diff --git a/.gitignore b/.gitignore
index 2eebac8..63bb458 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
SOURCES/PayPalEE.cert
SOURCES/PayPalICA.cert
+SOURCES/TestOldCA.p12
SOURCES/blank-cert8.db
SOURCES/blank-cert9.db
SOURCES/blank-key3.db
diff --git a/.nss.metadata b/.nss.metadata
index cf37dcc..17a1a7d 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,5 +1,6 @@
83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert
a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
+706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 5c1ed4c..4908c00 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -1,6 +1,6 @@
diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/certutil/Makefile 2016-02-06 08:03:25.509936899 -0800
+--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -12,8 +12,8 @@ diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
---- ./nss/cmd/httpserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/httpserv/Makefile 2016-02-06 08:00:39.403191706 -0800
+--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -25,8 +25,8 @@ diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/lib/Makefile 2016-02-06 08:00:39.403191706 -0800
+--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -38,9 +38,22 @@ diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/modutil/Makefile 2016-02-06 08:00:39.403191706 -0800
-@@ -41,7 +41,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile
+--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200
++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -51,8 +64,8 @@ diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/selfserv/Makefile 2016-02-06 08:00:39.403191706 -0800
+--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -64,8 +77,8 @@ diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/ssltap/Makefile 2016-02-06 08:04:21.595228841 -0800
+--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200
@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -77,8 +90,8 @@ diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/strsclnt/Makefile 2016-02-06 08:00:39.404191687 -0800
+--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -90,8 +103,8 @@ diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/tstclnt/Makefile 2016-02-06 08:04:40.506961353 -0800
+--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
@@ -102,8 +115,8 @@ diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/vfyserv/Makefile 2016-02-06 08:04:55.758745631 -0800
+--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
@@ -114,8 +127,8 @@ diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/coreconf/location.mk 2016-02-06 08:00:39.404191687 -0800
+--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200
@@ -45,6 +45,10 @@ endif
ifdef NSS_INCLUDE_DIR
@@ -127,9 +140,21 @@ diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
endif
ifndef NSS_LIB_DIR
+diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
+--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200
+@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/certhigh/Makefile 2016-02-06 08:00:39.404191687 -0800
+--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -140,8 +165,8 @@ diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/cryptohi/Makefile 2016-02-06 08:00:39.404191687 -0800
+--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -152,8 +177,8 @@ diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
---- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/libpkix/pkix/checker/Makefile 2016-02-06 08:05:24.277342263 -0800
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -165,8 +190,8 @@ diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/c
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/nss/Makefile 2016-02-06 08:00:39.404191687 -0800
+--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -177,26 +202,27 @@ diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote 2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/lib/ssl/Makefile 2016-02-06 08:00:39.404191687 -0800
-@@ -49,6 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile
+--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200
++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
+-
+INCLUDES += -iquote $(DIST)/../public/nss
-
++INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
-diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
---- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-18 21:51:23.746893964 -0500
-+++ ./nss/gtests/ssl_gtest/Makefile 2016-02-18 21:52:32.825583479 -0500
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
+
#######################################################################
- # (7) Execute "local" rules. (OPTIONAL). #
diff --git a/SOURCES/nss-pk12util-faulty-aes.patch b/SOURCES/nss-pk12util-faulty-aes.patch
new file mode 100644
index 0000000..c6d22cc
--- /dev/null
+++ b/SOURCES/nss-pk12util-faulty-aes.patch
@@ -0,0 +1,43 @@
+From 0615bf4ad6c7e07cc1b7dee4bded01fe8974ad0b Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 27 Sep 2017 11:11:10 +0200
+Subject: [PATCH] pk11wrap: Add backward compatibility with faulty PBES2 AES
+ schemes
+
+---
+ lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
+index bea9333f6..5f68f399e 100644
+--- a/lib/pk11wrap/pk11pbe.c
++++ b/lib/pk11wrap/pk11pbe.c
+@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
+ cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
+
+ if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
+- length = sec_pkcs5v2_aes_key_length(cipherAlg);
++ /* Previously, the PKCS#12 files created with the old NSS
++ * releases encoded the maximum key size of AES (that is 32)
++ * in the keyLength field of PBKDF2-params. That resulted in
++ * always performing AES-256 even if AES-128-CBC or
++ * AES-192-CBC is specified in the encryptionScheme field of
++ * PBES2-params. This is wrong, but for compatibility reasons,
++ * check the keyLength field and use the value if it is 32.
++ */
++ if (p5_param.keyLength.data != NULL) {
++ length = DER_GetInteger(&p5_param.keyLength);
++ }
++ /* If the keyLength field is present and contains a value
++ * other than 32, that means the file is created outside of
++ * NSS, which we don't care about. Note that the following
++ * also handles the case when the field is absent. */
++ if (length != 32) {
++ length = sec_pkcs5v2_aes_key_length(cipherAlg);
++ }
+ } else if (p5_param.keyLength.data != NULL) {
+ length = DER_GetInteger(&p5_param.keyLength);
+ } else {
+--
+2.13.5
+
diff --git a/SOURCES/nss-pk12util-force-unicode.patch b/SOURCES/nss-pk12util-force-unicode.patch
new file mode 100644
index 0000000..8aba8e7
--- /dev/null
+++ b/SOURCES/nss-pk12util-force-unicode.patch
@@ -0,0 +1,408 @@
+diff -up nss/cmd/pk12util/pk12util.c.pk12util-force-unicode nss/cmd/pk12util/pk12util.c
+--- nss/cmd/pk12util/pk12util.c.pk12util-force-unicode 2017-09-21 09:49:22.371039588 +0200
++++ nss/cmd/pk12util/pk12util.c 2017-09-21 09:49:22.389039181 +0200
+@@ -23,6 +23,7 @@
+ static char *progName;
+ PRBool pk12_debugging = PR_FALSE;
+ PRBool dumpRawFile;
++static PRBool pk12uForceUnicode;
+
+ PRIntn pk12uErrno = 0;
+
+@@ -357,6 +358,7 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
+ SECItem p12file = { 0 };
+ SECStatus rv = SECFailure;
+ PRBool swapUnicode = PR_FALSE;
++ PRBool forceUnicode = pk12uForceUnicode;
+ PRBool trypw;
+ int error;
+
+@@ -424,6 +426,18 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
+ SEC_PKCS12DecoderFinish(p12dcx);
+ uniPwp->len = 0;
+ trypw = PR_TRUE;
++ } else if (forceUnicode == pk12uForceUnicode) {
++ /* try again with a different password encoding */
++ forceUnicode = !pk12uForceUnicode;
++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
++ forceUnicode);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
++ pk12uErrno = PK12UERR_DECODEVERIFY;
++ break;
++ }
++ SEC_PKCS12DecoderFinish(p12dcx);
++ trypw = PR_TRUE;
+ } else {
+ SECU_PrintError(progName, "PKCS12 decode not verified");
+ pk12uErrno = PK12UERR_DECODEVERIFY;
+@@ -431,6 +445,15 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
+ }
+ }
+ } while (trypw == PR_TRUE);
++
++ /* revert the option setting */
++ if (forceUnicode != pk12uForceUnicode) {
++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
++ pk12uErrno = PK12UERR_DECODEVERIFY;
++ }
++ }
+ /* rv has been set at this point */
+
+ done:
+@@ -470,6 +493,8 @@ P12U_ImportPKCS12Object(char *in_file, P
+ {
+ SEC_PKCS12DecoderContext *p12dcx = NULL;
+ SECItem uniPwitem = { 0 };
++ PRBool forceUnicode = pk12uForceUnicode;
++ PRBool trypw;
+ SECStatus rv = SECFailure;
+
+ rv = P12U_InitSlot(slot, slotPw);
+@@ -480,31 +505,62 @@ P12U_ImportPKCS12Object(char *in_file, P
+ return rv;
+ }
+
+- rv = SECFailure;
+- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
++ do {
++ trypw = PR_FALSE; /* normally we do this once */
++ rv = SECFailure;
++ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
+
+- if (p12dcx == NULL) {
+- goto loser;
+- }
++ if (p12dcx == NULL) {
++ goto loser;
++ }
+
+- /* make sure the bags are okey dokey -- nicknames correct, etc. */
+- rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
+- if (rv != SECSuccess) {
+- if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
+- pk12uErrno = PK12UERR_CERTALREADYEXISTS;
+- } else {
+- pk12uErrno = PK12UERR_DECODEVALIBAGS;
++ /* make sure the bags are okey dokey -- nicknames correct, etc. */
++ rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
++ if (rv != SECSuccess) {
++ if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
++ pk12uErrno = PK12UERR_CERTALREADYEXISTS;
++ } else {
++ pk12uErrno = PK12UERR_DECODEVALIBAGS;
++ }
++ SECU_PrintError(progName, "PKCS12 decode validate bags failed");
++ goto loser;
+ }
+- SECU_PrintError(progName, "PKCS12 decode validate bags failed");
+- goto loser;
+- }
+
+- /* stuff 'em in */
+- rv = SEC_PKCS12DecoderImportBags(p12dcx);
+- if (rv != SECSuccess) {
+- SECU_PrintError(progName, "PKCS12 decode import bags failed");
+- pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+- goto loser;
++ /* stuff 'em in */
++ if (forceUnicode != pk12uForceUnicode) {
++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
++ forceUnicode);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "PKCS12 decode set option failed");
++ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
++ goto loser;
++ }
++ }
++ rv = SEC_PKCS12DecoderImportBags(p12dcx);
++ if (rv != SECSuccess) {
++ if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY &&
++ forceUnicode == pk12uForceUnicode) {
++ /* try again with a different password encoding */
++ forceUnicode = !pk12uForceUnicode;
++ SEC_PKCS12DecoderFinish(p12dcx);
++ SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
++ trypw = PR_TRUE;
++ } else {
++ SECU_PrintError(progName, "PKCS12 decode import bags failed");
++ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
++ goto loser;
++ }
++ }
++ } while (trypw);
++
++ /* revert the option setting */
++ if (forceUnicode != pk12uForceUnicode) {
++ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "PKCS12 decode set option failed");
++ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
++ goto loser;
++ }
+ }
+
+ fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName);
+@@ -951,6 +1007,7 @@ main(int argc, char **argv)
+ int keyLen = 0;
+ int certKeyLen = 0;
+ secuCommand pk12util;
++ PRInt32 forceUnicode;
+
+ #ifdef _CRTDBG_MAP_ALLOC
+ _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
+@@ -982,6 +1039,14 @@ main(int argc, char **argv)
+ Usage(progName);
+ }
+
++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName,
++ "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option");
++ Usage(progName);
++ }
++ pk12uForceUnicode = forceUnicode;
++
+ slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
+
+ import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List)
+diff -up nss/lib/nss/nss.h.pk12util-force-unicode nss/lib/nss/nss.h
+--- nss/lib/nss/nss.h.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200
++++ nss/lib/nss/nss.h 2017-09-21 09:49:22.387039226 +0200
+@@ -291,6 +291,15 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
+ #define NSS_DTLS_VERSION_MIN_POLICY 0x00a
+ #define NSS_DTLS_VERSION_MAX_POLICY 0x00b
+
++/* Until NSS 3.30, the PKCS#12 implementation used BMPString encoding
++ * for all passwords. This changed to use UTF-8 for non-PKCS#12 PBEs
++ * in NSS 3.31.
++ *
++ * For backward compatibility, this option reverts the behavior to the
++ * old NSS versions. This option might be removed in the future NSS
++ * releases; don't rely on it. */
++#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c
++
+ /*
+ * Set and get global options for the NSS library.
+ */
+diff -up nss/lib/nss/nssoptions.c.pk12util-force-unicode nss/lib/nss/nssoptions.c
+--- nss/lib/nss/nssoptions.c.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200
++++ nss/lib/nss/nssoptions.c 2017-09-21 09:49:22.387039226 +0200
+@@ -23,6 +23,7 @@ struct nssOps {
+ PRInt32 tlsVersionMaxPolicy;
+ PRInt32 dtlsVersionMinPolicy;
+ PRInt32 dtlsVersionMaxPolicy;
++ PRInt32 pkcs12DecodeForceUnicode;
+ };
+
+ static struct nssOps nss_ops = {
+@@ -33,6 +34,7 @@ static struct nssOps nss_ops = {
+ 0xffff, /* set TLS max to more than the largest legal SSL value */
+ 1,
+ 0xffff,
++ PR_FALSE
+ };
+
+ SECStatus
+@@ -62,6 +64,9 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
+ case NSS_DTLS_VERSION_MAX_POLICY:
+ nss_ops.dtlsVersionMaxPolicy = value;
+ break;
++ case __NSS_PKCS12_DECODE_FORCE_UNICODE:
++ nss_ops.pkcs12DecodeForceUnicode = value;
++ break;
+ default:
+ rv = SECFailure;
+ }
+@@ -96,6 +101,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
+ case NSS_DTLS_VERSION_MAX_POLICY:
+ *value = nss_ops.dtlsVersionMaxPolicy;
+ break;
++ case __NSS_PKCS12_DECODE_FORCE_UNICODE:
++ *value = nss_ops.pkcs12DecodeForceUnicode;
++ break;
+ default:
+ rv = SECFailure;
+ }
+diff -up nss/lib/pkcs12/p12d.c.pk12util-force-unicode nss/lib/pkcs12/p12d.c
+--- nss/lib/pkcs12/p12d.c.pk12util-force-unicode 2017-09-21 09:49:22.374039520 +0200
++++ nss/lib/pkcs12/p12d.c 2017-09-21 09:49:22.388039203 +0200
+@@ -3,6 +3,7 @@
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ #include "nssrenam.h"
++#include "nss.h"
+ #include "p12t.h"
+ #include "p12.h"
+ #include "plarena.h"
+@@ -126,6 +127,7 @@ struct SEC_PKCS12DecoderContextStr {
+ SECKEYGetPasswordKey pwfn;
+ void *pwfnarg;
+ PRBool swapUnicodeBytes;
++ PRBool forceUnicode;
+
+ /* import information */
+ PRBool bagsVerified;
+@@ -192,8 +194,18 @@ sec_pkcs12_decoder_get_decrypt_key(void
+ }
+
+ algorithm = SECOID_GetAlgorithmTag(algid);
+- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem))
+- return NULL;
++
++ if (p12dcx->forceUnicode) {
++ if (SECITEM_CopyItem(NULL, &pwitem, p12dcx->pwitem) != SECSuccess) {
++ PK11_FreeSlot(slot);
++ return NULL;
++ }
++ } else {
++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) {
++ PK11_FreeSlot(slot);
++ return NULL;
++ }
++ }
+
+ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
+ /* some tokens can't generate PBE keys on their own, generate the
+@@ -1164,6 +1176,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem,
+ {
+ SEC_PKCS12DecoderContext *p12dcx;
+ PLArenaPool *arena;
++ PRInt32 forceUnicode = PR_FALSE;
++ SECStatus rv;
+
+ arena = PORT_NewArena(2048); /* different size? */
+ if (!arena) {
+@@ -1196,6 +1210,11 @@ SEC_PKCS12DecoderStart(SECItem *pwitem,
+ #else
+ p12dcx->swapUnicodeBytes = PR_FALSE;
+ #endif
++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
++ if (rv != SECSuccess) {
++ goto loser;
++ }
++ p12dcx->forceUnicode = forceUnicode;
+ p12dcx->errorValue = 0;
+ p12dcx->error = PR_FALSE;
+
+@@ -2428,7 +2447,7 @@ sec_pkcs12_get_public_value_and_type(SEC
+ static SECStatus
+ sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey,
+ unsigned int keyUsage,
+- SECItem *nickName, void *wincx)
++ SECItem *nickName, PRBool forceUnicode, void *wincx)
+ {
+ SECStatus rv;
+ SECItem *publicValue = NULL;
+@@ -2466,9 +2485,21 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke
+ &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm;
+ SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
+
+- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
+- key->pwitem))
+- return SECFailure;
++ if (forceUnicode) {
++ if (SECITEM_CopyItem(NULL, &pwitem, key->pwitem) != SECSuccess) {
++ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
++ key->problem = PR_TRUE;
++ return SECFailure;
++ }
++ } else {
++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
++ key->pwitem)) {
++ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
++ key->problem = PR_TRUE;
++ return SECFailure;
++ }
++ }
++
+ rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
+ key->safeBagContent.pkcs8ShroudedKeyBag,
+ &pwitem, nickName, publicValue,
+@@ -2923,7 +2954,8 @@ sec_pkcs12_get_public_value_and_type(SEC
+ * two passes in sec_pkcs12_validate_bags.
+ */
+ static SECStatus
+-sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx)
++sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, PRBool forceUnicode,
++ void *wincx)
+ {
+ sec_PKCS12SafeBag **keyList;
+ int i;
+@@ -2976,7 +3008,8 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa
+ key->problem = PR_TRUE;
+ rv = SECFailure;
+ } else {
+- rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx);
++ rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName,
++ forceUnicode, wincx);
+ }
+ if (pubKey) {
+ SECKEY_DestroyPublicKey(pubKey);
+@@ -3053,6 +3086,9 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa
+ SECStatus
+ SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
+ {
++ PRBool forceUnicode = PR_FALSE;
++ SECStatus rv;
++
+ if (!p12dcx || p12dcx->error) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+@@ -3062,7 +3098,16 @@ SEC_PKCS12DecoderImportBags(SEC_PKCS12De
+ return SECFailure;
+ }
+
+- return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
++ /* We need to check the option here as well as in
++ * SEC_PKCS12DecoderStart, because different PBE's could be used
++ * for PKCS #7 and PKCS #8 */
++ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
++ if (rv != SECSuccess) {
++ return SECFailure;
++ }
++
++ return sec_pkcs12_install_bags(p12dcx->safeBags, forceUnicode,
++ p12dcx->wincx);
+ }
+
+ PRBool
+diff -up nss/tests/tools/tools.sh.pk12util-force-unicode nss/tests/tools/tools.sh
+--- nss/tests/tools/tools.sh.pk12util-force-unicode 2017-09-21 09:49:22.373039542 +0200
++++ nss/tests/tools/tools.sh 2017-09-21 09:50:06.593062871 +0200
+@@ -106,6 +106,8 @@ tools_init()
+ cp ${ALICEDIR}/* ${SIGNDIR}/
+ mkdir -p ${TOOLSDIR}/html
+ cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
++ mkdir -p ${TOOLSDIR}/data
++ cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
+
+ cd ${TOOLSDIR}
+ }
+@@ -398,6 +400,16 @@ tools_p12_export_list_import_with_defaul
+ fi
+ }
+
++tools_p12_import_old_files()
++{
++ echo "$SCRIPTNAME: Importing CA cert & key created with NSS 3.21 --------------"
++ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
++ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
++ ret=$?
++ html_msg $ret 0 "Importing CA cert & key created with NSS 3.21"
++ check_tmpfile
++}
++
+ ############################## tools_p12 ###############################
+ # local shell function to test basic functionality of pk12util
+ ########################################################################
+@@ -408,6 +420,7 @@ tools_p12()
+ tools_p12_export_list_import_all_pkcs5pbe_ciphers
+ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+ tools_p12_export_with_null_ciphers
++ tools_p12_import_old_files
+ }
+
+ ############################## tools_sign ##############################
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index c372718..635f246 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -27,7 +27,7 @@
Summary: Network Security Services
Name: nss
Version: 3.28.4
-Release: 12%{?dist}
+Release: 15%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -88,6 +88,7 @@ Source27: secmod.db.xml
Source30: PayPalRootCA.cert
Source31: PayPalICA.cert
Source32: nss-rhel7.config
+Source33: TestOldCA.p12
Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
@@ -155,6 +156,11 @@ Patch140: nss-ssl3gthr.patch
Patch141: nss-sysinit-getenv.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
Patch142: nss-transcript.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867
+Patch143: nss-pk12util-force-unicode.patch
+# Not upstreamed yet:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1493911
+Patch144: nss-pk12util-faulty-aes.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -231,6 +237,7 @@ low level services.
%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE33} -f ./nss/tests/tools
%setup -q -T -D -n %{name}-%{version}
%patch2 -p0 -b .relro
@@ -269,6 +276,8 @@ pushd nss
%patch140 -p1 -b .ssl3gthr
%patch141 -p1 -b .sysinit-getenv
%patch142 -p1 -b .transcript
+%patch143 -p1 -b .pk12util-force-unicode
+%patch144 -p1 -b .pk12util-faulty-aes
popd
#########################################################
@@ -859,6 +868,15 @@ fi
%changelog
+* Wed Sep 27 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-15
+- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
+
+* Thu Sep 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
+- Update iquote.patch to prefer nss.h from the source
+
+* Wed Sep 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
+- Add backward compatibility to pk12util regarding password encoding
+
* Fri Aug 4 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
- Backport patch to simplify transcript calculation for CertificateVerify