2016-02-06 08:00:39.403191706 -0800 -@@ -41,7 +41,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk +--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile +--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200 ++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -51,8 +64,8 @@ diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile ---- ./nss/cmd/selfserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/selfserv/Makefile 2016-02-06 08:00:39.403191706 -0800 +--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200 @@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -64,8 +77,8 @@ diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile ---- ./nss/cmd/ssltap/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/ssltap/Makefile 2016-02-06 08:04:21.595228841 -0800 +--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200 @@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -77,8 +90,8 @@ diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile ---- ./nss/cmd/strsclnt/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/strsclnt/Makefile 2016-02-06 08:00:39.404191687 -0800 +--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -90,8 +103,8 @@ diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile ---- ./nss/cmd/tstclnt/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/tstclnt/Makefile 2016-02-06 08:04:40.506961353 -0800 +--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### @@ -102,8 +115,8 @@ diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile ---- ./nss/cmd/vfyserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/vfyserv/Makefile 2016-02-06 08:04:55.758745631 -0800 +--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### @@ -114,8 +127,8 @@ diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk ---- ./nss/coreconf/location.mk.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/coreconf/location.mk 2016-02-06 08:00:39.404191687 -0800 +--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200 @@ -45,6 +45,10 @@ endif ifdef NSS_INCLUDE_DIR @@ -127,9 +140,21 @@ diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk endif ifndef NSS_LIB_DIR +diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile +--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200 +@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile ---- ./nss/lib/certhigh/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/certhigh/Makefile 2016-02-06 08:00:39.404191687 -0800 +--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -140,8 +165,8 @@ diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile ---- ./nss/lib/cryptohi/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/cryptohi/Makefile 2016-02-06 08:00:39.404191687 -0800 +--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -152,8 +177,8 @@ diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile ---- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/libpkix/pkix/checker/Makefile 2016-02-06 08:05:24.277342263 -0800 +--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -165,8 +190,8 @@ diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/c ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile ---- ./nss/lib/nss/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/nss/Makefile 2016-02-06 08:00:39.404191687 -0800 +--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200 @@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -177,26 +202,27 @@ diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile ---- ./nss/lib/ssl/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/lib/ssl/Makefile 2016-02-06 08:00:39.404191687 -0800 -@@ -49,6 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk +diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile +--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200 ++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200 +@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### +- +INCLUDES += -iquote $(DIST)/../public/nss - ++INCLUDES += -iquote $(DIST)/../private/nss ####################################################################### -diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile ---- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-18 21:51:23.746893964 -0500 -+++ ./nss/gtests/ssl_gtest/Makefile 2016-02-18 21:52:32.825583479 -0500 -@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile +--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### +INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss + ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # diff --git a/SOURCES/nss-pk12util-faulty-aes.patch b/SOURCES/nss-pk12util-faulty-aes.patch new file mode 100644 index 0000000..c6d22cc --- /dev/null +++ b/SOURCES/nss-pk12util-faulty-aes.patch @@ -0,0 +1,43 @@ +From 0615bf4ad6c7e07cc1b7dee4bded01fe8974ad0b Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 27 Sep 2017 11:11:10 +0200 +Subject: [PATCH] pk11wrap: Add backward compatibility with faulty PBES2 AES + schemes + +--- + lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c +index bea9333f6..5f68f399e 100644 +--- a/lib/pk11wrap/pk11pbe.c ++++ b/lib/pk11wrap/pk11pbe.c +@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) + cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); + + if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { +- length = sec_pkcs5v2_aes_key_length(cipherAlg); ++ /* Previously, the PKCS#12 files created with the old NSS ++ * releases encoded the maximum key size of AES (that is 32) ++ * in the keyLength field of PBKDF2-params. That resulted in ++ * always performing AES-256 even if AES-128-CBC or ++ * AES-192-CBC is specified in the encryptionScheme field of ++ * PBES2-params. This is wrong, but for compatibility reasons, ++ * check the keyLength field and use the value if it is 32. ++ */ ++ if (p5_param.keyLength.data != NULL) { ++ length = DER_GetInteger(&p5_param.keyLength); ++ } ++ /* If the keyLength field is present and contains a value ++ * other than 32, that means the file is created outside of ++ * NSS, which we don't care about. Note that the following ++ * also handles the case when the field is absent. */ ++ if (length != 32) { ++ length = sec_pkcs5v2_aes_key_length(cipherAlg); ++ } + } else if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); + } else { +-- +2.13.5 + diff --git a/SOURCES/nss-pk12util-force-unicode.patch b/SOURCES/nss-pk12util-force-unicode.patch new file mode 100644 index 0000000..8aba8e7 --- /dev/null +++ b/SOURCES/nss-pk12util-force-unicode.patch @@ -0,0 +1,408 @@ +diff -up nss/cmd/pk12util/pk12util.c.pk12util-force-unicode nss/cmd/pk12util/pk12util.c +--- nss/cmd/pk12util/pk12util.c.pk12util-force-unicode 2017-09-21 09:49:22.371039588 +0200 ++++ nss/cmd/pk12util/pk12util.c 2017-09-21 09:49:22.389039181 +0200 +@@ -23,6 +23,7 @@ + static char *progName; + PRBool pk12_debugging = PR_FALSE; + PRBool dumpRawFile; ++static PRBool pk12uForceUnicode; + + PRIntn pk12uErrno = 0; + +@@ -357,6 +358,7 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha + SECItem p12file = { 0 }; + SECStatus rv = SECFailure; + PRBool swapUnicode = PR_FALSE; ++ PRBool forceUnicode = pk12uForceUnicode; + PRBool trypw; + int error; + +@@ -424,6 +426,18 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha + SEC_PKCS12DecoderFinish(p12dcx); + uniPwp->len = 0; + trypw = PR_TRUE; ++ } else if (forceUnicode == pk12uForceUnicode) { ++ /* try again with a different password encoding */ ++ forceUnicode = !pk12uForceUnicode; ++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, ++ forceUnicode); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "PKCS12 decoding failed to set option"); ++ pk12uErrno = PK12UERR_DECODEVERIFY; ++ break; ++ } ++ SEC_PKCS12DecoderFinish(p12dcx); ++ trypw = PR_TRUE; + } else { + SECU_PrintError(progName, "PKCS12 decode not verified"); + pk12uErrno = PK12UERR_DECODEVERIFY; +@@ -431,6 +445,15 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha + } + } + } while (trypw == PR_TRUE); ++ ++ /* revert the option setting */ ++ if (forceUnicode != pk12uForceUnicode) { ++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "PKCS12 decoding failed to set option"); ++ pk12uErrno = PK12UERR_DECODEVERIFY; ++ } ++ } + /* rv has been set at this point */ + + done: +@@ -470,6 +493,8 @@ P12U_ImportPKCS12Object(char *in_file, P + { + SEC_PKCS12DecoderContext *p12dcx = NULL; + SECItem uniPwitem = { 0 }; ++ PRBool forceUnicode = pk12uForceUnicode; ++ PRBool trypw; + SECStatus rv = SECFailure; + + rv = P12U_InitSlot(slot, slotPw); +@@ -480,31 +505,62 @@ P12U_ImportPKCS12Object(char *in_file, P + return rv; + } + +- rv = SECFailure; +- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); ++ do { ++ trypw = PR_FALSE; /* normally we do this once */ ++ rv = SECFailure; ++ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); + +- if (p12dcx == NULL) { +- goto loser; +- } ++ if (p12dcx == NULL) { ++ goto loser; ++ } + +- /* make sure the bags are okey dokey -- nicknames correct, etc. */ +- rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); +- if (rv != SECSuccess) { +- if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { +- pk12uErrno = PK12UERR_CERTALREADYEXISTS; +- } else { +- pk12uErrno = PK12UERR_DECODEVALIBAGS; ++ /* make sure the bags are okey dokey -- nicknames correct, etc. */ ++ rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); ++ if (rv != SECSuccess) { ++ if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { ++ pk12uErrno = PK12UERR_CERTALREADYEXISTS; ++ } else { ++ pk12uErrno = PK12UERR_DECODEVALIBAGS; ++ } ++ SECU_PrintError(progName, "PKCS12 decode validate bags failed"); ++ goto loser; + } +- SECU_PrintError(progName, "PKCS12 decode validate bags failed"); +- goto loser; +- } + +- /* stuff 'em in */ +- rv = SEC_PKCS12DecoderImportBags(p12dcx); +- if (rv != SECSuccess) { +- SECU_PrintError(progName, "PKCS12 decode import bags failed"); +- pk12uErrno = PK12UERR_DECODEIMPTBAGS; +- goto loser; ++ /* stuff 'em in */ ++ if (forceUnicode != pk12uForceUnicode) { ++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, ++ forceUnicode); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "PKCS12 decode set option failed"); ++ pk12uErrno = PK12UERR_DECODEIMPTBAGS; ++ goto loser; ++ } ++ } ++ rv = SEC_PKCS12DecoderImportBags(p12dcx); ++ if (rv != SECSuccess) { ++ if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY && ++ forceUnicode == pk12uForceUnicode) { ++ /* try again with a different password encoding */ ++ forceUnicode = !pk12uForceUnicode; ++ SEC_PKCS12DecoderFinish(p12dcx); ++ SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); ++ trypw = PR_TRUE; ++ } else { ++ SECU_PrintError(progName, "PKCS12 decode import bags failed"); ++ pk12uErrno = PK12UERR_DECODEIMPTBAGS; ++ goto loser; ++ } ++ } ++ } while (trypw); ++ ++ /* revert the option setting */ ++ if (forceUnicode != pk12uForceUnicode) { ++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "PKCS12 decode set option failed"); ++ pk12uErrno = PK12UERR_DECODEIMPTBAGS; ++ goto loser; ++ } + } + + fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName); +@@ -951,6 +1007,7 @@ main(int argc, char **argv) + int keyLen = 0; + int certKeyLen = 0; + secuCommand pk12util; ++ PRInt32 forceUnicode; + + #ifdef _CRTDBG_MAP_ALLOC + _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); +@@ -982,6 +1039,14 @@ main(int argc, char **argv) + Usage(progName); + } + ++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, ++ "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option"); ++ Usage(progName); ++ } ++ pk12uForceUnicode = forceUnicode; ++ + slotname = SECU_GetOptionArg(&pk12util, opt_TokenName); + + import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List) +diff -up nss/lib/nss/nss.h.pk12util-force-unicode nss/lib/nss/nss.h +--- nss/lib/nss/nss.h.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200 ++++ nss/lib/nss/nss.h 2017-09-21 09:49:22.387039226 +0200 +@@ -291,6 +291,15 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu + #define NSS_DTLS_VERSION_MIN_POLICY 0x00a + #define NSS_DTLS_VERSION_MAX_POLICY 0x00b + ++/* Until NSS 3.30, the PKCS#12 implementation used BMPString encoding ++ * for all passwords. This changed to use UTF-8 for non-PKCS#12 PBEs ++ * in NSS 3.31. ++ * ++ * For backward compatibility, this option reverts the behavior to the ++ * old NSS versions. This option might be removed in the future NSS ++ * releases; don't rely on it. */ ++#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c ++ + /* + * Set and get global options for the NSS library. + */ +diff -up nss/lib/nss/nssoptions.c.pk12util-force-unicode nss/lib/nss/nssoptions.c +--- nss/lib/nss/nssoptions.c.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200 ++++ nss/lib/nss/nssoptions.c 2017-09-21 09:49:22.387039226 +0200 +@@ -23,6 +23,7 @@ struct nssOps { + PRInt32 tlsVersionMaxPolicy; + PRInt32 dtlsVersionMinPolicy; + PRInt32 dtlsVersionMaxPolicy; ++ PRInt32 pkcs12DecodeForceUnicode; + }; + + static struct nssOps nss_ops = { +@@ -33,6 +34,7 @@ static struct nssOps nss_ops = { + 0xffff, /* set TLS max to more than the largest legal SSL value */ + 1, + 0xffff, ++ PR_FALSE + }; + + SECStatus +@@ -62,6 +64,9 @@ NSS_OptionSet(PRInt32 which, PRInt32 val + case NSS_DTLS_VERSION_MAX_POLICY: + nss_ops.dtlsVersionMaxPolicy = value; + break; ++ case __NSS_PKCS12_DECODE_FORCE_UNICODE: ++ nss_ops.pkcs12DecodeForceUnicode = value; ++ break; + default: + rv = SECFailure; + } +@@ -96,6 +101,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va + case NSS_DTLS_VERSION_MAX_POLICY: + *value = nss_ops.dtlsVersionMaxPolicy; + break; ++ case __NSS_PKCS12_DECODE_FORCE_UNICODE: ++ *value = nss_ops.pkcs12DecodeForceUnicode; ++ break; + default: + rv = SECFailure; + } +diff -up nss/lib/pkcs12/p12d.c.pk12util-force-unicode nss/lib/pkcs12/p12d.c +--- nss/lib/pkcs12/p12d.c.pk12util-force-unicode 2017-09-21 09:49:22.374039520 +0200 ++++ nss/lib/pkcs12/p12d.c 2017-09-21 09:49:22.388039203 +0200 +@@ -3,6 +3,7 @@ + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "nssrenam.h" ++#include "nss.h" + #include "p12t.h" + #include "p12.h" + #include "plarena.h" +@@ -126,6 +127,7 @@ struct SEC_PKCS12DecoderContextStr { + SECKEYGetPasswordKey pwfn; + void *pwfnarg; + PRBool swapUnicodeBytes; ++ PRBool forceUnicode; + + /* import information */ + PRBool bagsVerified; +@@ -192,8 +194,18 @@ sec_pkcs12_decoder_get_decrypt_key(void + } + + algorithm = SECOID_GetAlgorithmTag(algid); +- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) +- return NULL; ++ ++ if (p12dcx->forceUnicode) { ++ if (SECITEM_CopyItem(NULL, &pwitem, p12dcx->pwitem) != SECSuccess) { ++ PK11_FreeSlot(slot); ++ return NULL; ++ } ++ } else { ++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) { ++ PK11_FreeSlot(slot); ++ return NULL; ++ } ++ } + + bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); + /* some tokens can't generate PBE keys on their own, generate the +@@ -1164,6 +1176,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, + { + SEC_PKCS12DecoderContext *p12dcx; + PLArenaPool *arena; ++ PRInt32 forceUnicode = PR_FALSE; ++ SECStatus rv; + + arena = PORT_NewArena(2048); /* different size? */ + if (!arena) { +@@ -1196,6 +1210,11 @@ SEC_PKCS12DecoderStart(SECItem *pwitem, + #else + p12dcx->swapUnicodeBytes = PR_FALSE; + #endif ++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); ++ if (rv != SECSuccess) { ++ goto loser; ++ } ++ p12dcx->forceUnicode = forceUnicode; + p12dcx->errorValue = 0; + p12dcx->error = PR_FALSE; + +@@ -2428,7 +2447,7 @@ sec_pkcs12_get_public_value_and_type(SEC + static SECStatus + sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, + unsigned int keyUsage, +- SECItem *nickName, void *wincx) ++ SECItem *nickName, PRBool forceUnicode, void *wincx) + { + SECStatus rv; + SECItem *publicValue = NULL; +@@ -2466,9 +2485,21 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke + &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; + SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); + +- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, +- key->pwitem)) +- return SECFailure; ++ if (forceUnicode) { ++ if (SECITEM_CopyItem(NULL, &pwitem, key->pwitem) != SECSuccess) { ++ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; ++ key->problem = PR_TRUE; ++ return SECFailure; ++ } ++ } else { ++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, ++ key->pwitem)) { ++ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY; ++ key->problem = PR_TRUE; ++ return SECFailure; ++ } ++ } ++ + rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, + key->safeBagContent.pkcs8ShroudedKeyBag, + &pwitem, nickName, publicValue, +@@ -2923,7 +2954,8 @@ sec_pkcs12_get_public_value_and_type(SEC + * two passes in sec_pkcs12_validate_bags. + */ + static SECStatus +-sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx) ++sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, PRBool forceUnicode, ++ void *wincx) + { + sec_PKCS12SafeBag **keyList; + int i; +@@ -2976,7 +3008,8 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa + key->problem = PR_TRUE; + rv = SECFailure; + } else { +- rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx); ++ rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, ++ forceUnicode, wincx); + } + if (pubKey) { + SECKEY_DestroyPublicKey(pubKey); +@@ -3053,6 +3086,9 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa + SECStatus + SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx) + { ++ PRBool forceUnicode = PR_FALSE; ++ SECStatus rv; ++ + if (!p12dcx || p12dcx->error) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -3062,7 +3098,16 @@ SEC_PKCS12DecoderImportBags(SEC_PKCS12De + return SECFailure; + } + +- return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx); ++ /* We need to check the option here as well as in ++ * SEC_PKCS12DecoderStart, because different PBE's could be used ++ * for PKCS #7 and PKCS #8 */ ++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); ++ if (rv != SECSuccess) { ++ return SECFailure; ++ } ++ ++ return sec_pkcs12_install_bags(p12dcx->safeBags, forceUnicode, ++ p12dcx->wincx); + } + + PRBool +diff -up nss/tests/tools/tools.sh.pk12util-force-unicode nss/tests/tools/tools.sh +--- nss/tests/tools/tools.sh.pk12util-force-unicode 2017-09-21 09:49:22.373039542 +0200 ++++ nss/tests/tools/tools.sh 2017-09-21 09:50:06.593062871 +0200 +@@ -106,6 +106,8 @@ tools_init() + cp ${ALICEDIR}/* ${SIGNDIR}/ + mkdir -p ${TOOLSDIR}/html + cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html ++ mkdir -p ${TOOLSDIR}/data ++ cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data + + cd ${TOOLSDIR} + } +@@ -398,6 +400,16 @@ tools_p12_export_list_import_with_defaul + fi + } + ++tools_p12_import_old_files() ++{ ++ echo "$SCRIPTNAME: Importing CA cert & key created with NSS 3.21 --------------" ++ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" ++ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 ++ ret=$? ++ html_msg $ret 0 "Importing CA cert & key created with NSS 3.21" ++ check_tmpfile ++} ++ + ############################## tools_p12 ############################### + # local shell function to test basic functionality of pk12util + ######################################################################## +@@ -408,6 +420,7 @@ tools_p12() + tools_p12_export_list_import_all_pkcs5pbe_ciphers + tools_p12_export_list_import_all_pkcs12v2pbe_ciphers + tools_p12_export_with_null_ciphers ++ tools_p12_import_old_files + } + + ############################## tools_sign ############################## diff --git a/SPECS/nss.spec b/SPECS/nss.spec index c372718..635f246 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -27,7 +27,7 @@ Summary: Network Security Services Name: nss Version: 3.28.4 -Release: 12%{?dist} +Release: 15%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -88,6 +88,7 @@ Source27: secmod.db.xml Source30: PayPalRootCA.cert Source31: PayPalICA.cert Source32: nss-rhel7.config +Source33: TestOldCA.p12 Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch @@ -155,6 +156,11 @@ Patch140: nss-ssl3gthr.patch Patch141: nss-sysinit-getenv.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618 Patch142: nss-transcript.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867 +Patch143: nss-pk12util-force-unicode.patch +# Not upstreamed yet: +# https://bugzilla.redhat.com/show_bug.cgi?id=1493911 +Patch144: nss-pk12util-faulty-aes.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -231,6 +237,7 @@ low level services. %{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs %{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs %{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE33} -f ./nss/tests/tools %setup -q -T -D -n %{name}-%{version} %patch2 -p0 -b .relro @@ -269,6 +276,8 @@ pushd nss %patch140 -p1 -b .ssl3gthr %patch141 -p1 -b .sysinit-getenv %patch142 -p1 -b .transcript +%patch143 -p1 -b .pk12util-force-unicode +%patch144 -p1 -b .pk12util-faulty-aes popd ######################################################### @@ -859,6 +868,15 @@ fi %changelog +* Wed Sep 27 2017 Daiki Ueno - 3.28.4-15 +- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption + +* Thu Sep 21 2017 Daiki Ueno - 3.28.4-14 +- Update iquote.patch to prefer nss.h from the source + +* Wed Sep 20 2017 Daiki Ueno - 3.28.4-13 +- Add backward compatibility to pk12util regarding password encoding + * Fri Aug 4 2017 Daiki Ueno - 3.28.4-12 - Backport patch to simplify transcript calculation for CertificateVerify