diff --git a/.gitignore b/.gitignore
index dac23b7..2eebac8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,5 @@ SOURCES/key3.db.xml
 SOURCES/key4.db.xml
 SOURCES/nss-3.28.4.tar.gz
 SOURCES/nss-config.xml
-SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
 SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
index abcc374..cf37dcc 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -11,6 +11,5 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
 f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
-66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
 bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/SOURCES/disable-ems-gtests.patch b/SOURCES/disable-ems-gtests.patch
deleted file mode 100644
index 8824841..0000000
--- a/SOURCES/disable-ems-gtests.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -up nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests nss/gtests/pk11_gtest/pk11_prf_unittest.cc
---- nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests 2017-01-16 10:19:10.073459080 +0100
-+++ nss/gtests/pk11_gtest/pk11_prf_unittest.cc 2017-01-16 10:21:40.408011066 +0100
-@@ -193,37 +193,4 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
- CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
- }
-
--// Test matrix:
--//
--// DH RSA
--// TLS_PRF 1 2
--// SHA256 3 4
--TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
-- Init();
-- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF,
-- nullptr, kExpectedOutputEmsTlsPrf);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
-- Init();
-- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
-- &pms_version_, kExpectedOutputEmsTlsPrf);
-- EXPECT_EQ(0, pms_version_.major);
-- EXPECT_EQ(1, pms_version_.minor);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
-- Init();
-- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256,
-- nullptr, kExpectedOutputEmsSha256);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
-- Init();
-- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256,
-- &pms_version_, kExpectedOutputEmsSha256);
-- EXPECT_EQ(0, pms_version_.major);
-- EXPECT_EQ(1, pms_version_.minor);
--}
--
- } // namespace nss_test
-diff -up nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests nss/gtests/ssl_gtest/manifest.mn
---- nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests 2017-01-16 10:20:33.838983251 +0100
-+++ nss/gtests/ssl_gtest/manifest.mn 2017-01-16 10:20:36.802895453 +0100
-@@ -21,7 +21,6 @@ CPPSRCS = \
- ssl_dhe_unittest.cc \
- ssl_drop_unittest.cc \
- ssl_ecdh_unittest.cc \
-- ssl_ems_unittest.cc \
- ssl_exporter_unittest.cc \
- ssl_extension_unittest.cc \
- ssl_fuzz_unittest.cc \
-diff -up nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests nss/gtests/ssl_gtest/ssl_ems_unittest.cc
diff --git a/SOURCES/disable-extended-master-secret-with-old-softoken.patch b/SOURCES/disable-extended-master-secret-with-old-softoken.patch
deleted file mode 100644
index fdcc416..0000000
--- a/SOURCES/disable-extended-master-secret-with-old-softoken.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.disable-ems nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.disable-ems 2017-01-13 17:33:07.226905929 +0100
-+++ nss/lib/ssl/sslsock.c 2017-01-13 17:35:19.175659702 +0100
-@@ -75,6 +75,7 @@ static sslOptions ssl_defaults = {
- PR_TRUE, /* reuseServerECDHEKey */
- PR_FALSE, /* enableFallbackSCSV */
- PR_TRUE, /* enableServerDhe */
-+/* Keep extended-master-secret disabled until we have a compatible softokn. */
- PR_FALSE, /* enableExtendedMS */
- PR_FALSE, /* enableSignedCertTimestamps */
- PR_FALSE, /* requireDHENamedGroups */
-@@ -766,7 +767,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- break;
-
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
-+#if 0
-+/* No-Op until we have a compatible softokn. */
- ss->opt.enableExtendedMS = on;
-+#endif
- break;
-
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-@@ -1199,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- break;
-
- case SSL_ENABLE_EXTENDED_MASTER_SECRET:
-+#if 0
-+/* No-Op until we have a compatible softokn. */
- ssl_defaults.enableExtendedMS = on;
-+#endif
- break;
-
- case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
diff --git a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
new file mode 100644
index 0000000..db6be92
--- /dev/null
+++ b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
@@ -0,0 +1,4522 @@
+diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
+--- a/cmd/addbuiltin/addbuiltin.c
++++ b/cmd/addbuiltin/addbuiltin.c
+@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len)
+ if ((i != 0) && ((i & 0xf) == 0)) {
+ printf("\n");
+ }
+ printf("\\%03o", buf[i]);
+ }
+ printf("\n");
+ }
+
++int
++hasPositiveTrust(unsigned int trust)
++{
++ if (trust & CERTDB_TRUSTED) {
++ if (trust & CERTDB_TRUSTED_CA) {
++ return PR_TRUE;
++ } else {
++ return PR_FALSE;
++ }
++ } else {
++ if (trust & CERTDB_TRUSTED_CA) {
++ return PR_TRUE;
++ } else if (trust & CERTDB_VALID_CA) {
++ return PR_TRUE;
++ } else if (trust & CERTDB_TERMINAL_RECORD) {
++ return PR_FALSE;
++ } else {
++ return PR_FALSE;
++ }
++ }
++ return PR_FALSE;
++}
++
+ char *
+ getTrustString(unsigned int trust)
+ {
+ if (trust & CERTDB_TRUSTED) {
+ if (trust & CERTDB_TRUSTED_CA) {
+ return "CKT_NSS_TRUSTED_DELEGATOR";
+ } else {
+ return "CKT_NSS_TRUSTED";
+@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char
+ dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
+ printf("END\n");
+ printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+ dumpbytes(serial->data, serial->len);
+ printf("END\n");
+ printf("CKA_VALUE MULTILINE_OCTAL\n");
+ dumpbytes(sdder->data, sdder->len);
+ printf("END\n");
++ if (hasPositiveTrust(trust->sslFlags) ||
++ hasPositiveTrust(trust->emailFlags) ||
++ hasPositiveTrust(trust->objectSigningFlags)) {
++ printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
++ }
+ }
+
+ if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
+ CERTDB_TERMINAL_RECORD)
+ trust_info = "Distrust";
+ else
+ trust_info = "Trust for";
+
+diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
+--- a/cmd/lib/secutil.c
++++ b/cmd/lib/secutil.c
+@@ -27,17 +27,17 @@
+ #include
+ #endif
+
+ /* for SEC_TraverseNames */
+ #include "cert.h"
+ #include "certt.h"
+ #include "certdb.h"
+
+-/* #include "secmod.h" */
++#include "secmod.h"
+ #include "pk11func.h"
+ #include "secoid.h"
+
+ static char consoleName[] = {
+ #ifdef XP_UNIX
+ "/dev/tty"
+ #else
+ #ifdef XP_OS2
+@@ -3224,25 +3224,58 @@ SECU_PrintSignedContent(FILE *out, SECIt
+ SECStatus
+ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
+ const char *label,
+ CERTCertTrust *trust)
+ {
+ SECStatus rv;
+ SECItem data;
+ CERTCertTrust certTrust;
++ PK11SlotList *slotList;
++ PRBool falseAttributeFound = PR_FALSE;
++ PRBool trueAttributeFound = PR_FALSE;
++ const char *moz_policy_ca_info = NULL;
+
+ data.data = cert->derCert.data;
+ data.len = cert->derCert.len;
+
+ rv = SECU_PrintSignedData(stdout, &data, label, 0,
+ (SECU_PPFunc)SECU_PrintCertificate);
+ if (rv) {
+ return (SECFailure);
+ }
++
++ slotList = PK11_GetAllSlotsForCert(cert, NULL);
++ if (slotList) {
++ PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
++ for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
++ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
++ if (handle != CK_INVALID_HANDLE) {
++ PORT_SetError(0);
++ if (PK11_HasAttributeSet(se->slot, handle,
++ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
++ trueAttributeFound = PR_TRUE;
++ } else if (!PORT_GetError()) {
++ falseAttributeFound = PR_TRUE;
++ }
++ }
++ }
++ PK11_FreeSlotList(slotList);
++ }
++
++ if (trueAttributeFound) {
++ moz_policy_ca_info = "true (attribute present)";
++ } else if (falseAttributeFound) {
++ moz_policy_ca_info = "false (attribute present)";
++ } else {
++ moz_policy_ca_info = "false (attribute missing)";
++ }
++ SECU_Indent(stdout, 1);
++ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
++
+ if (trust) {
+ SECU_PrintTrustFlags(stdout, trust,
+ "Certificate Trust Flags", 1);
+ } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
+ SECU_PrintTrustFlags(stdout, &certTrust,
+ "Certificate Trust Flags", 1);
+ }
+
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -186,16
+186,17 @@ + \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156 + \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235 + \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341 + \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364 + \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004 + \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146 + \125\342\374\110\311\051\046\151\340 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GlobalSign Root CA" + # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE + # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94 + # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE + # Not Valid Before: Tue Sep 01 12:00:00 1998 + # Not Valid After : Fri Jan 28 12:00:00 2028 + # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A +@@ -319,16 +320,17 @@ + \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135 + \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202 + \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014 + \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373 + \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373 + \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214 + \152\374\176\102\070\100\144\022\367\236\201\341\223\056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GlobalSign Root CA - R2" + # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 + # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d + # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 + # Not Valid Before: Fri Dec 15 08:00:00 2006 + # Not Valid After : Wed Dec 15 08:00:00 2021 + # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30 +@@ -474,16 +476,17 @@ + \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354 + 
\245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216 + \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042 + \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170 + \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043 + \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243 + \113\336\006\226\161\054\362\333\266\037\244\357\077\356 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" + # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4 + # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Fri Oct 01 00:00:00 1999 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 +@@ -638,16 +641,17 @@ + \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110 + \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153 + \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045 + \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317 + \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263 + \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125 + \311\130\020\371\252\357\132\266\317\113\113\337\052 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3" + # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a + # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Fri Oct 01 00:00:00 1999 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6 +@@ -802,16 +806,17 @@ + \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151 + \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246 + \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156 + \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255 + \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126 + \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255 + \153\271\012\172\116\117\113\204\356\113\361\175\335\021 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3" + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 + # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Fri Oct 01 00:00:00 1999 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09 +@@ -1076,16 +1081,17 @@ + \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320 + \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304 + \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376 + \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171 + \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227 + \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053 + \174\136\232\166\351\131\220\305\174\203\065\021\145\121 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Entrust.net Premium 2048 Secure Server CA" + # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net + # Serial Number: 946069240 (0x3863def8) + # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. 
(limits liab.),O=Entrust.net + # Not Valid Before: Fri Dec 24 17:50:51 1999 + # Not Valid After : Tue Jul 24 14:15:12 2029 + # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90 +@@ -1213,16 +1219,17 @@ + \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275 + \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163 + \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021 + \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017 + \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322 + \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374 + \347\201\035\031\303\044\102\352\143\071\251 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Baltimore CyberTrust Root" + # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE + # Serial Number: 33554617 (0x20000b9) + # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE + # Not Valid Before: Fri May 12 18:46:00 2000 + # Not Valid After : Mon May 12 23:59:00 2025 + # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4 +@@ -1356,16 +1363,17 @@ + \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145 + \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030 + \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173 + \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200 + \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317 + \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344 + \065\341\035\026\034\320\274\053\216\326\161\331 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AddTrust Low-Value Services Root" + # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Serial Number: 1 (0x1) + # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Not Valid Before: Tue May 30 10:38:31 2000 + # Not Valid After : Sat May 30 10:38:31 
2020 + # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC +@@ -1504,16 +1512,17 @@ + \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247 + \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027 + \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236 + \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163 + \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132 + \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202 + \027\132\173\320\274\307\217\116\206\004 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AddTrust External Root" + # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE + # Serial Number: 1 (0x1) + # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE + # Not Valid Before: Tue May 30 10:48:38 2000 + # Not Valid After : Sat May 30 10:48:38 2020 + # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F +@@ -1649,16 +1658,17 @@ + \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341 + \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266 + \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120 + \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046 + \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035 + \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362 + \116\072\063\014\053\263\055\220\006 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AddTrust Public Services Root" + # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Serial Number: 1 (0x1) + # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Not Valid Before: Tue May 30 10:41:50 2000 + # Not Valid After : Sat May 30 10:41:50 2020 + # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F +@@ -1794,16 +1804,17 @@ + 
\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056 + \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033 + \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130 + \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335 + \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336 + \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350 + \306\241 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AddTrust Qualified Certificates Root" + # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Serial Number: 1 (0x1) + # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE + # Not Valid Before: Tue May 30 10:44:50 2000 + # Not Valid After : Sat May 30 10:44:50 2020 + # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB +@@ -1956,16 +1967,17 @@ + \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354 + \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377 + \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231 + \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140 + \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146 + \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376 + \036\177\132\264\074 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Entrust Root Certification Authority" + # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US + # Serial Number: 1164660820 (0x456b5054) + # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US + # Not Valid Before: Mon Nov 27 20:23:42 2006 + # Not Valid After : Fri Nov 27 20:53:42 2026 + # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4 +@@ -2089,16 
+2101,17 @@ + \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047 + \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002 + \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115 + \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325 + \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013 + \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355 + \302\005\146\200\241\313\346\063 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Global CA" + # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US + # Serial Number: 144470 (0x23456) + # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US + # Not Valid Before: Tue May 21 04:00:00 2002 + # Not Valid After : Sat May 21 04:00:00 2022 + # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5 +@@ -2216,16 +2229,17 @@ + \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227 + \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126 + \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005 + \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133 + \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152 + \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363 + \342\042\051\256\175\203\100\250\272\154 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Global CA 2" + # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US + # Serial Number: 1 (0x1) + # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US + # Not Valid Before: Thu Mar 04 05:00:00 2004 + # Not Valid After : Mon Mar 04 05:00:00 2019 + # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9 +@@ -2375,16 +2389,17 @@ + \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055 + \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247 + \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225 + 
\033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346 + \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305 + \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157 + \244\346\216\330\371\051\110\212\316\163\376\054 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Universal CA" + # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US + # Serial Number: 1 (0x1) + # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US + # Not Valid Before: Thu Mar 04 05:00:00 2004 + # Not Valid After : Sun Mar 04 05:00:00 2029 + # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48 +@@ -2534,16 +2549,17 @@ + \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207 + \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202 + \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262 + \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027 + \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306 + \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246 + \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Universal CA 2" + # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US + # Serial Number: 1 (0x1) + # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US + # Not Valid Before: Thu Mar 04 05:00:00 2004 + # Not Valid After : Sun Mar 04 05:00:00 2029 + # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7 +@@ -2670,16 +2686,17 @@ + \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106 + \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060 + \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213 + \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000 + \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355 + 
\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026 + \222\340\134\366\007\017 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Visa eCommerce Root" + # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US + # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 + # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US + # Not Valid Before: Wed Jun 26 02:18:36 2002 + # Not Valid After : Fri Jun 24 00:16:12 2022 + # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 +@@ -2792,16 +2809,17 @@ + \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171 + \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323 + \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161 + \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122 + \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151 + \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054 + \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Certum Root CA" + # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL + # Serial Number: 65568 (0x10020) + # Subject: CN=Certum CA,O=Unizeto Sp. 
z o.o.,C=PL + # Not Valid Before: Tue Jun 11 10:46:39 2002 + # Not Valid After : Fri Jun 11 10:46:39 2027 + # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9 +@@ -2937,16 +2955,17 @@ + \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217 + \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042 + \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242 + \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362 + \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267 + \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237 + \225\351\066\226\230\156 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Comodo AAA Services root" + # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number: 1 (0x1) + # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Thu Jan 01 00:00:00 2004 + # Not Valid After : Sun Dec 31 23:59:59 2028 + # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0 +@@ -3087,16 +3106,17 @@ + \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011 + \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217 + \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344 + \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345 + \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315 + \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174 + \354\375\051 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Comodo Secure Services root" + # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number: 1 (0x1) + # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Thu Jan 01 00:00:00 2004 + # Not Valid After : Sun Dec 31 23:59:59 2028 + 
# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD +@@ -3239,16 +3259,17 @@ + \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076 + \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261 + \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336 + \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047 + \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335 + \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230 + \160\136\310\304\170\260\142 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Comodo Trusted Services root" + # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number: 1 (0x1) + # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Thu Jan 01 00:00:00 2004 + # Not Valid After : Sun Dec 31 23:59:59 2028 + # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27 +@@ -3417,16 +3438,17 @@ + \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106 + \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060 + \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026 + \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050 + \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240 + \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212 + \112\164\066\371 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "QuoVadis Root CA" + # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM + # Serial Number: 985026699 (0x3ab6508b) + # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM + # Not Valid Before: Mon Mar 19 18:33:33 2001 + # Not Valid After : Wed Mar 17 18:33:33 2021 + # Fingerprint (MD5): 
27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24 +@@ -3585,16 +3607,17 @@ + \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335 + \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162 + \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026 + \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271 + \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332 + \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122 + \020\005\145\325\202\020\352\302\061\315\056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "QuoVadis Root CA 2" + # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM + # Serial Number: 1289 (0x509) + # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM + # Not Valid Before: Fri Nov 24 18:27:00 2006 + # Not Valid After : Mon Nov 24 18:23:33 2031 + # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B +@@ -3764,16 +3787,17 @@ + \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313 + \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223 + \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067 + \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164 + \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312 + \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022 + \332 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "QuoVadis Root CA 3" + # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM + # Serial Number: 1478 (0x5c6) + # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM + # Not Valid Before: Fri Nov 24 19:11:23 2006 + # Not Valid After : Mon Nov 24 19:06:44 2031 + # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF +@@ -3892,16 +3916,17 @@ + \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124 + \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101 + 
\065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260 + \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055 + \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003 + \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026 + \057\317\246\356\311\160\042\024\275\375\276\154\013\003 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Security Communication Root CA" + # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP + # Serial Number: 0 (0x0) + # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP + # Not Valid Before: Tue Sep 30 04:20:49 2003 + # Not Valid After : Sat Sep 30 04:20:49 2023 + # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A +@@ -4014,16 +4039,17 @@ + \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272 + \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143 + \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165 + \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366 + \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032 + \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132 + \160\254\337\114 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Sonera Class 2 Root CA" + # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI + # Serial Number: 29 (0x1d) + # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI + # Not Valid Before: Fri Apr 06 07:29:40 2001 + # Not Valid After : Tue Apr 06 07:29:40 2021 + # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB +@@ -4175,16 +4201,17 @@ + \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246 + \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254 + \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174 + \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044 + \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266 + 
\370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303 + \005\323\312\003\112\124 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "UTN USERFirst Email Root CA" + # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89 + # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Not Valid Before: Fri Jul 09 17:28:50 1999 + # Not Valid After : Tue Jul 09 17:36:58 2019 + # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7 +@@ -4338,16 +4365,17 @@ + \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055 + \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136 + \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120 + \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222 + \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251 + \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020 + \062\234\036\273\235\370\146\250 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "UTN USERFirst Hardware Root CA" + # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd + # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Not Valid Before: Fri Jul 09 18:10:42 1999 + # Not Valid After : Tue Jul 09 18:19:22 2019 + # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39 +@@ -4498,16 +4526,17 @@ + \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360 + \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271 + \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223 + 
\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327 + \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221 + \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170 + \275\023\122\035\250\076\315\000\037\310 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "UTN USERFirst Object Root CA" + # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b + # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US + # Not Valid Before: Fri Jul 09 18:31:20 1999 + # Not Valid After : Tue Jul 09 18:40:36 2019 + # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9 +@@ -4661,16 +4690,17 @@ + \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312 + \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064 + \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110 + \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335 + \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356 + \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370 + \334 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Camerfirma Chambers of Commerce Root" + # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU + # Serial Number: 0 (0x0) + # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU + # Not Valid Before: Tue Sep 30 16:13:43 2003 + # Not Valid After : Wed Sep 30 16:13:44 2037 + # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84 +@@ -4820,16 +4850,17 @@ + \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015 + \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334 + 
\171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075 + \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316 + \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177 + \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111 + \166\135\165\220\032\365\046\217\360 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Camerfirma Global Chambersign Root" + # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU + # Serial Number: 0 (0x0) + # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU + # Not Valid Before: Tue Sep 30 16:14:18 2003 + # Not Valid After : Wed Sep 30 16:14:18 2037 + # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19 +@@ -4972,16 +5003,17 @@ + \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273 + \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262 + \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341 + \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330 + \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020 + \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311 + \264\003\045\274 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "XRamp Global CA Root" + # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US + # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad + # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US + # Not Valid Before: Mon Nov 01 17:14:04 2004 + # Not Valid After : Mon Jan 01 05:37:19 2035 + # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1 +@@ -5118,16 +5150,17 @@ + \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274 + \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021 + 
\164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002 + \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245 + \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237 + \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035 + \177\333\275\237 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Go Daddy Class 2 CA" + # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US + # Serial Number: 0 (0x0) + # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US + # Not Valid Before: Tue Jun 29 17:06:20 2004 + # Not Valid After : Thu Jun 29 17:06:20 2034 + # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67 +@@ -5262,16 +5295,17 @@ + \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351 + \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101 + \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064 + \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030 + \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155 + \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057 + \037\027\224 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Starfield Class 2 CA" + # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US + # Serial Number: 0 (0x0) + # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US + # Not Valid Before: Tue Jun 29 17:39:16 2004 + # Not Valid After : Thu Jun 29 17:39:16 2034 + # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24 +@@ -5467,16 +5501,17 @@ + \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001 + \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225 + \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354 + \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204 + 
\103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241 + \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060 + \152\263\364\210\034\200\015\374\162\212\350\203\136 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "StartCom Certification Authority" + # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL + # Serial Number: 1 (0x1) + # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL + # Not Valid Before: Sun Sep 17 19:46:36 2006 + # Not Valid After : Wed Sep 17 19:46:36 2036 + # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16 +@@ -5631,16 +5666,17 @@ + \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011 + \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107 + \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336 + \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246 + \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316 + \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045 + \245\206\054\174\364\022 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Taiwan GRCA" + # Issuer: O=Government Root Certification Authority,C=TW + # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 + # Subject: O=Government Root Certification Authority,C=TW + # Not Valid Before: Thu Dec 05 13:23:33 2002 + # Not Valid After : Sun Dec 05 13:23:33 2032 + # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E +@@ -5803,16 +5839,17 @@ + \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376 + \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260 + \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030 + \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311 + \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146 + 
\201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372 + \060\032\365\232\154\364\016\123\371\072\133\321\034 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Swisscom Root CA 1" + # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch + # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36 + # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch + # Not Valid Before: Thu Aug 18 12:06:20 2005 + # Not Valid After : Mon Aug 18 22:06:20 2025 + # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9 +@@ -5943,16 +5980,17 @@ + \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361 + \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106 + \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337 + \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036 + \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241 + \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056 + \346\120\262\247\372\012\105\057\242\360\362 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "DigiCert Assured ID Root CA" + # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39 + # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Fri Nov 10 00:00:00 2006 + # Not Valid After : Mon Nov 10 00:00:00 2031 + # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72 +@@ -6083,16 +6121,17 @@ + \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154 + \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025 + \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167 + \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044 + \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230 + 
\001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225 + \225\155\336 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "DigiCert Global Root CA" + # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a + # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Fri Nov 10 00:00:00 2006 + # Not Valid After : Mon Nov 10 00:00:00 2031 + # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E +@@ -6224,16 +6263,17 @@ + \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214 + \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052 + \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236 + \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134 + \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143 + \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251 + \370\351\056\023\243\167\350\037\112 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "DigiCert High Assurance EV Root CA" + # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77 + # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Fri Nov 10 00:00:00 2006 + # Not Valid After : Mon Nov 10 00:00:00 2031 + # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A +@@ -6356,16 +6396,17 @@ + \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157 + \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330 + \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201 + \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366 + \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056 + \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273 + 
\227\277\242\216\264\124 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Certplus Class 2 Primary CA" + # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR + # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 + # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR + # Not Valid Before: Wed Jul 07 17:05:00 1999 + # Not Valid After : Sat Jul 06 23:59:59 2019 + # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B +@@ -6482,16 +6523,17 @@ + \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122 + \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071 + \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011 + \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221 + \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050 + \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221 + \013\004\216\007\333\051\266\012\356\235\202\065\065\020 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "DST Root CA X3" + # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. + # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b + # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. 
+ # Not Valid Before: Sat Sep 30 21:12:19 2000 + # Not Valid After : Thu Sep 30 14:01:15 2021 + # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5 +@@ -6623,16 +6665,17 @@ + \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052 + \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121 + \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233 + \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041 + \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366 + \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101 + \363\267\240\247\315\345\172\063\066\152\372\232\053 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "DST ACES CA X6" + # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US + # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9 + # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US + # Not Valid Before: Thu Nov 20 21:19:58 2003 + # Not Valid After : Mon Nov 20 21:19:58 2017 + # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8 +@@ -6790,16 +6833,17 @@ + \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161 + \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323 + \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007 + \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031 + \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265 + \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251 + \205\206\171\145\322 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "SwissSign Platinum CA - G2" + # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH + # Serial Number:4e:b2:00:67:0c:03:5d:4f + # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH + # Not Valid Before: Wed Oct 25 08:36:00 2006 + # Not Valid After : Sat Oct 25 08:36:00 2036 + # Fingerprint (MD5): 
C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6 +@@ -6954,16 +6998,17 @@ + \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300 + \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260 + \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111 + \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272 + \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155 + \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362 + \111\044\133\311\260\320\127\301\372\076\172\341\227\311 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "SwissSign Gold CA - G2" + # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH + # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0 + # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH + # Not Valid Before: Wed Oct 25 08:30:35 2006 + # Not Valid After : Sat Oct 25 08:30:35 2036 + # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93 +@@ -7119,16 +7164,17 @@ + \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076 + \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345 + \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353 + \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362 + \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152 + \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056 + \156 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "SwissSign Silver CA - G2" + # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH + # Serial Number:4f:1b:d4:2f:54:bb:2f:4b + # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH + # Not Valid Before: Wed Oct 25 08:32:46 2006 + # Not Valid After : Sat Oct 25 08:32:46 2036 + # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13 +@@ -7250,16 +7296,17 @@ + \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132 + \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143 + 
\122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252 + \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370 + \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024 + \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215 + \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Primary Certification Authority" + # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US + # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1 + # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US + # Not Valid Before: Mon Nov 27 00:00:00 2006 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF +@@ -7404,16 +7451,17 @@ + \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067 + \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004 + \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077 + \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056 + \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107 + \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173 + \215\126\214\150 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "thawte Primary Root CA" + # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US + # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d + # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. 
- For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US + # Not Valid Before: Fri Nov 17 00:00:00 2006 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 +@@ -7578,16 +7626,17 @@ + \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031 + \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121 + \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016 + \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015 + \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266 + \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362 + \254\021\326\250\355\143\152 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a + # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Wed Nov 08 00:00:00 2006 + # Not Valid After : Wed Jul 16 23:59:59 2036 + # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C +@@ -7720,16 +7769,17 @@ + \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322 + \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332 + \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366 + \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321 + \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051 + \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050 + \113\035\236\054\302\270\150\274\355\002\356\061 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "SecureTrust CA" + # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US + # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 + # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US + # Not Valid Before: Tue Nov 07 19:31:18 2006 + # Not Valid After : Mon Dec 31 19:40:55 2029 + # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1 +@@ -7854,16 +7904,17 @@ + \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330 + \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111 + \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171 + \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134 + \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000 + \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362 + \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Secure Global CA" + # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US + # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 + # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US + # Not Valid Before: Tue Nov 07 19:42:28 
2006 + # Not Valid After : Mon Dec 31 19:52:06 2029 + # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE +@@ -8003,16 +8054,17 @@ + \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127 + \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365 + \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135 + \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005 + \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041 + \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001 + \145 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "COMODO Certification Authority" + # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d + # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Fri Dec 01 00:00:00 2006 + # Not Valid After : Mon Dec 31 23:59:59 2029 + # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75 +@@ -8148,16 +8200,17 @@ + \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157 + \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157 + \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004 + \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315 + \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245 + \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313 + \244\140\114\260\125\240\240\173\127\262 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Network Solutions Certificate Authority" + # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US + # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0 + # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US + # Not Valid Before: Fri Dec 01 00:00:00 2006 + # Not Valid 
After : Mon Dec 31 23:59:59 2029 + # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E +@@ -8188,177 +8241,16 @@ + \150\340 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "WellsSecure Public Root Certificate Authority" +-# +-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US +-# Serial Number: 1 (0x1) +-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US +-# Not Valid Before: Thu Dec 13 17:07:54 2007 +-# Not Valid After : Wed Dec 14 00:07:54 2022 +-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 +-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 +-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 +-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 +-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 +-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 +-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 +-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 +-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 +-\165\164\150\157\162\151\164\171 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 +-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 +-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 +-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 +-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 +-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 +-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 +-\165\164\150\157\162\151\164\171 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\001\001 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001 +-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 +-\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +-\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040 +-\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162 +-\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154 +-\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061 +-\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123 +-\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157 +-\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165 +-\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061 +-\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064 +-\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003 +-\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012 +-\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145 +-\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125 +-\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040 +-\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003 +-\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165 +-\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146 
+-\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060 +-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 +-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 +-\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253 +-\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210 +-\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051 +-\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324 +-\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122 +-\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060 +-\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054 +-\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344 +-\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264 +-\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143 +-\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050 +-\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204 +-\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237 +-\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005 +-\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300 +-\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145 +-\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006 +-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071 +-\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206 +-\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056 +-\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167 +-\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017 +-\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016 +-\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031 +-\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043 +-\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227 
+-\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244 +-\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002 +-\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154 +-\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145 +-\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127 +-\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040 +-\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154 +-\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040 +-\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145 +-\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006 +-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001 +-\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173 +-\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355 +-\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035 +-\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225 +-\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045 +-\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101 +-\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344 +-\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255 +-\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247 +-\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163 +-\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166 +-\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075 +-\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147 +-\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176 +-\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157 +-\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130 +-\333 +-END +- +-# Trust for Certificate "WellsSecure Public Root Certificate Authority" +-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo 
WellsSecure,C=US +-# Serial Number: 1 (0x1) +-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US +-# Not Valid Before: Thu Dec 13 17:07:54 2007 +-# Not Valid After : Wed Dec 14 00:07:54 2022 +-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 +-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364 +-\175\117\350\356 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 +-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 +-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 +-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 +-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 +-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 +-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 +-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 +-\165\164\150\157\162\151\164\171 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\001\001 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "COMODO ECC Certification Authority" + # + # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a + # Subject: 
CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Thu Mar 06 00:00:00 2008 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23 +@@ -8434,16 +8326,17 @@ + \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254 + \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346 + \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316 + \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223 + \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157 + \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346 + \334\335\363\377\035\054\072\026\127\331\222\071\326 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "COMODO ECC Certification Authority" + # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a + # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Thu Mar 06 00:00:00 2008 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23 +@@ -8741,16 +8634,17 @@ + \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176 + \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343 + \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240 + \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116 + \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017 + \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217 + \164 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Security Communication EV RootCA1" + # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP + # Serial Number: 0 (0x0) + # Subject: OU=Security 
Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP + # Not Valid Before: Wed Jun 06 02:12:32 2007 + # Not Valid After : Sat Jun 06 02:12:32 2037 + # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3 +@@ -8888,16 +8782,17 @@ + \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030 + \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000 + \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142 + \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243 + \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051 + \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311 + \374\276\337\012\015 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "OISTE WISeKey Global Root GA CA" + # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH + # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a + # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH + # Not Valid Before: Sun Dec 11 16:03:44 2005 + # Not Valid After : Fri Dec 11 16:09:51 2037 + # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93 +@@ -8930,222 +8825,16 @@ + \337\232 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "Microsec e-Szigno Root CA" +-# +-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU +-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 +-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU +-# Not Valid Before: Wed Apr 06 12:28:44 2005 +-# Not Valid After : Thu Apr 06 12:28:44 2017 +-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 +-# 
Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "Microsec e-Szigno Root CA" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 +-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 +-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 +-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 +-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 +-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 +-\164\040\103\101 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 +-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 +-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 +-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 +-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 +-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 +-\164\040\103\101 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 +-\054\017\021 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000 +-\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021 +-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 +-\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021 +-\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163 +-\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162 
+-\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125 +-\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061 +-\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163 +-\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164 +-\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062 +-\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070 +-\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002 +-\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144 +-\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015 +-\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060 +-\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157 +-\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151 +-\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040 +-\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052 +-\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060 +-\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070 +-\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207 +-\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256 +-\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167 +-\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331 +-\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376 +-\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006 +-\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254 +-\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300 +-\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140 +-\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270 +-\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364 +-\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341 +-\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111 
+-\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161 +-\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346 +-\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004 +-\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001 +-\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060 +-\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145 +-\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060 +-\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164 +-\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157 +-\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017 +-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +-\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146 +-\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001 +-\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007 +-\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145 +-\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057 +-\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202 +-\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156 +-\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171 +-\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145 +-\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040 +-\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147 +-\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172 +-\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147 +-\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123 +-\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141 +-\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141 +-\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141 +-\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164 
+-\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154 +-\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150 +-\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167 +-\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147 +-\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132 +-\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201 +-\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150 +-\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147 +-\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154 +-\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145 +-\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151 +-\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156 +-\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125 +-\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117 +-\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056 +-\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125 +-\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157 +-\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162 +-\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 +-\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201 +-\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150 +-\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032 +-\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156 +-\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003 +-\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110 +-\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143 +-\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003 +-\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060 +-\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125 
+-\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141 +-\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166 +-\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110 +-\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141 +-\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115 +-\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022 +-\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040 +-\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143 +-\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122 +-\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032 +-\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016 +-\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322 +-\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206 +-\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146 +-\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154 +-\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240 +-\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247 +-\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345 +-\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172 +-\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250 +-\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332 +-\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133 +-\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323 +-\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321 +-\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235 +-\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362 +-\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077 +-\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226 +-\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040 +-\103\307\003\340\067\116\135\012\334\131\040\045 +-END 
+- +-# Trust for Certificate "Microsec e-Szigno Root CA" +-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU +-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 +-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU +-# Not Valid Before: Wed Apr 06 12:28:44 2005 +-# Not Valid After : Thu Apr 06 12:28:44 2017 +-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 +-# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "Microsec e-Szigno Root CA" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326 +-\045\354\031\015 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 +-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 +-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 +-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 +-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 +-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 +-\164\040\103\101 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 +-\054\017\021 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "Certigna" + # + # Issuer: CN=Certigna,O=Dhimyotis,C=FR + # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff + # Subject: 
CN=Certigna,O=Dhimyotis,C=FR + # Not Valid Before: Fri Jun 29 15:13:05 2007 + # Not Valid After : Tue Jun 29 15:13:05 2027 + # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF +@@ -9228,16 +8917,17 @@ + \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347 + \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260 + \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004 + \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043 + \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060 + \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225 + \300\226\130\057\352\273\106\327\273\344\331\056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Certigna" + # Issuer: CN=Certigna,O=Dhimyotis,C=FR + # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff + # Subject: CN=Certigna,O=Dhimyotis,C=FR + # Not Valid Before: Fri Jun 29 15:13:05 2007 + # Not Valid After : Tue Jun 29 15:13:05 2027 + # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF +@@ -9409,16 +9099,17 @@ + \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352 + \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211 + \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153 + \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030 + \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043 + \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144 + \005\211\374\170\326\134\054\046\103\251 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AC Raiz Certicamara S.A." 
+ # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO + # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c + # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO + # Not Valid Before: Mon Nov 27 20:46:29 2006 + # Not Valid After : Tue Apr 02 21:42:02 2030 + # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6 +@@ -9566,16 +9257,17 @@ + \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001 + \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245 + \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011 + \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143 + \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030 + \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154 + \016\121\075\157\373\226\126\200\342\066\027\321\334\344 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "TC TrustCenter Class 3 CA II" + # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE + # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf + # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE + # Not Valid Before: Thu Jan 12 14:41:57 2006 + # Not Valid After : Wed Dec 31 22:59:59 2025 + # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E +@@ -9706,16 +9398,17 @@ + \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124 + \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376 + \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257 + \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143 + \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224 + \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005 + \126\144\127 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate 
"Deutsche Telekom Root CA 2" + # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE + # Serial Number: 38 (0x26) + # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE + # Not Valid Before: Fri Jul 09 12:11:00 1999 + # Not Valid After : Tue Jul 09 23:59:00 2019 + # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08 +@@ -9838,16 +9531,17 @@ + \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334 + \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135 + \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044 + \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163 + \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370 + \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224 + \000\147\240\161\000\202\110 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "ComSign CA" + # Issuer: C=IL,O=ComSign,CN=ComSign CA + # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44 + # Subject: C=IL,O=ComSign,CN=ComSign CA + # Not Valid Before: Wed Mar 24 11:32:18 2004 + # Not Valid After : Mon Mar 19 15:02:18 2029 + # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B +@@ -9968,16 +9662,17 @@ + \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141 + \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113 + \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320 + \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142 + \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063 + \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053 + \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "ComSign Secured CA" + # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA + # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9 + # Subject: 
C=IL,O=ComSign,CN=ComSign Secured CA + # Not Valid Before: Wed Mar 24 11:37:20 2004 + # Not Valid After : Fri Mar 16 15:04:56 2029 + # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5 +@@ -10097,16 +9792,17 @@ + \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354 + \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034 + \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327 + \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006 + \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326 + \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264 + \246\210\070\316\125 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Cybertrust Global Root" + # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" + # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48 + # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc" + # Not Valid Before: Fri Dec 15 08:00:00 2006 + # Not Valid After : Wed Dec 15 08:00:00 2021 + # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1 +@@ -10263,16 +9959,17 @@ + \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374 + \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304 + \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156 + \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143 + \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203 + \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352 + \201\370\021\234 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "ePKI Root Certification Authority" + # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW + # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d + # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW + # Not Valid Before: Mon Dec 20 02:31:27 2004 + # Not Valid After : Wed Dec 20 02:31:27 2034 + # Fingerprint 
(MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3 +@@ -10447,16 +10144,17 @@ + \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112 + \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307 + \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147 + \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154 + \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204 + \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054 + \311\234\220\332\354\251\102\074\255\266\002 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" + # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR + # Serial Number: 17 (0x11) + # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. 
- UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR + # Not Valid Before: Fri Aug 24 11:37:07 2007 + # Not Valid After : Mon Aug 21 11:37:07 2017 + # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26 +@@ -10583,16 +10281,17 @@ + \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240 + \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240 + \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160 + \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302 + \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210 + \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115 + \366\356\260\132\116\111\104\124\130\137\102\203 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "certSIGN ROOT CA" + # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO + # Serial Number:20:06:05:16:70:02 + # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO + # Not Valid Before: Tue Jul 04 17:20:04 2006 + # Not Valid After : Fri Jul 04 17:20:04 2031 + # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17 +@@ -10706,16 +10405,17 @@ + \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313 + \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356 + \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311 + \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143 + \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256 + \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125 + \011\333\212\101\202\236\146\233\021 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "CNNIC ROOT" + # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN + # Serial Number: 1228079105 (0x49330001) + # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN + # Not Valid Before: Mon Apr 16 07:09:14 2007 + # Not Valid After : Fri Apr 16 07:09:14 2027 + # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19 +@@ -10742,147 
+10442,16 @@ + \002\004\111\063\000\001 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "ApplicationCA - Japanese Government" +-# +-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP +-# Serial Number: 49 (0x31) +-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP +-# Not Valid Before: Wed Dec 12 15:00:00 2007 +-# Not Valid After : Tue Dec 12 15:00:00 2017 +-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 +-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "ApplicationCA - Japanese Government" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 +-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 +-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 +-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 +-\151\157\156\103\101 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 +-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 +-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 +-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 +-\151\157\156\103\101 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\001\061 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061 +-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 +-\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034 
+-\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163 +-\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024 +-\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151 +-\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065 +-\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060 +-\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023 +-\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141 +-\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156 +-\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154 +-\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006 +-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 +-\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207 +-\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005 +-\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212 +-\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212 +-\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240 +-\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006 +-\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171 +-\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004 +-\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155 +-\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060 +-\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214 +-\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005 +-\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155 +-\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331 +-\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060 +-\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046 +-\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243 +-\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024 
+-\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320 +-\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004 +-\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244 +-\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120 +-\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234 +-\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003 +-\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202 +-\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060 +-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003 +-\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017 +-\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172 +-\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011 +-\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234 +-\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026 +-\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176 +-\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221 +-\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217 +-\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124 +-\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210 +-\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353 +-\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243 +-\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046 +-\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377 +-\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113 +-\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177 +-\262\033\211\124 +-END +- +-# Trust for Certificate "ApplicationCA - Japanese Government" +-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP +-# Serial Number: 49 (0x31) +-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP +-# Not Valid Before: 
Wed Dec 12 15:00:00 2007 +-# Not Valid After : Tue Dec 12 15:00:00 2017 +-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 +-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "ApplicationCA - Japanese Government" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214 +-\323\065\374\164 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 +-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 +-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 +-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 +-\151\157\156\103\101 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\001\061 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "GeoTrust Primary Certification Authority - G3" + # + # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US + # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f + # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. 
- For authorized use only,O=GeoTrust Inc.,C=US + # Not Valid Before: Wed Apr 02 00:00:00 2008 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05 +@@ -10984,16 +10553,17 @@ + \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346 + \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007 + \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032 + \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212 + \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206 + \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031 + \021\055 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Primary Certification Authority - G3" + # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US + # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f + # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US + # Not Valid Before: Wed Apr 02 00:00:00 2008 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05 +@@ -11112,16 +10682,17 @@ + \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247 + \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167 + \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002 + \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374 + \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061 + \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022 + \367\130\077\056\162\002\127\243\217\241\024\056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "thawte Primary Root CA - G2" + # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. 
- For authorized use only",O="thawte, Inc.",C=US + # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56 + # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US + # Not Valid Before: Mon Nov 05 00:00:00 2007 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F +@@ -11271,16 +10842,17 @@ + \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364 + \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324 + \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314 + \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005 + \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157 + \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156 + \061\324\100\032\142\064\066\077\065\001\256\254\143\240 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "thawte Primary Root CA - G3" + # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US + # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb + # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. 
- For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US + # Not Valid Before: Wed Apr 02 00:00:00 2008 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31 +@@ -11406,16 +10978,17 @@ + \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221 + \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223 + \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066 + \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137 + \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063 + \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004 + \017\212 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GeoTrust Primary Certification Authority - G2" + # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US + # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b + # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. 
- For authorized use only,O=GeoTrust Inc.,C=US + # Not Valid Before: Mon Nov 05 00:00:00 2007 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A +@@ -11575,16 +11148,17 @@ + \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342 + \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072 + \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321 + \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176 + \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360 + \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267 + \354\315\202\141\361\070\346\117\227\230\052\132\215 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "VeriSign Universal Root Certification Authority" + # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d + # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Wed Apr 02 00:00:00 2008 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19 +@@ -11729,16 +11303,17 @@ + \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102 + \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204 + \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110 + \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032 + \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307 + \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252 + \055\247\330\206\052\335\056\020 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3 + # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Mon Nov 05 00:00:00 2007 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41 +@@ -11888,16 +11463,17 @@ + \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205 + \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204 + \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366 + \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266 + \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221 + \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233 + \330\316\304\143\165\077\131\107\261 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "NetLock Arany (Class Gold) FÅ‘tanúsítvány" + # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU + # Serial Number:49:41:2c:e4:00:10 + # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU + # Not Valid Before: Thu Dec 11 15:08:21 2008 + # Not Valid After : Wed Dec 06 15:08:21 2028 + # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88 +@@ -12061,16 +11637,17 @@ + \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102 + \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367 + \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232 + \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331 + \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356 + \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265 + \370\161\012\334\271\374\175\062\140\346\353\257\212\001 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Staat der Nederlanden Root CA - G2" + # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL 
+ # Serial Number: 10000012 (0x98968c) + # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL + # Not Valid Before: Wed Mar 26 11:18:17 2008 + # Not Valid After : Wed Mar 25 11:03:10 2020 + # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A +@@ -12186,16 +11763,17 @@ + \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105 + \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203 + \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116 + \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321 + \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206 + \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342 + \002\153\331\132 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Hongkong Post Root CA 1" + # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK + # Serial Number: 1000 (0x3e8) + # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK + # Not Valid Before: Thu May 15 05:13:14 2003 + # Not Valid After : Mon May 15 04:52:29 2023 + # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA +@@ -12316,16 +11894,17 @@ + \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310 + \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371 + \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154 + \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055 + \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215 + \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003 + \362 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "SecureSign RootCA11" + # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP + # Serial Number: 1 (0x1) + # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP + # Not Valid Before: Wed Apr 08 04:56:47 2009 + # Not Valid After : Sun Apr 08 04:56:47 2029 + # Fingerprint (MD5): 
B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26 +@@ -12481,16 +12060,17 @@ + \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125 + \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255 + \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351 + \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235 + \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112 + \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176 + \113\076\053\070\007\125\230\136\244 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "ACEDICOM Root" + # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root + # Serial Number:61:8d:c7:86:3b:01:82:05 + # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root + # Not Valid Before: Fri Apr 18 16:24:22 2008 + # Not Valid After : Thu Apr 13 16:24:22 2028 + # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6 +@@ -12627,16 +12207,17 @@ + \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207 + \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334 + \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141 + \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070 + \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155 + \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311 + \202\042\055\172\124\253\160\303\175\042\145\202\160\226 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Microsec e-Szigno Root CA 2009" + # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU + # Serial Number:00:c2:7e:43:04:4e:47:3f:19 + # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU + # Not Valid Before: Tue Jun 16 11:30:18 2009 + # Not Valid After : Sun Dec 30 11:30:18 2029 + # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1 +@@ -12758,16 +12339,17 @@ + 
\231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125 + \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213 + \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054 + \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057 + \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162 + \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107 + \130\077\137 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "GlobalSign Root CA - R3" + # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 + # Serial Number:04:00:00:00:00:01:21:58:53:08:a2 + # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 + # Not Valid Before: Wed Mar 18 10:00:00 2009 + # Not Valid After : Sun Mar 18 10:00:00 2029 + # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28 +@@ -12930,16 +12512,17 @@ + \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336 + \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063 + \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136 + \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064 + \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001 + \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156 + \156\117\022\176\012\074\235\225 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" + # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES + # Serial Number:53:ec:3b:ee:fb:b2:48:5f + # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES + # Not Valid Before: Wed May 20 08:38:15 2009 + # Not Valid After : Tue Dec 31 08:38:15 2030 + # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3 +@@ -13098,16 +12681,17 @@ + \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076 + \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006 + 
\236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041 + \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154 + \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124 + \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154 + \333\374\046\210\307 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Izenpe.com" + # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES + # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d + # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES + # Not Valid Before: Thu Dec 13 13:08:28 2007 + # Not Valid After : Sun Dec 13 08:27:25 2037 + # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73 +@@ -13302,16 +12886,17 @@ + \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373 + \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031 + \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140 + \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221 + \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246 + \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331 + \167\110\320 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Chambers of Commerce Root - 2008" + # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU + # Serial Number:00:a3:da:42:7e:a4:b1:ae:da + # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU + # Not Valid Before: Fri Aug 01 12:29:50 2008 + # Not Valid After : Sat Jul 31 12:29:50 2038 + # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7 +@@ -13510,16 +13095,17 @@ + \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036 + \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351 + 
\067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150 + \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231 + \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060 + \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364 + \351\233\256\325\124\300\164\200\321\013\102\237\301 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Global Chambersign Root - 2008" + # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU + # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce + # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU + # Not Valid Before: Fri Aug 01 12:31:40 2008 + # Not Valid After : Sat Jul 31 12:31:40 2038 + # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3 +@@ -15376,16 +14962,17 @@ + \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333 + \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075 + \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316 + \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006 + \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324 + \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210 + \342\342\104\276\134\367\352\034\365 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Go Daddy Root Certificate Authority - G2" + # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US + # Serial Number: 0 (0x0) + # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US + # Not Valid Before: Tue Sep 01 00:00:00 2009 + # Not Valid After : Thu Dec 31 23:59:59 2037 + # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01 +@@ -15525,16 +15112,17 @@ + 
\037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312 + \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011 + \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042 + \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365 + \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045 + \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151 + \364 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Starfield Root Certificate Authority - G2" + # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US + # Serial Number: 0 (0x0) + # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US + # Not Valid Before: Tue Sep 01 00:00:00 2009 + # Not Valid After : Thu Dec 31 23:59:59 2037 + # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96 +@@ -15676,16 +15264,17 @@ + \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372 + \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046 + \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247 + \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060 + \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250 + \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215 + \261\050\272 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Starfield Services Root Certificate Authority - G2" + # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US + # Serial Number: 0 (0x0) + # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US + # Not Valid Before: Tue Sep 01 00:00:00 2009 + # Not Valid After : Thu Dec 31 23:59:59 2037 + # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2 +@@ -15806,16 
+15395,17 @@ + \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302 + \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140 + \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162 + \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111 + \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002 + \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236 + \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AffirmTrust Commercial" + # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US + # Serial Number:77:77:06:27:26:a9:b1:7c + # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US + # Not Valid Before: Fri Jan 29 14:06:06 2010 + # Not Valid After : Tue Dec 31 14:06:06 2030 + # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7 +@@ -15931,16 +15521,17 @@ + \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110 + \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056 + \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313 + \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221 + \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074 + \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064 + \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AffirmTrust Networking" + # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US + # Serial Number:7c:4f:04:39:1c:d4:99:2d + # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US + # Not Valid Before: Fri Jan 29 14:08:24 2010 + # Not Valid After : Tue Dec 31 14:08:24 2030 + # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F +@@ -16088,16 +15679,17 @@ + \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303 + \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027 + 
\241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216 + \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317 + \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052 + \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236 + \051\340\266\270\011\150\031\034\030\103 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AffirmTrust Premium" + # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US + # Serial Number:6d:8c:14:46:b1:a6:0a:ee + # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US + # Not Valid Before: Fri Jan 29 14:10:36 2010 + # Not Valid After : Mon Dec 31 14:10:36 2040 + # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57 +@@ -16193,16 +15785,17 @@ + \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154 + \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306 + \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161 + \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210 + \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131 + \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002 + \214\171 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "AffirmTrust Premium ECC" + # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US + # Serial Number:74:97:25:8a:c7:3f:7a:54 + # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US + # Not Valid Before: Fri Jan 29 14:20:24 2010 + # Not Valid After : Mon Dec 31 14:20:24 2040 + # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D +@@ -16331,16 +15924,17 @@ + \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230 + \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132 + \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130 + \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110 + \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232 + 
\013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106 + \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Certum Trusted Network CA" + # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL + # Serial Number: 279744 (0x444c0) + # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL + # Not Valid Before: Wed Oct 22 12:07:37 2008 + # Not Valid After : Mon Dec 31 12:07:37 2029 + # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78 +@@ -16500,16 +16094,17 @@ + \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133 + \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333 + \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027 + \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164 + \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126 + \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143 + \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Certinomis - Autorité Racine" + # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR + # Serial Number: 1 (0x1) + # Subject: CN=Certinomis - Autorit.. 
Racine,OU=0002 433998903,O=Certinomis,C=FR + # Not Valid Before: Wed Sep 17 08:28:59 2008 + # Not Valid After : Sun Sep 17 08:28:59 2028 + # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A +@@ -16634,16 +16229,17 @@ + \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106 + \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347 + \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066 + \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332 + \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031 + \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316 + \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "TWCA Root Certification Authority" + # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW + # Serial Number: 1 (0x1) + # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW + # Not Valid Before: Thu Aug 28 07:24:33 2008 + # Not Valid After : Tue Dec 31 15:59:59 2030 + # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79 +@@ -18024,16 +17620,17 @@ + \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164 + \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162 + \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354 + \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051 + \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077 + \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136 + \201\050\174\247\175\047\353\000\256\215\067 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Security Communication RootCA2" + # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP + # Serial Number: 0 (0x0) + # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP + # Not Valid Before: Fri May 29 05:00:39 2009 + # 
Not Valid After : Tue May 29 05:00:39 2029 + # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43 +@@ -18206,16 +17803,17 @@ + \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210 + \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222 + \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023 + \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201 + \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145 + \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133 + \371\210\075\176\270\157\156\003\344\102 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "EC-ACC" + # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES + # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01 + # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES + # Not Valid Before: Tue Jan 07 23:00:00 2003 + # Not Valid After : Tue Jan 07 22:59:59 2031 + # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09 +@@ -18368,16 +17966,17 @@ + \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117 + \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254 + \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063 + \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271 + \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310 + \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071 + \113\321\047\327\270 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011" + # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic 
Academic and Research Institutions Cert. Authority,C=GR + # Serial Number: 0 (0x0) + # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR + # Not Valid Before: Tue Dec 06 13:49:52 2011 + # Not Valid After : Mon Dec 01 13:49:52 2031 + # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9 +@@ -18603,16 +18202,17 @@ + \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146 + \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124 + \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024 + \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263 + \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223 + \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056 + \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Actalis Authentication Root CA" + # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT + # Serial Number:57:0a:11:97:42:c4:e3:cc + # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT + # Not Valid Before: Thu Sep 22 11:22:02 2011 + # Not Valid After : Sun Sep 22 11:22:02 2030 + # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6 +@@ -18733,16 +18333,17 @@ + \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341 + \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377 + \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005 + \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053 + \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272 + \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015 + \145\353\127\331\363\127\226\273\110\315\201 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Trustis FPS Root CA" + # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB + # Serial 
Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 + # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB + # Not Valid Before: Tue Dec 23 12:14:06 2003 + # Not Valid After : Sun Jan 21 11:36:54 2024 + # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D +@@ -18933,16 +18534,17 @@ + \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340 + \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135 + \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331 + \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212 + \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217 + \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346 + \177\045\245\362\110\000\300\244\001\332\077 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "StartCom Certification Authority" + # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL + # Serial Number: 45 (0x2d) + # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL + # Not Valid Before: Sun Sep 17 19:46:37 2006 + # Not Valid After : Wed Sep 17 19:46:36 2036 + # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16 +@@ -19097,16 +18699,17 @@ + \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050 + \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355 + \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311 + \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153 + \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303 + \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123 + \127\055\366\320\341\327\110 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "StartCom Certification Authority G2" + # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL + # Serial Number: 59 (0x3b) + # Subject: CN=StartCom Certification Authority G2,O=StartCom 
Ltd.,C=IL + # Not Valid Before: Fri Jan 01 01:00:01 2010 + # Not Valid After : Sat Dec 31 23:59:01 2039 + # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64 +@@ -19256,16 +18859,17 @@ + \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040 + \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141 + \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011 + \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314 + \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363 + \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277 + \327\201\011\361\311\307\046\015\254\230\026\126\240 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Buypass Class 2 Root CA" + # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO + # Serial Number: 2 (0x2) + # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO + # Not Valid Before: Tue Oct 26 08:38:03 2010 + # Not Valid After : Fri Oct 26 08:38:03 2040 + # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29 +@@ -19414,16 +19018,17 @@ + \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065 + \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303 + \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170 + \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346 + \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152 + \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351 + \061\356\006\274\163\277\023\142\012\237\307\271\227 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Buypass Class 3 Root CA" + # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO + # Serial Number: 2 (0x2) + # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO + # Not Valid Before: Tue Oct 26 08:28:58 2010 + # Not Valid After : Fri Oct 26 08:28:58 2040 + # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC +@@ -19555,16 
+19160,17 @@ + \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157 + \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011 + \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245 + \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032 + \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202 + \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051 + \116\223\303\244\124\024\133 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "T-TeleSec GlobalRoot Class 3" + # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE + # Serial Number: 1 (0x1) + # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE + # Not Valid Before: Wed Oct 01 10:29:56 2008 + # Not Valid After : Sat Oct 01 23:59:59 2033 + # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF +@@ -19703,16 +19309,17 @@ + \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072 + \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026 + \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123 + \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356 + \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357 + \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220 + \307\314\165\301\226\305\235 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "EE Certification Centre Root CA" + # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE + # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a + # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE + # Not Valid Before: Sat Oct 30 10:10:30 2010 + # Not Valid After : Tue Dec 17 23:59:59 2030 + # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F +@@ -19932,16 +19539,17 @@ + 
\005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032 + \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325 + \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277 + \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031 + \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146 + \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071 + \175 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "TURKTRUST Certificate Services Provider Root 2007" + # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. + # Serial Number: 1 (0x1) + # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. + # Not Valid Before: Tue Dec 25 18:37:19 2007 + # Not Valid After : Fri Dec 22 18:37:19 2017 + # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72 +@@ -20080,16 +19688,17 @@ + \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133 + \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274 + \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227 + \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366 + \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330 + \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136 + \164\145\327\134\376\243\342 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "D-TRUST Root Class 3 CA 2 2009" + # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE + # Serial Number: 623603 (0x983f3) + # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE + # Not Valid Before: Thu Nov 05 08:35:58 2009 + # Not Valid After : Mon Nov 05 08:35:58 2029 + # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F +@@ -20223,16 +19832,17 @@ + 
\173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332 + \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046 + \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063 + \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227 + \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327 + \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041 + \352\237\026\361\054\124\265 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "D-TRUST Root Class 3 CA 2 EV 2009" + # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE + # Serial Number: 623604 (0x983f4) + # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE + # Not Valid Before: Thu Nov 05 08:50:46 2009 + # Not Valid After : Mon Nov 05 08:50:46 2029 + # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6 +@@ -20472,16 +20082,17 @@ + \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375 + \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141 + \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253 + \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307 + \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063 + \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335 + \376\206\364\274\340\032\161\263\142\246 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "PSCProcert" + # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano + # Serial Number: 11 (0xb) + # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve + # Not Valid Before: Tue Dec 28 16:51:00 2010 + # Not Valid After : Fri Dec 25 23:59:59 2020 + # Fingerprint (MD5): 
E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC +@@ -20630,16 +20241,17 @@ + \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326 + \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276 + \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310 + \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276 + \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367 + \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362 + \303\055\375\024\052\220\231\271\007\314\237 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "China Internet Network Information Center EV Certificates Root" + # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN + # Serial Number: 1218379777 (0x489f0001) + # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN + # Not Valid Before: Tue Aug 31 07:11:25 2010 + # Not Valid After : Sat Aug 31 07:11:25 2030 + # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15 +@@ -20805,16 +20417,17 @@ + \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114 + \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164 + \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166 + \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335 + \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224 + \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071 + \301\053\022\236\246\236\033\305\346\016\331\061\331 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Swisscom Root CA 2" + # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch + # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6 + # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch + # Not Valid Before: Fri Jun 24 08:38:14 2011 + # Not Valid After : Wed Jun 
25 07:38:14 2031 + # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19 +@@ -20980,16 +20593,17 @@ + \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370 + \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310 + \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357 + \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036 + \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033 + \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255 + \046\277\242\367 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Swisscom Root EV CA 2" + # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch + # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58 + # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch + # Not Valid Before: Fri Jun 24 09:45:08 2011 + # Not Valid After : Wed Jun 25 08:45:08 2031 + # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC +@@ -21144,16 +20758,17 @@ + \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205 + \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121 + \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276 + \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023 + \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066 + \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342 + \360\343\355\144\236\075\057\226\122\117\200\123\213 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "CA Disig Root R1" + # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK + # Serial Number:00:c3:03:9a:ee:50:90:6e:28 + # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK + # Not Valid Before: Thu Jul 19 09:06:56 2012 + # Not Valid After : Sat Jul 19 09:06:56 2042 + # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A +@@ -21306,16 +20921,17 @@ + 
\233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254 + \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123 + \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302 + \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061 + \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146 + \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375 + \363\154\033\165\106\243\345\112\027\351\244\327\013 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "CA Disig Root R2" + # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK + # Serial Number:00:92:b8:88:db:b0:8a:c1:63 + # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK + # Not Valid Before: Thu Jul 19 09:15:30 2012 + # Not Valid After : Sat Jul 19 09:15:30 2042 + # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03 +@@ -21505,16 +21121,17 @@ + \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105 + \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226 + \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217 + \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207 + \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311 + \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113 + \125\064\106\052\213\206\073 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "ACCVRAIZ1" + # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 + # Serial Number:5e:c3:b7:a6:43:7f:a4:e0 + # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 + # Not Valid Before: Thu May 05 09:37:37 2011 + # Not Valid After : Tue Dec 31 09:37:37 2030 + # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02 +@@ -21664,16 +21281,17 @@ + \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004 + \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127 + \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263 + 
\150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316 + \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364 + \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262 + \053\006\320\004\315 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "TWCA Global Root CA" + # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW + # Serial Number: 3262 (0xcbe) + # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW + # Not Valid Before: Wed Jun 27 06:28:33 2012 + # Not Valid After : Tue Dec 31 15:59:59 2030 + # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96 +@@ -21820,16 +21438,17 @@ + \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047 + \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206 + \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077 + \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161 + \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131 + \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211 + \245\240\314\277\323\366\165\244\165\226\155\126 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "TeliaSonera Root CA v1" + # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera + # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 + # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera + # Not Valid Before: Thu Oct 18 12:00:50 2007 + # Not Valid After : Mon Oct 18 12:00:50 2032 + # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C +@@ -22007,16 +21626,17 @@ + \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013 + \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103 + \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373 + \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147 + \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035 + \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073 + 
\243\253\157\134\035\266\176\350\263\202\064\355\006\134\044 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "E-Tugra Certification Authority" + # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR + # Serial Number:6a:68:3e:9c:51:9b:cb:53 + # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR + # Not Valid Before: Tue Mar 05 12:09:48 2013 + # Not Valid After : Fri Mar 03 12:09:48 2023 + # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49 +@@ -22155,16 +21775,17 @@ + \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311 + \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030 + \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015 + \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263 + \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333 + \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117 + \005\047\216\023\241\156\302 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "T-TeleSec GlobalRoot Class 2" + # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE + # Serial Number: 1 (0x1) + # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE + # Not Valid Before: Wed Oct 01 10:40:14 2008 + # Not Valid After : Sat Oct 01 23:59:59 2033 + # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A +@@ -22285,16 +21906,17 @@ + \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132 + \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203 + \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151 + \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344 + 
\132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357 + \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140 + \035\362\376\011\021\260\360\207\173\247\235 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Atos TrustedRoot 2011" + # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011 + # Serial Number:5c:33:cb:62:2c:5f:b3:32 + # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011 + # Not Valid Before: Thu Jul 07 14:58:30 2011 + # Not Valid After : Tue Dec 31 23:59:59 2030 + # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56 +@@ -22444,16 +22066,17 @@ + \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151 + \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025 + \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264 + \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155 + \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326 + \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207 + \063\140\345\303 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "QuoVadis Root CA 1 G3" + # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM + # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93 + # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM + # Not Valid Before: Thu Jan 12 17:27:44 2012 + # Not Valid After : Sun Jan 12 17:27:44 2042 + # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74 +@@ -22605,16 +22228,17 @@ + \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214 + \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045 + \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202 + \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270 + \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152 + \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151 + \203\336\177\214 + END 
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "QuoVadis Root CA 2 G3" + # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM + # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28 + # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM + # Not Valid Before: Thu Jan 12 18:59:32 2012 + # Not Valid After : Sun Jan 12 18:59:32 2042 + # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40 +@@ -22766,16 +22390,17 @@ + \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315 + \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165 + \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353 + \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177 + \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047 + \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375 + \130\371\230\364 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "QuoVadis Root CA 3 G3" + # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM + # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d + # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM + # Not Valid Before: Thu Jan 12 20:26:32 2012 + # Not Valid After : Sun Jan 12 20:26:32 2042 + # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46 +@@ -22902,16 +22527,17 @@ + \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015 + \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127 + \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257 + \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336 + \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067 + \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050 + \042\023\163\154\317\046\365\212\051\347 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for 
"DigiCert Assured ID Root G2" + # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b + # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Thu Aug 01 12:00:00 2013 + # Not Valid After : Fri Jan 15 12:00:00 2038 + # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85 +@@ -23019,16 +22645,17 @@ + \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113 + \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221 + \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130 + \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345 + \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161 + \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057 + \352\226\143\152\145\105\222\225\001\264 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "DigiCert Assured ID Root G3" + # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec + # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Thu Aug 01 12:00:00 2013 + # Not Valid After : Fri Jan 15 12:00:00 2038 + # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2 +@@ -23157,16 +22784,17 @@ + \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020 + \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016 + \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336 + \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236 + \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137 + \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345 + \062\266 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # 
Trust for "DigiCert Global Root G2" + # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 + # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Thu Aug 01 12:00:00 2013 + # Not Valid After : Fri Jan 15 12:00:00 2038 + # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F +@@ -23274,16 +22902,17 @@ + \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163 + \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236 + \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177 + \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111 + \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210 + \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174 + \263\047\027 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "DigiCert Global Root G3" + # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72 + # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Thu Aug 01 12:00:00 2013 + # Not Valid After : Fri Jan 15 12:00:00 2038 + # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0 +@@ -23444,16 +23073,17 @@ + \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065 + \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301 + \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350 + \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246 + \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344 + \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274 + \317\363\146\176 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "DigiCert Trusted Root G4" 
+ # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US + # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c + # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US + # Not Valid Before: Thu Aug 01 12:00:00 2013 + # Not Valid After : Fri Jan 15 12:00:00 2038 + # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88 +@@ -23610,16 +23240,17 @@ + \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221 + \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244 + \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045 + \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110 + \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246 + \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223 + \171\356\104\206\276\327\036\344\036\373 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "WoSign" + # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN + # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91 + # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN + # Not Valid Before: Sat Aug 08 01:00:01 2009 + # Not Valid After : Mon Aug 08 01:00:01 2039 + # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 +@@ -23771,16 +23402,17 @@ + \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215 + \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336 + \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117 + \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010 + \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165 + \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327 + \234\313\051\213\070\112\013\016\220\215\272\241 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "WoSign China" + # Issuer: 
CN=CA ...............,O=WoSign CA Limited,C=CN + # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d + # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN + # Not Valid Before: Sat Aug 08 01:00:01 2009 + # Not Valid After : Mon Aug 08 01:00:01 2039 + # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 +@@ -23947,16 +23579,17 @@ + \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336 + \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116 + \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245 + \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174 + \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354 + \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301 + \065\123\205\006\112\135\237\255\273\033\137\164 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "COMODO RSA Certification Authority" + # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d + # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB + # Not Valid Before: Tue Jan 19 00:00:00 2010 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34 +@@ -24128,16 +23761,17 @@ + \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301 + \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201 + \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217 + \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135 + \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306 + \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220 + \250\375 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "USERTrust RSA 
Certification Authority" + # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US + # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d + # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US + # Not Valid Before: Mon Feb 01 00:00:00 2010 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 +@@ -24256,16 +23890,17 @@ + \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001 + \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035 + \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115 + \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326 + \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304 + \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135 + \127\152\030 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "USERTrust ECC Certification Authority" + # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US + # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 + # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US + # Not Valid Before: Mon Feb 01 00:00:00 2010 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A +@@ -24367,16 +24002,17 @@ + \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060 + \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105 + \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227 + \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274 + \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107 + 
\322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354 + \173\013\370\237\204 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "GlobalSign ECC Root CA - R4" + # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 + # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 + # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 + # Not Valid Before: Tue Nov 13 00:00:00 2012 + # Not Valid After : Tue Jan 19 03:14:07 2038 + # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C +@@ -24479,16 +24115,17 @@ + \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375 + \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240 + \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142 + \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222 + \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316 + \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146 + \220\067 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "GlobalSign ECC Root CA - R5" + # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 + # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c + # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 + # Not Valid Before: Tue Nov 13 00:00:00 2012 + # Not Valid After : Tue Jan 19 03:14:07 2038 + # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24 +@@ -24653,16 +24290,17 @@ + \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272 + \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170 + \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246 + \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227 + \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207 + 
\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333 + \145\110\041\012\057\327\334\176\240\314\145\176\171 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae + # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US + # Not Valid Before: Thu Mar 26 00:00:00 2009 + # Not Valid After : Sun Mar 24 23:59:59 2019 + # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14 +@@ -24824,16 +24462,17 @@ + \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044 + \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276 + \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077 + \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172 + \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110 + \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014 + \367\200\173\041\147\047\060\131 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Staat der Nederlanden Root CA - G3" + # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL + # Serial Number: 10003001 (0x98a239) + # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL + # Not Valid Before: Thu Nov 14 11:28:42 2013 + # Not Valid After : Mon Nov 13 23:00:00 2028 + # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28 +@@ -24987,16 +24626,17 @@ + \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017 + 
\040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361 + \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274 + \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031 + \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047 + \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034 + \356\354\327\056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Staat der Nederlanden EV Root CA" + # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL + # Serial Number: 10000013 (0x98968d) + # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL + # Not Valid Before: Wed Dec 08 11:19:29 2010 + # Not Valid After : Thu Dec 08 11:10:28 2022 + # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A +@@ -25148,16 +24788,17 @@ + \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331 + \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147 + \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161 + \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200 + \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253 + \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030 + \272\204\156\207 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "IdenTrust Commercial Root CA 1" + # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US + # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 + # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US + # Not Valid Before: Thu Jan 16 18:12:23 2014 + # Not Valid After : Mon Jan 16 18:12:23 2034 + # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE +@@ -25309,16 +24950,17 @@ + \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100 + \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144 + 
\164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220 + \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357 + \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162 + \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245 + \267\254\266\255\267\312\076\001\357\234 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "IdenTrust Public Sector Root CA 1" + # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US + # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 + # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US + # Not Valid Before: Thu Jan 16 17:53:32 2014 + # Not Valid After : Mon Jan 16 17:53:32 2034 + # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F +@@ -25453,16 +25095,17 @@ + \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314 + \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052 + \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141 + \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007 + \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116 + \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161 + \073\303\035\374\377\262\117\250\342\366\060\036 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "S-TRUST Universal Root CA" + # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE + # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e + # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE + # Not Valid Before: Tue Oct 22 00:00:00 2013 + # Not Valid After : Thu Oct 21 23:59:59 2038 + # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31 +@@ -25615,16 +25258,17 @@ + 
\274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021 + \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207 + \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130 + \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207 + \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005 + \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213 + \105\366 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Entrust Root Certification Authority - G2" + # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US + # Serial Number: 1246989352 (0x4a538c28) + # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US + # Not Valid Before: Tue Jul 07 17:25:54 2009 + # Not Valid After : Sat Dec 07 17:55:54 2030 + # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 +@@ -25759,16 +25403,17 @@ + \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102 + \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321 + \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365 + \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327 + \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247 + \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270 + \231\267\046\101\133\045\140\256\320\110\032\356\006 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Entrust Root Certification Authority - EC1" + # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. 
- for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US + # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9 + # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US + # Not Valid Before: Tue Dec 18 15:25:36 2012 + # Not Valid After : Fri Dec 18 15:55:36 2037 + # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 +@@ -25931,16 +25576,17 @@ + \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231 + \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325 + \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222 + \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331 + \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243 + \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173 + \056 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "CFCA EV ROOT" + # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN + # Serial Number: 407555286 (0x184accd6) + # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN + # Not Valid Before: Wed Aug 08 03:07:01 2012 + # Not Valid After : Mon Dec 31 03:07:01 2029 + # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD +@@ -26228,16 +25874,17 @@ + \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364 + \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235 + \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205 + \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114 + \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346 + \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226 + \372\253\101\341\113\266\065\013\300\233\025 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust 
for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H5" + # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR + # Serial Number:00:8e:17:fe:24:20:81 + # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR + # Not Valid Before: Tue Apr 30 08:07:01 2013 + # Not Valid After : Fri Apr 28 08:07:01 2023 + # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78 +@@ -26272,176 +25919,16 @@ + \002\007\000\216\027\376\044\040\201 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" +-# +-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR +-# Serial Number:7d:a1:f2:65:ec:8a +-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. 
H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR +-# Not Valid Before: Wed Dec 18 09:04:10 2013 +-# Not Valid After : Sat Dec 16 09:04:10 2023 +-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 +-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 +-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 +-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 +-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 +-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 +-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 +-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 +-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 +-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 +-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 +-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 +-\261\040\110\066 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 +-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 +-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 +-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 +-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 +-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 +-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 +-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 +-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 +-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 +-\261\040\110\066 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\006\175\241\362\145\354\212 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175 +-\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001 +-\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006 +-\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101 +-\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104 +-\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151 +-\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102 +-\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151 +-\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101 +-\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124 +-\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162 +-\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110 +-\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143 +-\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062 +-\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061 +-\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006 +-\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004 +-\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125 +-\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102 +-\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040 +-\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166 +-\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145 +-\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004 
+-\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154 +-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151 +-\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141 +-\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042 +-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 +-\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150 +-\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161 +-\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063 +-\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157 +-\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275 +-\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324 +-\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327 +-\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200 +-\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324 +-\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330 +-\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051 +-\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315 +-\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136 +-\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251 +-\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171 +-\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143 +-\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001 +-\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004 +-\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000 +-\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004 +-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004 +-\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015 +-\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252 +-\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122 
+-\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024 +-\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002 +-\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066 +-\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356 +-\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062 +-\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226 +-\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024 +-\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003 +-\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050 +-\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342 +-\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246 +-\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203 +-\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130 +-\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006 +-\264\013\230\113\050\136\257\210\130\313 +-END +- +-# Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" +-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR +-# Serial Number:7d:a1:f2:65:ec:8a +-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. 
H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR +-# Not Valid Before: Wed Dec 18 09:04:10 2013 +-# Not Valid After : Sat Dec 16 09:04:10 2023 +-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 +-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260 +-\355\345\057\340 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 +-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 +-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 +-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 +-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 +-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 +-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 +-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 +-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 +-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 +-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 +-\261\040\110\066 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\006\175\241\362\145\354\212 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "Certinomis - Root CA" + # + # Issuer: 
CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR + # Serial Number: 1 (0x1) + # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR + # Not Valid Before: Mon Oct 21 09:17:18 2013 + # Not Valid After : Fri Oct 21 09:17:18 2033 + # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 +@@ -26559,16 +26046,17 @@ + \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120 + \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026 + \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156 + \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326 + \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270 + \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305 + \153\206\102\006\271\101 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Certinomis - Root CA" + # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR + # Serial Number: 1 (0x1) + # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR + # Not Valid Before: Mon Oct 21 09:17:18 2013 + # Not Valid After : Fri Oct 21 09:17:18 2033 + # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 +@@ -26697,16 +26185,17 @@ + \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337 + \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004 + \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332 + \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034 + \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307 + \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176 + \065\255\201\307\116\161\272\210\023 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "OISTE WISeKey Global Root GB CA" + # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH + # Serial 
Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 + # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH + # Not Valid Before: Mon Dec 01 15:00:32 2014 + # Not Valid After : Thu Dec 01 15:10:31 2039 + # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6 +@@ -26831,16 +26320,17 @@ + \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310 + \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340 + \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060 + \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102 + \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273 + \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340 + \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Certification Authority of WoSign G2" + # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN + # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44 + # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN + # Not Valid Before: Sat Nov 08 00:58:58 2014 + # Not Valid After : Tue Nov 08 00:58:58 2044 + # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 +@@ -26939,16 +26429,17 @@ + \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201 + \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153 + \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312 + \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367 + \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073 + \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046 + \056\153\361\221\262\220\145\364\232\346\220\356\112 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "CA WoSign ECC Root" + # Issuer: CN=CA 
WoSign ECC Root,O=WoSign CA Limited,C=CN + # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90 + # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN + # Not Valid Before: Sat Nov 08 00:58:58 2014 + # Not Valid After : Tue Nov 08 00:58:58 2044 + # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 +@@ -27071,16 +26562,17 @@ + \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353 + \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262 + \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076 + \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227 + \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240 + \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212 + \326\040\036\343\163\267 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "SZAFIR ROOT CA2" + # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL + # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 + # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL + # Not Valid Before: Mon Oct 19 07:43:30 2015 + # Not Valid After : Fri Oct 19 07:43:30 2035 + # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE +@@ -27248,16 +26740,17 @@ + \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304 + \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022 + \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317 + \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030 + \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336 + \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342 + \016\265\271\276\044\217 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Certum Trusted Network CA 2" + # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification 
Authority,O=Unizeto Technologies S.A.,C=PL + # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9 + # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL + # Not Valid Before: Thu Oct 06 08:39:56 2011 + # Not Valid After : Sat Oct 06 08:39:56 2046 + # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04 +@@ -27434,16 +26927,17 @@ + \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101 + \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203 + \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312 + \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253 + \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100 + \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264 + \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Hellenic Academic and Research Institutions RootCA 2015" + # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR + # Serial Number: 0 (0x0) + # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. 
Authority,L=Athens,C=GR + # Not Valid Before: Tue Jul 07 10:11:21 2015 + # Not Valid After : Sat Jun 30 10:11:21 2040 + # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36 +@@ -27569,16 +27063,17 @@ + \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251 + \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004 + \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057 + \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037 + \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145 + \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312 + \342\174\352\002\130\042\221 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015" + # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR + # Serial Number: 0 (0x0) + # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. 
Authority,L=Athens,C=GR + # Not Valid Before: Tue Jul 07 10:37:12 2015 + # Not Valid After : Sat Jun 30 10:37:12 2040 + # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33 +@@ -27733,16 +27228,17 @@ + \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271 + \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372 + \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166 + \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145 + \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213 + \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300 + \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Certplus Root CA G1" + # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR + # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11 + # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR + # Not Valid Before: Mon May 26 00:00:00 2014 + # Not Valid After : Fri Jan 15 00:00:00 2038 + # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E +@@ -27838,16 +27334,17 @@ + \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260 + \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063 + \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041 + \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000 + \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150 + \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245 + \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Certplus Root CA G2" + # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR + # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55 + # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR + # Not Valid Before: Mon 
May 26 00:00:00 2014 + # Not Valid After : Fri Jan 15 00:00:00 2038 + # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17 +@@ -27999,16 +27496,17 @@ + \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340 + \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011 + \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111 + \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034 + \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336 + \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043 + \326\214\161 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "OpenTrust Root CA G1" + # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR + # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67 + # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR + # Not Valid Before: Mon May 26 08:45:50 2014 + # Not Valid After : Fri Jan 15 00:00:00 2038 + # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4 +@@ -28161,16 +27659,17 @@ + \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140 + \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225 + \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037 + \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030 + \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377 + \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014 + \113\122\012 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "OpenTrust Root CA G2" + # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR + # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11 + # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR + # Not Valid Before: Mon May 26 00:00:00 2014 + # Not Valid After : Fri Jan 15 00:00:00 2038 + # Fingerprint (SHA-256): 
27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2 +@@ -28270,16 +27769,17 @@ + \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051 + \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252 + \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217 + \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373 + \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161 + \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352 + \315\215\361\373\301 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "OpenTrust Root CA G3" + # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR + # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f + # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR + # Not Valid Before: Mon May 26 00:00:00 2014 + # Not Valid After : Fri Jan 15 00:00:00 2038 + # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92 +@@ -28433,16 +27933,17 @@ + \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300 + \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044 + \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172 + \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335 + \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006 + \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137 + \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "ISRG Root X1" + # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US + # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 + # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US + # Not Valid Before: Thu Jun 04 11:04:38 2015 + # Not Valid After : Mon Jun 04 11:04:38 2035 + # Fingerprint (SHA-256): 
96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6 +@@ -28595,16 +28096,17 @@ + \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125 + \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044 + \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360 + \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004 + \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057 + \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121 + \072\117\110\366\213\266\263 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "AC RAIZ FNMT-RCM" + # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES + # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 + # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES + # Not Valid Before: Wed Oct 29 15:59:56 2008 + # Not Valid After : Tue Jan 01 00:00:00 2030 + # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA +@@ -28719,16 +28221,17 @@ + \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127 + \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324 + \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136 + \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223 + \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162 + \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353 + \304\220\276\361\271 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Amazon Root CA 1" + # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US + # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca + # Subject: CN=Amazon Root CA 1,O=Amazon,C=US + # Not Valid Before: Tue May 26 00:00:00 2015 + # Not Valid After : Sun Jan 17 00:00:00 2038 + # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E +@@ -28875,16 +28378,17 @@ + 
\357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264 + \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357 + \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007 + \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045 + \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321 + \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323 + \340\373\011\140\154 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Amazon Root CA 2" + # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US + # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 + # Subject: CN=Amazon Root CA 2,O=Amazon,C=US + # Not Valid Before: Tue May 26 00:00:00 2015 + # Not Valid After : Sat May 26 00:00:00 2040 + # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4 +@@ -28974,16 +28478,17 @@ + \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031 + \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003 + \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053 + \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170 + \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234 + \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214 + \143\044\110\034\337\060\175\325\150\073 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Amazon Root CA 3" + # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US + # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a + # Subject: CN=Amazon Root CA 3,O=Amazon,C=US + # Not Valid Before: Tue May 26 00:00:00 2015 + # Not Valid After : Sat May 26 00:00:00 2040 + # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4 +@@ -29077,16 +28582,17 @@ + \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057 + \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160 + 
\012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065 + \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221 + \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226 + \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265 + \012\166\324\245\274\020 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Amazon Root CA 4" + # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US + # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e + # Subject: CN=Amazon Root CA 4,O=Amazon,C=US + # Not Valid Before: Tue May 26 00:00:00 2015 + # Not Valid After : Sat May 26 00:00:00 2040 + # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92 +@@ -29243,16 +28749,17 @@ + \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376 + \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377 + \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175 + \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072 + \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125 + \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154 + \045\307\043\200\203\012\353 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "LuxTrust Global Root 2" + # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU + # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 + # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU + # Not Valid Before: Thu Mar 05 13:21:57 2015 + # Not Valid After : Mon Mar 05 13:21:57 2035 + # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5 +@@ -29391,16 +28898,17 @@ + \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126 + \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104 + \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100 + 
\014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013 + \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043 + \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364 + \322\063\340\377\275\321\124\071\051\017 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Symantec Class 1 Public Primary Certification Authority - G6" + # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98 + # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Not Valid Before: Tue Oct 18 00:00:00 2011 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9 +@@ -29544,16 +29052,17 @@ + \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113 + \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231 + \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246 + \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035 + \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326 + \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376 + \157\374\132\344\202\125\131\257\061\251 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Symantec Class 2 Public Primary Certification Authority - G6" + # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41 + # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Not Valid Before: Tue Oct 18 00:00:00 2011 + # Not Valid After : Tue Dec 01 23:59:59 2037 + # Fingerprint (SHA-256): 
CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0 +@@ -29676,16 +29185,17 @@ + \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230 + \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161 + \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271 + \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332 + \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154 + \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150 + \362\014\105\111\071\277\231\004\034\323\020\240 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Symantec Class 1 Public Primary Certification Authority - G4" + # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8 + # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Not Valid Before: Wed Oct 05 00:00:00 2011 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF +@@ -29808,16 +29318,17 @@ + \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265 + \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177 + \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172 + \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206 + \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216 + \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377 + \051\246\330\107\331\240\226\030\333\362\105\263 + END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + + # Trust for "Symantec Class 2 Public Primary Certification Authority - G4" + # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # 
Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e + # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US + # Not Valid Before: Wed Oct 05 00:00:00 2011 + # Not Valid After : Mon Jan 18 23:59:59 2038 + # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92 +@@ -29849,8 +29360,318 @@ + CKA_SERIAL_NUMBER MULTILINE_OCTAL + \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125 + \246\036 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# ++# Certificate "D-TRUST Root CA 3 2013" ++# ++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE ++# Serial Number: 1039788 (0xfddac) ++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE ++# Not Valid Before: Fri Sep 20 08:25:51 2013 ++# Not Valid After : Wed Sep 20 08:25:51 2028 ++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 ++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 ++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 ++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 ++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 ++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 ++\040\063\040\062\060\061\063 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 ++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 ++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 ++\040\063\040\062\060\061\063 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\003\017\335\254 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017 ++\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005 ++\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105 ++\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165 ++\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003 ++\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103 ++\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071 ++\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062 ++\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003 ++\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 ++\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037 ++\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124 ++\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060 ++\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 ++\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 ++\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337 ++\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341 ++\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046 ++\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154 ++\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340 ++\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011 ++\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274 ++\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323 ++\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352 
++\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121 ++\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075 ++\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256 ++\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077 ++\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357 ++\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174 ++\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263 ++\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006 ++\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035 ++\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157 ++\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006 ++\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276 ++\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240 ++\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164 ++\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057 ++\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157 ++\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061 ++\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155 ++\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143 ++\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163 ++\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057 ++\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057 ++\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164 ++\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015 ++\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001 ++\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234 ++\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237 ++\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317 ++\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175 
++\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040 ++\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065 ++\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210 ++\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157 ++\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246 ++\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303 ++\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115 ++\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223 ++\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113 ++\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147 ++\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155 ++\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111 ++\137\134 ++END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE ++ ++# Trust for "D-TRUST Root CA 3 2013" ++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE ++# Serial Number: 1039788 (0xfddac) ++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE ++# Not Valid Before: Fri Sep 20 08:25:51 2013 ++# Not Valid After : Wed Sep 20 08:25:51 2028 ++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 ++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170 ++\337\157\357\227 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 ++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 ++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 ++\040\063\040\062\060\061\063 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\003\017\335\254 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# ++# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" ++# ++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR ++# Serial Number: 1 (0x1) ++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR ++# Not Valid Before: Mon Nov 25 08:25:55 2013 ++# Not Valid After : Sun Oct 25 08:25:55 2043 ++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 ++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA ++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 ++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 ++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 ++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 ++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 ++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 ++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 ++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 ++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 ++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 ++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 ++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 ++\162\165\155\040\061 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 ++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 ++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 ++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 ++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 ++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 ++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 ++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 ++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 ++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 ++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 ++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 ++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 ++\162\165\155\040\061 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\001\001 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001 ++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 ++\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040 ++\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125 ++\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151 ++\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152 ++\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162 
++\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060 ++\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162 ++\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145 ++\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064 ++\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113 ++\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123 ++\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162 ++\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070 ++\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062 ++\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006 ++\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107 ++\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102 ++\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145 ++\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153 ++\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155 ++\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124 ++\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155 ++\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040 ++\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123 ++\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111 ++\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040 ++\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040 ++\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006 ++\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 ++\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273 ++\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377 ++\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372 ++\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253 ++\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154 
++\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320 ++\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153 ++\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000 ++\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116 ++\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227 ++\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332 ++\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311 ++\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177 ++\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054 ++\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352 ++\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037 ++\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243 ++\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077 ++\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107 ++\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002 ++\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003 ++\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013 ++\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230 ++\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175 ++\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341 ++\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260 ++\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355 ++\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337 ++\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027 ++\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235 ++\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270 ++\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226 ++\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223 ++\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334 
++\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177 ++\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255 ++\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237 ++\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302 ++\237\042\136\242\017\241\343 ++END ++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE ++ ++# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" ++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR ++# Serial Number: 1 (0x1) ++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR ++# Not Valid Before: Mon Nov 25 08:25:55 2013 ++# Not Valid After : Sun Oct 25 08:25:55 2043 ++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 ++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350 ++\221\335\356\312 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 ++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 ++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 ++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 ++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 ++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 ++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 ++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 ++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 ++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 ++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 ++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 ++\162\165\155\040\061 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\001\001 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h +--- a/lib/ckfw/builtins/nssckbi.h ++++ b/lib/ckfw/builtins/nssckbi.h +@@ -17,41 +17,42 @@ + */ + #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2 + #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20 + + /* These version numbers detail the changes + * to the list of trusted certificates. + * + * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped +- * for each NSS minor release AND whenever we change the list of +- * trusted certificates. 10 minor versions are allocated for each +- * NSS 3.x branch as follows, allowing us to change the list of +- * trusted certificates up to 9 times on each branch. +- * - NSS 3.5 branch: 3-9 +- * - NSS 3.6 branch: 10-19 +- * - NSS 3.7 branch: 20-29 +- * - NSS 3.8 branch: 30-39 +- * - NSS 3.9 branch: 40-49 +- * - NSS 3.10 branch: 50-59 +- * - NSS 3.11 branch: 60-69 +- * ... +- * - NSS 3.12 branch: 70-89 +- * - NSS 3.13 branch: 90-99 +- * - NSS 3.14 branch: 100-109 +- * ... +- * - NSS 3.29 branch: 250-255 ++ * whenever we change the list of trusted certificates. 
++ * ++ * Please use the following rules when increasing the version number: ++ * ++ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR ++ * must always be an EVEN number (e.g. 16, 18, 20 etc.) ++ * ++ * - whenever possible, if older branches require a modification to the ++ * list, these changes should be made on the main line of development (trunk), ++ * and the older branches should update to the most recent list. ++ * ++ * - ODD minor version numbers are reserved to indicate a snapshot that has ++ * deviated from the main line of development, e.g. if it was necessary ++ * to modify the list on a stable branch. ++ * Once the version has been changed to an odd number (e.g. 2.13) on a branch, ++ * it should remain unchanged on that branch, even if further changes are ++ * made on that branch. + * + * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear + * whether we may use its full range (0-255) or only 0-99 because + * of the comment in the CK_VERSION type definition. ++ * It's recommend to switch back to 0 after having reached version 98/99. + */ + #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 +-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11 +-#define NSS_BUILTINS_LIBRARY_VERSION "2.11" ++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14 ++#define NSS_BUILTINS_LIBRARY_VERSION "2.14" + + /* These version numbers detail the semantic changes to the ckfw engine. */ + #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 + #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0 + + /* These version numbers detail the semantic changes to ckbi itself + * (new PKCS #11 objects), etc. 
*/ + #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1 + +diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c +--- a/lib/certdb/genname.c ++++ b/lib/certdb/genname.c +@@ -1583,19 +1583,19 @@ done: + + #define NAME_CONSTRAINTS_ENTRY(CA) \ + { \ + STRING_TO_SECITEM(CA##_SUBJECT_DN) \ + , \ + STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \ + } + +-/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ ++/* clang-format off */ + +-/* clang-format off */ ++/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ + + #define ANSSI_SUBJECT_DN \ + "\x30\x81\x85" \ + "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR" /* C */ \ + "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France" /* ST */ \ + "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris" /* L */ \ + "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN" /* O */ \ + "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI" /* OU */ \ +@@ -1614,20 +1614,49 @@ done: + "\x30\x05\x82\x03" ".pm" \ + "\x30\x05\x82\x03" ".bl" \ + "\x30\x05\x82\x03" ".mf" \ + "\x30\x05\x82\x03" ".wf" \ + "\x30\x05\x82\x03" ".pf" \ + "\x30\x05\x82\x03" ".nc" \ + "\x30\x05\x82\x03" ".tf" + ++/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */ ++ ++#define TUBITAK1_SUBJECT_DN \ ++ "\x30\x81\xd2" \ ++ "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \ ++ /* C */ "TR" \ ++ "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \ ++ /* L */ "Gebze - Kocaeli" \ ++ "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \ ++ /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \ ++ "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \ ++ /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \ ++ "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \ ++ /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" ++ ++#define TUBITAK1_NAME_CONSTRAINTS \ ++ "\x30\x65\xa0\x63" \ ++ "\x30\x09\x82\x07" ".gov.tr" \ ++ "\x30\x09\x82\x07" ".k12.tr" \ ++ "\x30\x09\x82\x07" ".pol.tr" \ ++ "\x30\x09\x82\x07" ".mil.tr" \ ++ "\x30\x09\x82\x07" 
".tsk.tr" \ ++ "\x30\x09\x82\x07" ".kep.tr" \ ++ "\x30\x09\x82\x07" ".bel.tr" \ ++ "\x30\x09\x82\x07" ".edu.tr" \ ++ "\x30\x09\x82\x07" ".org.tr" ++ + /* clang-format on */ + +-static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY( +- ANSSI) }; ++static const SECItem builtInNameConstraints[][2] = { ++ NAME_CONSTRAINTS_ENTRY(ANSSI), ++ NAME_CONSTRAINTS_ENTRY(TUBITAK1) ++}; + + SECStatus + CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions) + { + size_t i; + + if (!extensions) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + +diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h +--- a/lib/cryptohi/keythi.h ++++ b/lib/cryptohi/keythi.h +@@ -204,17 +204,17 @@ typedef struct SECKEYPublicKeyStr SECKEY + + #define SECKEY_ATTRIBUTE_VALUE(key, attribute) \ + (0 != (key->staticflags & SECKEY_##attribute)) + + #define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \ + (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE) + + #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \ +- (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) ++ (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? 
(0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) + + /* + ** A generic key structure + */ + struct SECKEYPrivateKeyStr { + PLArenaPool *arena; + KeyType keyType; + PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */ +diff --git a/lib/nss/nss.def b/lib/nss/nss.def +--- a/lib/nss/nss.def ++++ b/lib/nss/nss.def +@@ -1092,8 +1092,15 @@ SECMOD_CreateModuleEx; + ;+}; + ;+NSS_3.22 { # NSS 3.22 release + ;+ global: + PK11_SignWithMechanism; + PK11_VerifyWithMechanism; + ;+ local: + ;+ *; + ;+}; ++;+NSS_3.30 { # NSS 3.30 release ++;+ global: ++CERT_CompareAVA; ++PK11_HasAttributeSet; ++;+ local: ++;+ *; ++;+}; +diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c +--- a/lib/pk11wrap/pk11obj.c ++++ b/lib/pk11wrap/pk11obj.c +@@ -151,18 +151,18 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl + } + return value; + } + + /* + * check to see if a bool has been set. + */ + CK_BBOOL +-PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, +- CK_ATTRIBUTE_TYPE type, PRBool haslock) ++pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, ++ CK_ATTRIBUTE_TYPE type, PRBool haslock) + { + CK_BBOOL ckvalue = CK_FALSE; + CK_ATTRIBUTE theTemplate; + CK_RV crv; + + /* Prepare to retrieve the attribute. */ + PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL)); + +@@ -176,16 +176,24 @@ PK11_HasAttributeSet(PK11SlotInfo *slot, + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return CK_FALSE; + } + + return ckvalue; + } + ++CK_BBOOL ++PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, ++ CK_ATTRIBUTE_TYPE type, PRBool haslock) ++{ ++ PR_ASSERT(haslock == PR_FALSE); ++ return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE); ++} ++ + /* + * returns a full list of attributes. Allocate space for them. If an arena is + * provided, allocate space out of the arena. 
+ */ + CK_RV + PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count) + { +diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h +--- a/lib/pk11wrap/pk11priv.h ++++ b/lib/pk11wrap/pk11priv.h +@@ -113,20 +113,20 @@ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo + SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot, + SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg); + SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx); + CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname, + PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, + void *wincx); + CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer, + CK_OBJECT_CLASS o_class); +-CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, +- CK_OBJECT_HANDLE id, +- CK_ATTRIBUTE_TYPE type, +- PRBool haslock); ++CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, ++ CK_OBJECT_HANDLE id, ++ CK_ATTRIBUTE_TYPE type, ++ PRBool haslock); + CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count); + int PK11_NumberCertsForCertSubject(CERTCertificate *cert); + SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, + SECStatus (*callback)(CERTCertificate *, void *), void *arg); + SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, + PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); + SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, +diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h +--- a/lib/pk11wrap/pk11pub.h ++++ b/lib/pk11wrap/pk11pub.h +@@ -681,16 +681,20 @@ CK_OBJECT_HANDLE PK11_FindCertInSlot(PK1 + void *wincx); + SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, + PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *), + void *arg); + CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg); + CERTCertList 
*PK11_ListCertsInSlot(PK11SlotInfo *slot); + CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, + int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions); ++CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, ++ CK_OBJECT_HANDLE id, ++ CK_ATTRIBUTE_TYPE type, ++ PRBool haslock /* must be set to PR_FALSE */); + + /********************************************************************** + * Sign/Verify + **********************************************************************/ + + /* + * Return the length in bytes of a signature generated with the + * private key. diff --git a/SOURCES/nss-alert-handler.patch b/SOURCES/nss-alert-handler.patch new file mode 100644 index 0000000..ca0b434 --- /dev/null +++ b/SOURCES/nss-alert-handler.patch 
@@ -0,0 +1,461 @@ +diff -up nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc +--- nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc 2017-03-14 11:01:42.563689719 +0100 +@@ -24,6 +24,8 @@ namespace nss_test { + + TEST_P(TlsConnectTls13, ZeroRtt) { + SetupForZeroRtt(); ++ client_->SetExpectedAlertSentCount(1); ++ server_->SetExpectedAlertReceivedCount(1); + client_->Set0RttEnabled(true); + server_->Set0RttEnabled(true); + ExpectResumption(RESUME_TICKET); +@@ -103,6 +105,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt + EnableAlpn(); + SetupForZeroRtt(); + EnableAlpn(); ++ client_->SetExpectedAlertSentCount(1); ++ server_->SetExpectedAlertReceivedCount(1); + client_->Set0RttEnabled(true); + server_->Set0RttEnabled(true); + ExpectResumption(RESUME_TICKET); +diff -up nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_exporter_unittest.cc +--- nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_exporter_unittest.cc 2017-03-14 11:01:42.563689719 +0100 +@@ -90,6 +90,8 @@ int32_t RegularExporterShouldFail(TlsAge + + TEST_P(TlsConnectTls13, EarlyExporter) { + SetupForZeroRtt(); ++ client_->SetExpectedAlertSentCount(1); ++ server_->SetExpectedAlertReceivedCount(1); + client_->Set0RttEnabled(true); + server_->Set0RttEnabled(true); + ExpectResumption(RESUME_TICKET); +diff -up nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_extension_unittest.cc +--- nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler 2017-03-14 11:01:42.563689719 +0100 ++++ nss/gtests/ssl_gtest/ssl_extension_unittest.cc 2017-03-14 11:06:39.215006989 +0100 +@@ -167,27 +167,69 @@ class TlsExtensionTestBase : public TlsC + : TlsConnectTestBase(mode, version) {} + + void ClientHelloErrorTest(PacketFilter* filter, +- uint8_t alert 
= kTlsAlertDecodeError) { ++ uint8_t desc = kTlsAlertDecodeError) { ++ SSLAlert alert; ++ + auto alert_recorder = new TlsAlertRecorder(); + server_->SetPacketFilter(alert_recorder); + if (filter) { + client_->SetPacketFilter(filter); + } + ConnectExpectFail(); ++ + EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); +- EXPECT_EQ(alert, alert_recorder->description()); ++ EXPECT_EQ(desc, alert_recorder->description()); ++ ++ // verify no alerts received by the server ++ EXPECT_EQ(0U, server_->alert_received_count()); ++ ++ // verify the alert sent by the server ++ EXPECT_EQ(1U, server_->alert_sent_count()); ++ EXPECT_TRUE(server_->GetLastAlertSent(&alert)); ++ EXPECT_EQ(kTlsAlertFatal, alert.level); ++ EXPECT_EQ(desc, alert.description); ++ ++ // verify the alert received by the client ++ EXPECT_EQ(1U, client_->alert_received_count()); ++ EXPECT_TRUE(client_->GetLastAlertReceived(&alert)); ++ EXPECT_EQ(kTlsAlertFatal, alert.level); ++ EXPECT_EQ(desc, alert.description); ++ ++ // verify no alerts sent by the client ++ EXPECT_EQ(0U, client_->alert_sent_count()); + } + + void ServerHelloErrorTest(PacketFilter* filter, +- uint8_t alert = kTlsAlertDecodeError) { ++ uint8_t desc = kTlsAlertDecodeError) { ++ SSLAlert alert; ++ + auto alert_recorder = new TlsAlertRecorder(); + client_->SetPacketFilter(alert_recorder); + if (filter) { + server_->SetPacketFilter(filter); + } + ConnectExpectFail(); ++ + EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); +- EXPECT_EQ(alert, alert_recorder->description()); ++ EXPECT_EQ(desc, alert_recorder->description()); ++ ++ // verify no alerts received by the client ++ EXPECT_EQ(0U, client_->alert_received_count()); ++ ++ // verify the alert sent by the client ++ EXPECT_EQ(1U, client_->alert_sent_count()); ++ EXPECT_TRUE(client_->GetLastAlertSent(&alert)); ++ EXPECT_EQ(kTlsAlertFatal, alert.level); ++ EXPECT_EQ(desc, alert.description); ++ ++ // verify the alert received by the server ++ EXPECT_EQ(1U, server_->alert_received_count()); ++ 
EXPECT_TRUE(server_->GetLastAlertReceived(&alert)); ++ EXPECT_EQ(kTlsAlertFatal, alert.level); ++ EXPECT_EQ(desc, alert.description); ++ ++ // verify no alerts sent by the server ++ EXPECT_EQ(0U, server_->alert_sent_count()); + } + + static void InitSimpleSni(DataBuffer* extension) { +diff -up nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_version_unittest.cc +--- nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_version_unittest.cc 2017-03-14 11:01:42.563689719 +0100 +@@ -225,6 +225,7 @@ TEST_F(TlsConnectTest, Tls13RejectsRehan + + TEST_P(TlsConnectGeneric, AlertBeforeServerHello) { + EnsureTlsSetup(); ++ client_->SetExpectedAlertReceivedCount(1); + client_->StartConnect(); + server_->StartConnect(); + client_->Handshake(); // Send ClientHello. +diff -up nss/gtests/ssl_gtest/tls_agent.cc.alert-handler nss/gtests/ssl_gtest/tls_agent.cc +--- nss/gtests/ssl_gtest/tls_agent.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/tls_agent.cc 2017-03-14 11:07:22.414890511 +0100 +@@ -61,6 +61,12 @@ TlsAgent::TlsAgent(const std::string& na + can_falsestart_hook_called_(false), + sni_hook_called_(false), + auth_certificate_hook_called_(false), ++ alert_received_count_(0), ++ expected_alert_received_count_(0), ++ last_alert_received_({0, 0}), ++ alert_sent_count_(0), ++ expected_alert_sent_count_(0), ++ last_alert_sent_({0, 0}), + handshake_callback_called_(false), + error_code_(0), + send_ctr_(0), +@@ -165,6 +171,14 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc + EXPECT_EQ(SECSuccess, rv); + if (rv != SECSuccess) return false; + ++ rv = SSL_AlertReceivedCallback(ssl_fd(), AlertReceivedCallback, this); ++ EXPECT_EQ(SECSuccess, rv); ++ if (rv != SECSuccess) return false; ++ ++ rv = SSL_AlertSentCallback(ssl_fd(), AlertSentCallback, this); ++ EXPECT_EQ(SECSuccess, rv); ++ if (rv != SECSuccess) return false; ++ + rv = 
SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this); + EXPECT_EQ(SECSuccess, rv); + if (rv != SECSuccess) return false; +@@ -578,6 +592,11 @@ void TlsAgent::CheckErrorCode(int32_t ex + << PORT_ErrorToName(expected) << std::endl; + } + ++void TlsAgent::CheckAlerts() const { ++ EXPECT_EQ(expected_alert_received_count_, alert_received_count_); ++ EXPECT_EQ(expected_alert_sent_count_, alert_sent_count_); ++} ++ + void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const { + ASSERT_EQ(0, error_code_); + WAIT_(error_code_ != 0, delay); +diff -up nss/gtests/ssl_gtest/tls_agent.h.alert-handler nss/gtests/ssl_gtest/tls_agent.h +--- nss/gtests/ssl_gtest/tls_agent.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/tls_agent.h 2017-03-14 11:01:42.564689693 +0100 +@@ -139,6 +139,7 @@ class TlsAgent : public PollTarget { + void EnableSrtp(); + void CheckSrtp() const; + void CheckErrorCode(int32_t expected) const; ++ void CheckAlerts() const; + void WaitForErrorCode(int32_t expected, uint32_t delay) const; + // Send data on the socket, encrypting it. 
+ void SendData(size_t bytes, size_t blocksize = 1024); +@@ -239,6 +240,34 @@ class TlsAgent : public PollTarget { + sni_callback_ = sni_callback; + } + ++ size_t alert_received_count() const { return alert_received_count_; } ++ ++ void SetExpectedAlertReceivedCount(size_t count) { ++ expected_alert_received_count_ = count; ++ } ++ ++ bool GetLastAlertReceived(SSLAlert* alert) const { ++ if (!alert_received_count_) { ++ return false; ++ } ++ *alert = last_alert_received_; ++ return true; ++ } ++ ++ size_t alert_sent_count() const { return alert_sent_count_; } ++ ++ void SetExpectedAlertSentCount(size_t count) { ++ expected_alert_sent_count_ = count; ++ } ++ ++ bool GetLastAlertSent(SSLAlert* alert) const { ++ if (!alert_sent_count_) { ++ return false; ++ } ++ *alert = last_alert_sent_; ++ return true; ++ } ++ + private: + const static char* states[]; + +@@ -320,6 +349,30 @@ class TlsAgent : public PollTarget { + return SECSuccess; + } + ++ static void AlertReceivedCallback(const PRFileDesc* fd, void* arg, ++ const SSLAlert* alert) { ++ TlsAgent* agent = reinterpret_cast(arg); ++ ++ std::cerr << agent->role_str() ++ << ": Alert received: level=" << static_cast(alert->level) ++ << " desc=" << static_cast(alert->description) << std::endl; ++ ++ ++agent->alert_received_count_; ++ agent->last_alert_received_ = *alert; ++ } ++ ++ static void AlertSentCallback(const PRFileDesc* fd, void* arg, ++ const SSLAlert* alert) { ++ TlsAgent* agent = reinterpret_cast(arg); ++ ++ std::cerr << agent->role_str() ++ << ": Alert sent: level=" << static_cast(alert->level) ++ << " desc=" << static_cast(alert->description) << std::endl; ++ ++ ++agent->alert_sent_count_; ++ agent->last_alert_sent_ = *alert; ++ } ++ + static void HandshakeCallback(PRFileDesc* fd, void* arg) { + TlsAgent* agent = reinterpret_cast(arg); + agent->handshake_callback_called_ = true; +@@ -352,6 +405,12 @@ class TlsAgent : public PollTarget { + bool can_falsestart_hook_called_; + bool sni_hook_called_; + bool 
auth_certificate_hook_called_; ++ size_t alert_received_count_; ++ size_t expected_alert_received_count_; ++ SSLAlert last_alert_received_; ++ size_t alert_sent_count_; ++ size_t expected_alert_sent_count_; ++ SSLAlert last_alert_sent_; + bool handshake_callback_called_; + SSLChannelInfo info_; + SSLCipherSuiteInfo csinfo_; +diff -up nss/gtests/ssl_gtest/tls_connect.cc.alert-handler nss/gtests/ssl_gtest/tls_connect.cc +--- nss/gtests/ssl_gtest/tls_connect.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/tls_connect.cc 2017-03-14 11:01:42.564689693 +0100 +@@ -309,6 +309,9 @@ void TlsConnectTestBase::CheckConnected( + CheckResumption(expected_resumption_mode_); + client_->CheckSecretsDestroyed(); + server_->CheckSecretsDestroyed(); ++ ++ client_->CheckAlerts(); ++ server_->CheckAlerts(); + } + + void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type, SSLNamedGroup kea_group, +diff -up nss/lib/ssl/ssl3con.c.alert-handler nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.alert-handler 2017-03-14 11:01:42.551690030 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-03-14 11:03:45.319510356 +0100 +@@ -3143,6 +3143,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL + } + ssl_ReleaseXmitBufLock(ss); + ssl_ReleaseSSL3HandshakeLock(ss); ++ if (rv == SECSuccess && ss->alertSentCallback) { ++ SSLAlert alert = { level, desc }; ++ ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert); ++ } + return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ + } + +@@ -3255,6 +3259,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe + SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d", + SSL_GETPID(), ss->fd, level, desc)); + ++ if (ss->alertReceivedCallback) { ++ SSLAlert alert = { level, desc }; ++ ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert); ++ } ++ + switch (desc) { + case close_notify: + ss->recvdCloseNotify = 1; +diff -up nss/lib/ssl/ssl.def.alert-handler nss/lib/ssl/ssl.def +--- 
nss/lib/ssl/ssl.def.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/lib/ssl/ssl.def 2017-03-14 11:01:42.564689693 +0100 +@@ -221,3 +221,10 @@ SSL_SignatureSchemePrefGet; + ;+ local: + ;+*; + ;+}; ++;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release ++;+ global: ++SSL_AlertReceivedCallback; ++SSL_AlertSentCallback; ++;+ local: ++;+*; ++;+}; +diff -up nss/lib/ssl/ssl.h.alert-handler nss/lib/ssl/ssl.h +--- nss/lib/ssl/ssl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/lib/ssl/ssl.h 2017-03-14 11:01:42.564689693 +0100 +@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PR + SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a); + + /* ++** These are callbacks for dealing with SSL alerts. ++ */ ++ ++typedef PRUint8 SSLAlertLevel; ++typedef PRUint8 SSLAlertDescription; ++ ++typedef struct { ++ SSLAlertLevel level; ++ SSLAlertDescription description; ++} SSLAlert; ++ ++typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg, ++ const SSLAlert *alert); ++ ++SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, ++ void *arg); ++SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, ++ void *arg); ++/* + ** This is a callback for dealing with server certs that are not authenticated + ** by the client. The client app can decide that it actually likes the + ** cert by some external means and restart the connection. 
+diff -up nss/lib/ssl/sslimpl.h.alert-handler nss/lib/ssl/sslimpl.h +--- nss/lib/ssl/sslimpl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/lib/ssl/sslimpl.h 2017-03-14 11:01:42.566689641 +0100 +@@ -1121,6 +1121,10 @@ struct sslSocketStr { + void *getClientAuthDataArg; + SSLSNISocketConfig sniSocketConfig; + void *sniSocketConfigArg; ++ SSLAlertCallback alertReceivedCallback; ++ void *alertReceivedCallbackArg; ++ SSLAlertCallback alertSentCallback; ++ void *alertSentCallbackArg; + SSLBadCertHandler handleBadCert; + void *badCertArg; + SSLHandshakeCallback handshakeCallback; +diff -up nss/lib/ssl/sslsecur.c.alert-handler nss/lib/ssl/sslsecur.c +--- nss/lib/ssl/sslsecur.c.alert-handler 2017-02-17 14:20:06.000000000 +0100 ++++ nss/lib/ssl/sslsecur.c 2017-03-14 11:01:42.566689641 +0100 +@@ -994,6 +994,42 @@ ssl_SecureWrite(sslSocket *ss, const uns + } + + SECStatus ++SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) ++{ ++ sslSocket *ss; ++ ++ ss = ssl_FindSocket(fd); ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback", ++ SSL_GETPID(), fd)); ++ return SECFailure; ++ } ++ ++ ss->alertReceivedCallback = cb; ++ ss->alertReceivedCallbackArg = arg; ++ ++ return SECSuccess; ++} ++ ++SECStatus ++SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) ++{ ++ sslSocket *ss; ++ ++ ss = ssl_FindSocket(fd); ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback", ++ SSL_GETPID(), fd)); ++ return SECFailure; ++ } ++ ++ ss->alertSentCallback = cb; ++ ss->alertSentCallbackArg = arg; ++ ++ return SECSuccess; ++} ++ ++SECStatus + SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg) + { + sslSocket *ss; +diff -up nss/lib/ssl/sslsock.c.alert-handler nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.alert-handler 2017-03-14 11:01:42.538690367 +0100 ++++ nss/lib/ssl/sslsock.c 2017-03-14 11:01:42.566689641 +0100 +@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket 
*os) + ss->getClientAuthDataArg = os->getClientAuthDataArg; + ss->sniSocketConfig = os->sniSocketConfig; + ss->sniSocketConfigArg = os->sniSocketConfigArg; ++ ss->alertReceivedCallback = os->alertReceivedCallback; ++ ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg; ++ ss->alertSentCallback = os->alertSentCallback; ++ ss->alertSentCallbackArg = os->alertSentCallbackArg; + ss->handleBadCert = os->handleBadCert; + ss->badCertArg = os->badCertArg; + ss->handshakeCallback = os->handshakeCallback; +@@ -2149,6 +2153,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile + ss->sniSocketConfig = sm->sniSocketConfig; + if (sm->sniSocketConfigArg) + ss->sniSocketConfigArg = sm->sniSocketConfigArg; ++ if (ss->alertReceivedCallback) { ++ ss->alertReceivedCallback = sm->alertReceivedCallback; ++ ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; ++ } ++ if (ss->alertSentCallback) { ++ ss->alertSentCallback = sm->alertSentCallback; ++ ss->alertSentCallbackArg = sm->alertSentCallbackArg; ++ } + if (sm->handleBadCert) + ss->handleBadCert = sm->handleBadCert; + if (sm->badCertArg) +@@ -3691,6 +3703,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto + ss->sniSocketConfig = NULL; + ss->sniSocketConfigArg = NULL; + ss->getClientAuthData = NULL; ++ ss->alertReceivedCallback = NULL; ++ ss->alertReceivedCallbackArg = NULL; ++ ss->alertSentCallback = NULL; ++ ss->alertSentCallbackArg = NULL; + ss->handleBadCert = NULL; + ss->badCertArg = NULL; + ss->pkcs11PinArg = NULL; +# HG changeset patch +# User Kai Engert +# Date 1493741561 -7200 +# Tue May 02 18:12:41 2017 +0200 +# Node ID 8804a0c65a08ee53096c07cc091536c7cf102b58 +# Parent 769f9ae07b103494af809620478e60256a344adc +Bug 1360207, Fix incorrect if (ss->...) 
in SSL_ReconfigFD, Patch contributed by Ian Goldberg, r=ttaubert + +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile + ss->sniSocketConfig = sm->sniSocketConfig; + if (sm->sniSocketConfigArg) + ss->sniSocketConfigArg = sm->sniSocketConfigArg; +- if (ss->alertReceivedCallback) { ++ if (sm->alertReceivedCallback) { + ss->alertReceivedCallback = sm->alertReceivedCallback; + ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; + } +- if (ss->alertSentCallback) { ++ if (sm->alertSentCallback) { + ss->alertSentCallback = sm->alertSentCallback; + ss->alertSentCallbackArg = sm->alertSentCallbackArg; + } diff --git a/SOURCES/nss-ca-2.14.patch b/SOURCES/nss-ca-2.14.patch deleted file mode 100644 index b571fa6..0000000 --- a/SOURCES/nss-ca-2.14.patch +++ /dev/null 
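Review bot: The comment added to ssl.h above `SSLAlertCallback` ("These are callbacks for dealing with SSL alerts.") does not say when the callbacks run or how far their argument can be trusted. In the ssl3con.c hunks, `ssl3_HandleAlert` calls `alertReceivedCallback` with the peer-supplied `level` and `desc` before the `switch (desc)`, while `SSL3_SendAlert` calls `alertSentCallback` only when `rv == SECSuccess` and after the two visible lock releases; both function bodies start outside their hunks, so any earlier validation or locking is not visible here. An alert that arrives before the handshake completes is not authenticated, so an application that logs or acts on it should treat the values as untrusted input. I would extend the header comment with something like `** The received callback sees the alert exactly as the peer sent it, which is unauthenticated until the handshake completes;` and `** the sent callback runs only after the alert record was written successfully.`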
@@ -1,1190 +0,0 @@ -diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt ---- a/lib/ckfw/builtins/certdata.txt -+++ b/lib/ckfw/builtins/certdata.txt -@@ -8188,177 +8188,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL - \150\340 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "WellsSecure Public Root Certificate Authority" --# --# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Serial Number: 1 (0x1) --# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Not Valid Before: Thu Dec 13 17:07:54 2007 --# Not Valid After : Wed Dec 14 00:07:54 2022 --# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 --# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL 
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\001 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061 --\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040 --\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162 --\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154 --\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061 --\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123 --\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157 --\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165 --\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061 --\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064 --\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003 --\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012 --\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145 --\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125 --\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040 --\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003 --\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165 
--\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146 --\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060 --\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 --\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 --\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253 --\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210 --\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051 --\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324 --\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122 --\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060 --\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054 --\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344 --\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264 --\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143 --\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050 --\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204 --\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237 --\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005 --\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300 --\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145 --\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006 --\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071 --\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206 --\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056 --\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167 --\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017 --\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016 --\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031 --\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043 
--\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227 --\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244 --\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002 --\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154 --\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145 --\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127 --\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040 --\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154 --\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040 --\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145 --\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006 --\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001 --\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173 --\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355 --\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035 --\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225 --\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045 --\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101 --\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344 --\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255 --\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247 --\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163 --\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166 --\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075 --\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147 --\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176 --\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157 --\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130 --\333 --END -- --# Trust for Certificate "WellsSecure Public Root Certificate Authority" --# Issuer: CN=WellsSecure Public 
Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Serial Number: 1 (0x1) --# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US --# Not Valid Before: Thu Dec 13 17:07:54 2007 --# Not Valid After : Wed Dec 14 00:07:54 2022 --# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36 --# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364 --\175\117\350\356 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066 --END --CKA_ISSUER MULTILINE_OCTAL --\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163 --\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165 --\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154 --\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101 --\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163 --\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157 --\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101 --\165\164\150\157\162\151\164\171 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\001 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "COMODO ECC Certification Authority" - # - # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Serial 
Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a - # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - # Not Valid Before: Thu Mar 06 00:00:00 2008 - # Not Valid After : Mon Jan 18 23:59:59 2038 - # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23 -@@ -8930,222 +8769,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL - \337\232 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "Microsec e-Szigno Root CA" --# --# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 --# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Not Valid Before: Wed Apr 06 12:28:44 2005 --# Not Valid After : Thu Apr 06 12:28:44 2017 --# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 --# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Microsec e-Szigno Root CA" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL 
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 --\054\017\021 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000 --\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021 --\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163 --\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162 --\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125 --\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061 --\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163 --\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164 --\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062 --\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070 --\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002 --\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144 --\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015 --\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060 --\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157 --\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151 --\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040 --\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052 
--\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060 --\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070 --\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207 --\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256 --\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167 --\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331 --\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376 --\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006 --\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254 --\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300 --\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140 --\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270 --\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364 --\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341 --\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111 --\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161 --\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346 --\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004 --\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001 --\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060 --\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145 --\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060 --\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164 --\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157 --\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017 --\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 --\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146 --\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001 --\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007 
--\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145 --\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057 --\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202 --\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156 --\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171 --\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145 --\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040 --\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147 --\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172 --\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147 --\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123 --\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141 --\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141 --\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141 --\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164 --\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154 --\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150 --\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167 --\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147 --\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132 --\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201 --\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150 --\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147 --\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154 --\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145 --\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151 --\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156 --\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125 --\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117 
--\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056 --\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125 --\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157 --\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162 --\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 --\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201 --\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150 --\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032 --\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156 --\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003 --\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110 --\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003 --\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060 --\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125 --\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141 --\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166 --\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110 --\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141 --\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115 --\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022 --\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040 --\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143 --\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122 --\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032 --\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016 --\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322 --\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206 --\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146 
--\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154 --\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240 --\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247 --\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345 --\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172 --\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250 --\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332 --\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133 --\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323 --\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321 --\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235 --\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362 --\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077 --\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226 --\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040 --\103\307\003\340\067\116\135\012\334\131\040\045 --END -- --# Trust for Certificate "Microsec e-Szigno Root CA" --# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11 --# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU --# Not Valid Before: Wed Apr 06 12:28:44 2005 --# Not Valid After : Thu Apr 06 12:28:44 2017 --# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5 --# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Microsec e-Szigno Root CA" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326 --\045\354\031\015 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL 
--\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345 --END --CKA_ISSUER MULTILINE_OCTAL --\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061 --\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 --\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143 --\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003 --\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101 --\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157 --\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157 --\164\040\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 --\054\017\021 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "Certigna" - # - # Issuer: CN=Certigna,O=Dhimyotis,C=FR - # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff - # Subject: CN=Certigna,O=Dhimyotis,C=FR - # Not Valid Before: Fri Jun 29 15:13:05 2007 - # Not Valid After : Tue Jun 29 15:13:05 2027 - # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF -@@ -10742,147 +10375,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\004\111\063\000\001 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "ApplicationCA - Japanese Government" --# --# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP --# Serial Number: 49 (0x31) --# Subject: OU=ApplicationCA,O=Japanese Government,C=JP --# Not Valid Before: Wed Dec 12 15:00:00 2007 --# Not Valid After : Tue Dec 12 15:00:00 2017 --# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 --# Fingerprint 
(SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "ApplicationCA - Japanese Government" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\061 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 --\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034 --\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163 --\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024 --\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151 --\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065 --\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060 --\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023 --\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141 --\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156 --\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154 --\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006 
--\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 --\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207 --\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005 --\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212 --\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212 --\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240 --\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006 --\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171 --\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004 --\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155 --\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060 --\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214 --\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005 --\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155 --\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331 --\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060 --\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046 --\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243 --\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024 --\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320 --\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004 --\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244 --\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120 --\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234 --\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003 --\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202 --\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060 --\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 --\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003 
--\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017 --\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172 --\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011 --\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234 --\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026 --\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176 --\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221 --\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217 --\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124 --\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210 --\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353 --\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243 --\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046 --\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377 --\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113 --\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177 --\262\033\211\124 --END -- --# Trust for Certificate "ApplicationCA - Japanese Government" --# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP --# Serial Number: 49 (0x31) --# Subject: OU=ApplicationCA,O=Japanese Government,C=JP --# Not Valid Before: Wed Dec 12 15:00:00 2007 --# Not Valid After : Tue Dec 12 15:00:00 2017 --# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6 --# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "ApplicationCA - Japanese Government" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214 --\323\065\374\164 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326 --END --CKA_ISSUER 
MULTILINE_OCTAL --\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061 --\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145 --\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060 --\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164 --\151\157\156\103\101 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\001\061 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "GeoTrust Primary Certification Authority - G3" - # - # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f - # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US - # Not Valid Before: Wed Apr 02 00:00:00 2008 - # Not Valid After : Tue Dec 01 23:59:59 2037 - # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05 -@@ -26272,176 +25774,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\007\000\216\027\376\044\040\201 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --# --# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Serial Number:7d:a1:f2:65:ec:8a --# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. 
H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Not Valid Before: Wed Dec 18 09:04:10 2013 --# Not Valid After : Sat Dec 16 09:04:10 2023 --# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 --# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 --\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\006\175\241\362\145\354\212 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175 --\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001 --\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006 --\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101 --\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104 --\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151 --\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102 --\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151 --\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101 --\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124 --\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162 --\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110 --\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143 --\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062 --\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061 --\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006 --\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004 --\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125 --\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102 --\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040 --\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166 --\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145 --\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004 
--\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154 --\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151 --\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141 --\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042 --\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 --\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150 --\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161 --\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063 --\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157 --\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275 --\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324 --\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327 --\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200 --\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324 --\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330 --\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051 --\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315 --\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136 --\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251 --\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171 --\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143 --\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001 --\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004 --\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000 --\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004 --\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004 --\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015 --\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252 --\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122 
--\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024 --\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002 --\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066 --\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356 --\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062 --\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226 --\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024 --\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003 --\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050 --\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342 --\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246 --\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203 --\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130 --\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006 --\264\013\230\113\050\136\257\210\130\313 --END -- --# Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Serial Number:7d:a1:f2:65:ec:8a --# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. 
H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR --# Not Valid Before: Wed Dec 18 09:04:10 2013 --# Not Valid After : Sat Dec 16 09:04:10 2023 --# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00 --# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H6" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260 --\355\345\057\340 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106 --END --CKA_ISSUER MULTILINE_OCTAL --\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 --\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162 --\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122 --\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154 --\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305 --\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040 --\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056 --\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113 --\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153 --\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 --\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 --\261\040\110\066 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\006\175\241\362\145\354\212 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "Certinomis - Root CA" - # - # Issuer: 
CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Serial Number: 1 (0x1) - # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR - # Not Valid Before: Mon Oct 21 09:17:18 2013 - # Not Valid After : Fri Oct 21 09:17:18 2033 - # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 -@@ -29849,8 +29191,316 @@ END - CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125 - \246\036 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -+ -+# -+# Certificate "D-TRUST Root CA 3 2013" -+# -+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Serial Number: 1039788 (0xfddac) -+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Not Valid Before: Fri Sep 20 08:25:51 2013 -+# Not Valid After : Wed Sep 20 08:25:51 2028 -+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 -+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 -+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" -+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -+CKA_SUBJECT MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 -+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 -+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_ID UTF8 "0" -+CKA_ISSUER MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 -+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\003\017\335\254 -+END -+CKA_VALUE MULTILINE_OCTAL -+\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017 -+\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005 -+\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105 -+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165 -+\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003 -+\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103 -+\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071 -+\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062 -+\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003 -+\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 -+\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037 -+\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124 -+\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060 -+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 -+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 -+\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337 -+\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341 -+\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046 -+\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154 -+\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340 -+\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011 -+\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274 -+\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323 -+\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352 
-+\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121 -+\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075 -+\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256 -+\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077 -+\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357 -+\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174 -+\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263 -+\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006 -+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035 -+\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157 -+\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006 -+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276 -+\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240 -+\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164 -+\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057 -+\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157 -+\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061 -+\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155 -+\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143 -+\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163 -+\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057 -+\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057 -+\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164 -+\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015 -+\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001 -+\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234 -+\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237 -+\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317 -+\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175 
-+\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040 -+\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065 -+\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210 -+\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157 -+\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246 -+\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303 -+\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115 -+\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223 -+\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113 -+\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147 -+\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155 -+\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111 -+\137\134 -+END -+ -+# Trust for "D-TRUST Root CA 3 2013" -+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Serial Number: 1039788 (0xfddac) -+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE -+# Not Valid Before: Fri Sep 20 08:25:51 2013 -+# Not Valid After : Wed Sep 20 08:25:51 2028 -+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57 -+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97 -+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013" -+CKA_CERT_SHA1_HASH MULTILINE_OCTAL -+\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170 -+\337\157\357\227 -+END -+CKA_CERT_MD5_HASH MULTILINE_OCTAL -+\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277 -+END -+CKA_ISSUER MULTILINE_OCTAL -+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061 -+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163 -+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014 
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101 -+\040\063\040\062\060\061\063 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\003\017\335\254 -+END -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -+ -+# -+# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+# -+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Serial Number: 1 (0x1) -+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Not Valid Before: Mon Nov 25 08:25:55 2013 -+# Not Valid After : Sun Oct 25 08:25:55 2043 -+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 -+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA -+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -+CKA_SUBJECT MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 -+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_ID UTF8 "0" -+CKA_ISSUER MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 -+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 -+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\001\001 -+END -+CKA_VALUE MULTILINE_OCTAL -+\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001 -+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 -+\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061 -+\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040 -+\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125 -+\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151 -+\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152 -+\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162 -+\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060 
-+\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162 -+\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145 -+\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064 -+\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113 -+\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123 -+\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162 -+\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070 -+\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062 -+\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006 -+\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107 -+\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102 -+\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145 -+\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153 -+\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155 -+\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124 -+\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155 -+\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040 -+\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123 -+\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111 -+\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040 -+\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040 -+\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006 -+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017 -+\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273 -+\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377 -+\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372 -+\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253 -+\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154 -+\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320 
-+\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153 -+\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000 -+\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116 -+\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227 -+\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332 -+\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311 -+\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177 -+\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054 -+\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352 -+\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037 -+\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243 -+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077 -+\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107 -+\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002 -+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003 -+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013 -+\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230 -+\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175 -+\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341 -+\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260 -+\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355 -+\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337 -+\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027 -+\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235 -+\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270 -+\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226 -+\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223 -+\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334 -+\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177 
-+\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255 -+\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237 -+\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302 -+\237\042\136\242\017\241\343 -+END -+ -+# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Serial Number: 1 (0x1) -+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -+# Not Valid Before: Mon Nov 25 08:25:55 2013 -+# Not Valid After : Sun Oct 25 08:25:55 2043 -+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 -+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA -+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -+CKA_TOKEN CK_BBOOL CK_TRUE -+CKA_PRIVATE CK_BBOOL CK_FALSE -+CKA_MODIFIABLE CK_BBOOL CK_FALSE -+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+CKA_CERT_SHA1_HASH MULTILINE_OCTAL -+\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350 -+\221\335\356\312 -+END -+CKA_CERT_MD5_HASH MULTILINE_OCTAL -+\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111 -+END -+CKA_ISSUER MULTILINE_OCTAL -+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 -+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145 -+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003 -+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154 -+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 -+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165 -+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055 
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145 -+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060 -+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040 -+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040 -+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165 -+\162\165\155\040\061 -+END -+CKA_SERIAL_NUMBER MULTILINE_OCTAL -+\002\001\001 -+END -+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h ---- a/lib/ckfw/builtins/nssckbi.h -+++ b/lib/ckfw/builtins/nssckbi.h -@@ -17,41 +17,42 @@ - */ - #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2 - #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20 - - /* These version numbers detail the changes - * to the list of trusted certificates. - * - * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped -- * for each NSS minor release AND whenever we change the list of -- * trusted certificates. 10 minor versions are allocated for each -- * NSS 3.x branch as follows, allowing us to change the list of -- * trusted certificates up to 9 times on each branch. -- * - NSS 3.5 branch: 3-9 -- * - NSS 3.6 branch: 10-19 -- * - NSS 3.7 branch: 20-29 -- * - NSS 3.8 branch: 30-39 -- * - NSS 3.9 branch: 40-49 -- * - NSS 3.10 branch: 50-59 -- * - NSS 3.11 branch: 60-69 -- * ... -- * - NSS 3.12 branch: 70-89 -- * - NSS 3.13 branch: 90-99 -- * - NSS 3.14 branch: 100-109 -- * ... -- * - NSS 3.29 branch: 250-255 -+ * whenever we change the list of trusted certificates. -+ * -+ * Please use the following rules when increasing the version number: -+ * -+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR -+ * must always be an EVEN number (e.g. 
16, 18, 20 etc.) -+ * -+ * - whenever possible, if older branches require a modification to the -+ * list, these changes should be made on the main line of development (trunk), -+ * and the older branches should update to the most recent list. -+ * -+ * - ODD minor version numbers are reserved to indicate a snapshot that has -+ * deviated from the main line of development, e.g. if it was necessary -+ * to modify the list on a stable branch. -+ * Once the version has been changed to an odd number (e.g. 2.13) on a branch, -+ * it should remain unchanged on that branch, even if further changes are -+ * made on that branch. - * - * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear - * whether we may use its full range (0-255) or only 0-99 because - * of the comment in the CK_VERSION type definition. -+ * It's recommend to switch back to 0 after having reached version 98/99. - */ - #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 --#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11 --#define NSS_BUILTINS_LIBRARY_VERSION "2.11" -+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14 -+#define NSS_BUILTINS_LIBRARY_VERSION "2.14" - - /* These version numbers detail the semantic changes to the ckfw engine. */ - #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 - #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0 - - /* These version numbers detail the semantic changes to ckbi itself - * (new PKCS #11 objects), etc. 
*/ - #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1 - -diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c ---- a/lib/certdb/genname.c -+++ b/lib/certdb/genname.c -@@ -1583,19 +1583,19 @@ done: - - #define NAME_CONSTRAINTS_ENTRY(CA) \ - { \ - STRING_TO_SECITEM(CA##_SUBJECT_DN) \ - , \ - STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \ - } - --/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ -+/* clang-format off */ - --/* clang-format off */ -+/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */ - - #define ANSSI_SUBJECT_DN \ - "\x30\x81\x85" \ - "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR" /* C */ \ - "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France" /* ST */ \ - "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris" /* L */ \ - "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN" /* O */ \ - "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI" /* OU */ \ -@@ -1614,20 +1614,49 @@ done: - "\x30\x05\x82\x03" ".pm" \ - "\x30\x05\x82\x03" ".bl" \ - "\x30\x05\x82\x03" ".mf" \ - "\x30\x05\x82\x03" ".wf" \ - "\x30\x05\x82\x03" ".pf" \ - "\x30\x05\x82\x03" ".nc" \ - "\x30\x05\x82\x03" ".tf" - -+/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */ -+ -+#define TUBITAK1_SUBJECT_DN \ -+ "\x30\x81\xd2" \ -+ "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \ -+ /* C */ "TR" \ -+ "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \ -+ /* L */ "Gebze - Kocaeli" \ -+ "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \ -+ /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \ -+ "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \ -+ /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \ -+ "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \ -+ /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" -+ -+#define TUBITAK1_NAME_CONSTRAINTS \ -+ "\x30\x65\xa0\x63" \ -+ "\x30\x09\x82\x07" ".gov.tr" \ -+ "\x30\x09\x82\x07" ".k12.tr" \ -+ "\x30\x09\x82\x07" ".pol.tr" \ -+ "\x30\x09\x82\x07" ".mil.tr" \ -+ "\x30\x09\x82\x07" 
".tsk.tr" \ -+ "\x30\x09\x82\x07" ".kep.tr" \ -+ "\x30\x09\x82\x07" ".bel.tr" \ -+ "\x30\x09\x82\x07" ".edu.tr" \ -+ "\x30\x09\x82\x07" ".org.tr" -+ - /* clang-format on */ - --static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY( -- ANSSI) }; -+static const SECItem builtInNameConstraints[][2] = { -+ NAME_CONSTRAINTS_ENTRY(ANSSI), -+ NAME_CONSTRAINTS_ENTRY(TUBITAK1) -+}; - - SECStatus - CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions) - { - size_t i; - - if (!extensions) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - diff --git a/SOURCES/nss-check-policy-file.patch b/SOURCES/nss-check-policy-file.patch new file mode 100644 index 0000000..898ffef --- /dev/null +++ b/SOURCES/nss-check-policy-file.patch 
@@ -0,0 +1,49 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-02-28 10:49:53.811343156 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2017-02-28 10:59:41.178647490 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+ *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
+
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+ if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+ flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ }
++ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++ }
+ /* additional moduleDB flags could be added here in the future */
+ mod->isModuleDB = (PRBool)flags;
+ }
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ }
+
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++ char flags = (char) mod->isModuleDB;
++
++ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+ char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
+ if (!module) {
+ goto loser;
+ }
++
++ /* a policy only stanza doesn't actually get 'loaded'. policy has already
++ * been parsed as a side effect of the CreateModuleEx call */
++ if (secmod_PolicyOnly(module)) {
++ return module;
++ }
+ if (parent) {
+ module->parent = SECMOD_ReferenceModule(parent);
+ if (module->internal && secmod_IsInternalKeySlot(parent)) {
diff --git a/SOURCES/nss-disable-chacha20-gtests.patch b/SOURCES/nss-disable-chacha20-gtests.patch
deleted file mode 100644
index ff221d3..0000000
--- a/SOURCES/nss-disable-chacha20-gtests.patch
+++ /dev/null
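Review bot: The early `return module;` added to SECMOD_LoadModule returns a non-NULL module that, by its own comment, was never loaded, and it leaves before the `if (parent)` linkage that follows. A caller that treats any non-NULL result as a usable, loaded module would then operate on one with no load state. The callers are outside this patch, so this is inferred rather than shown. I would spell out the contract where the return happens, e.g. `/* NOTE: a policy-only module is returned unloaded and without a parent; callers must check secmod_PolicyOnly() (or module->loaded) before using its slots */`. Separately, `secmod_PolicyOnly` is defined with external linkage and no prototype appears in the patch; if no private header declares it, add the declaration there. All four inner hunks cut into functions whose bodies continue outside the patch.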
@@ -1,140 +0,0 @@ -diff -up nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 nss/gtests/pk11_gtest/manifest.mn ---- nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 -+++ nss/gtests/pk11_gtest/manifest.mn 2017-02-17 11:40:26.749019359 +0100 -@@ -8,7 +8,6 @@ MODULE = nss - - CPPSRCS = \ - pk11_aeskeywrap_unittest.cc \ -- pk11_chacha20poly1305_unittest.cc \ - pk11_export_unittest.cc \ - pk11_pbkdf2_unittest.cc \ - pk11_prf_unittest.cc \ -diff -up nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc ---- nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc 2017-02-17 11:40:26.749019359 +0100 -@@ -326,10 +326,7 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, -- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, -- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256); -+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); - INSTANTIATE_CIPHER_TEST_P( - CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, -@@ -361,7 +358,7 @@ INSTANTIATE_CIPHER_TEST_P( - INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13, - ::testing::ValuesIn(kFasterDHEGroups), - ::testing::ValuesIn(kSignatureSchemesParamsArr), -- TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, -+ TLS_AES_128_GCM_SHA256, - TLS_AES_256_GCM_SHA384); - INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13, - ::testing::ValuesIn(kAllDHEGroups), -@@ -446,9 +443,7 @@ static const SecStatusParams kSecStatusT - {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_128_GCM_SHA256, - "AES-128-GCM", 128}, - {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_GCM_SHA384, -- 
"AES-256-GCM", 256}, -- {SSL_LIBRARY_VERSION_TLS_1_2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -- "ChaCha20-Poly1305", 256}}; -+ "AES-256-GCM", 256}}; - INSTANTIATE_TEST_CASE_P(TestSecurityStatus, SecurityStatusTest, - ::testing::ValuesIn(kSecStatusTestValuesArr)); - -diff -up nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_drop_unittest.cc ---- nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 2017-01-30 02:06:08.000000000 +0100 -+++ nss/gtests/ssl_gtest/ssl_drop_unittest.cc 2017-02-17 11:41:03.656247032 +0100 -@@ -65,69 +65,4 @@ TEST_P(TlsConnectDatagram, DropServerSec - Connect(); - } - --static void GetCipherAndLimit(uint16_t version, uint16_t* cipher, -- uint64_t* limit = nullptr) { -- uint64_t l; -- if (!limit) limit = &l; -- -- if (version < SSL_LIBRARY_VERSION_TLS_1_2) { -- *cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; -- *limit = 0x5aULL << 28; -- } else if (version == SSL_LIBRARY_VERSION_TLS_1_2) { -- *cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; -- *limit = (1ULL << 48) - 1; -- } else { -- *cipher = TLS_CHACHA20_POLY1305_SHA256; -- *limit = (1ULL << 48) - 1; -- } --} -- --// This simulates a huge number of drops on one side. --TEST_P(TlsConnectDatagram, MissLotsOfPackets) { -- uint16_t cipher; -- uint64_t limit; -- -- GetCipherAndLimit(version_, &cipher, &limit); -- -- EnsureTlsSetup(); -- server_->EnableSingleCipher(cipher); -- Connect(); -- -- // Note that the limit for ChaCha is 2^48-1. -- EXPECT_EQ(SECSuccess, -- SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), limit - 10)); -- SendReceive(); --} -- --class TlsConnectDatagram12Plus : public TlsConnectDatagram { -- public: -- TlsConnectDatagram12Plus() : TlsConnectDatagram() {} --}; -- --// This simulates missing a window's worth of packets. 
--TEST_P(TlsConnectDatagram12Plus, MissAWindow) { -- EnsureTlsSetup(); -- uint16_t cipher; -- GetCipherAndLimit(version_, &cipher); -- server_->EnableSingleCipher(cipher); -- Connect(); -- -- EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 0)); -- SendReceive(); --} -- --TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) { -- EnsureTlsSetup(); -- uint16_t cipher; -- GetCipherAndLimit(version_, &cipher); -- server_->EnableSingleCipher(cipher); -- Connect(); -- -- EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 1)); -- SendReceive(); --} -- --INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus, -- TlsConnectTestBase::kTlsV12Plus); -- - } // namespace nss_test -diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc ---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 2017-02-17 11:40:26.747019401 +0100 -+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:40:26.749019359 +0100 -@@ -50,17 +50,6 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe) - CheckKeys(); - } - --// If we pick a 256-bit cipher suite and use a P-384 certificate, the server --// should choose P-384 for key exchange too. Only valid for TLS == 1.2 because --// we don't have 256-bit ciphers before then and 1.3 doesn't try to couple --// DHE size to symmetric size. --TEST_P(TlsConnectTls12, ConnectEcdheP384) { -- Reset(TlsAgent::kServerEcdsa384); -- ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); -- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa, -- ssl_sig_ecdsa_secp256r1_sha256); --} -- - TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) { - EnsureTlsSetup(); - const std::vector groups = {ssl_grp_ec_secp384r1, diff --git a/SOURCES/nss-disable-chacha20-tests.patch b/SOURCES/nss-disable-chacha20-tests.patch deleted file mode 100644 index 8ad0b4f..0000000 --- a/SOURCES/nss-disable-chacha20-tests.patch +++ /dev/null 
@@ -1,20 +0,0 @@
-diff -up nss/tests/ssl/sslcov.txt.disable-chacha20 nss/tests/ssl/sslcov.txt
---- nss/tests/ssl/sslcov.txt.disable-chacha20 2017-01-30 02:06:08.000000000 +0100
-+++ nss/tests/ssl/sslcov.txt 2017-02-17 11:40:26.749019359 +0100
-@@ -65,7 +65,7 @@
- noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
- noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
- noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
-- noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-+# noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- #
- # ECC ciphers (TLS)
- #
-@@ -139,5 +139,5 @@
- ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-- ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-+# ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-+# ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
index f54e4b7..b593479 100644
--- a/SOURCES/nss-disable-cipher-suites.patch
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -1,9 +1,9 @@ diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-02-20 16:29:09.760163465 +0100 -+++ nss/lib/ssl/ssl3con.c 2017-02-20 16:30:32.948137315 +0100 -@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-04-26 11:53:57.980039632 +0200 ++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:55:56.374264466 +0200 +@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default. @@ -13,9 +13,9 @@ diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -@@ -104,7 +107,10 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default. 
diff --git a/SOURCES/nss-disable-curve25519-gtests.patch b/SOURCES/nss-disable-curve25519-gtests.patch
deleted file mode 100644
index 4d1eb35..0000000
--- a/SOURCES/nss-disable-curve25519-gtests.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 2017-02-17 11:35:40.794056778 +0100
-+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:35:50.905842897 +0100
-@@ -287,20 +287,6 @@ TEST_P(TlsConnectStreamPre13, Configured
- ssl_sig_rsa_pss_sha256);
- }
-
--TEST_P(TlsKeyExchangeTest, Curve25519) {
-- Reset(TlsAgent::kServerEcdsa256);
-- const std::vector groups = {
-- ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
-- EnsureKeyShareSetup();
-- ConfigNamedGroups(groups);
-- Connect();
--
-- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa,
-- ssl_sig_ecdsa_secp256r1_sha256);
-- const std::vector shares = {ssl_grp_ec_curve25519};
-- CheckKEXDetails(groups, shares);
--}
--
- TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) {
- EnsureTlsSetup();
- client_->DisableAllCiphers();
diff --git a/SOURCES/nss-disable-curve25519-tests.patch b/SOURCES/nss-disable-curve25519-tests.patch
deleted file mode 100644
index bfd9081..0000000
--- a/SOURCES/nss-disable-curve25519-tests.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- nss/tests/ec/ectest.sh.disable-curve25519 2017-01-30 02:06:08.000000000 +0100
-+++ nss/tests/ec/ectest.sh 2017-02-17 11:35:24.937392173 +0100
-@@ -46,7 +46,6 @@ ectest_genkeydb_test()
- return $?
- fi
- curves=( \
-- "curve25519" \
- "secp256r1" \
- "secp384r1" \
- "secp521r1" \
diff --git a/SOURCES/nss-disable-curve25519.patch b/SOURCES/nss-disable-curve25519.patch
deleted file mode 100644
index e6925af..0000000
--- a/SOURCES/nss-disable-curve25519.patch
+++ /dev/null
@@ -1,13 +0,0 @@ -diff -up nss/lib/ssl/sslsock.c.disable-curve25519 nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.disable-curve25519 2017-02-17 11:35:24.922392490 +0100 -+++ nss/lib/ssl/sslsock.c 2017-02-17 11:35:24.936392194 +0100 -@@ -152,7 +152,7 @@ static const PRUint16 srtpCiphers[] = { - const sslNamedGroupDef ssl_named_groups[] = { - /* Note that 256 for 25519 is a lie, but we only use it for checking bit - * security and expect 256 bits there (not 255). */ -- { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE }, -+ { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_FALSE }, - ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE), - ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE), - ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE), -diff -up nss/tests/ec/ectest.sh.disable-curve25519 nss/tests/ec/ectest.sh diff --git a/SOURCES/nss-disable-pss-gtests.patch b/SOURCES/nss-disable-pss-gtests.patch index 0f090e4..2371c45 100644 --- a/SOURCES/nss-disable-pss-gtests.patch +++ b/SOURCES/nss-disable-pss-gtests.patch @@ -1,7 +1,7 @@ -diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc ---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss 2017-02-17 11:45:24.866780893 +0100 -+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-02-17 11:47:16.774439092 +0100 -@@ -58,7 +58,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 +diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc +--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests 2017-02-17 14:20:06.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-03-24 17:45:58.439916101 +0100 +@@ -69,7 +69,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 server_->ConfigNamedGroups(groups); Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, 
@@ -10,7 +10,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt } // This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care. -@@ -71,7 +71,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 +@@ -82,7 +82,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3 server_->ConfigNamedGroups(groups); Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, @@ -19,7 +19,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3, hrr_capture->buffer().len() != 0); } -@@ -101,7 +101,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority) +@@ -112,7 +112,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority) Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, @@ -28,7 +28,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt std::vector shares = {ssl_grp_ec_secp384r1}; CheckKEXDetails(groups, shares); -@@ -118,7 +118,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou +@@ -129,7 +129,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, @@ -37,7 +37,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt std::vector shares = {ssl_grp_ec_secp384r1}; std::vector expectedGroups = {ssl_grp_ec_secp384r1, -@@ -136,7 +136,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD +@@ -147,7 +147,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, @@ -46,7 +46,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { std::vector shares = {ssl_grp_ec_secp384r1}; -@@ -161,7 +161,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior +@@ -172,7 +172,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, 
@@ -55,7 +55,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt } TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) { -@@ -177,7 +177,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior +@@ -188,7 +188,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign, @@ -64,7 +64,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt } class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter { -@@ -265,7 +265,7 @@ TEST_P(TlsConnectStreamPre13, Configured +@@ -276,7 +276,7 @@ TEST_P(TlsConnectStreamPre13, Configured Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, @@ -73,7 +73,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt CheckConnected(); // The renegotiation has to use the same preferences as the original session. -@@ -273,7 +273,7 @@ TEST_P(TlsConnectStreamPre13, Configured +@@ -284,7 +284,7 @@ TEST_P(TlsConnectStreamPre13, Configured client_->StartRenegotiate(); Handshake(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, @@ -81,8 +81,8 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt + ssl_sig_rsa_pkcs1_sha256); } - TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) { -@@ -293,7 +293,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref + TEST_P(TlsKeyExchangeTest, Curve25519) { +@@ -318,7 +318,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, @@ -91,7 +91,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt } #ifndef NSS_DISABLE_TLS_1_3 -@@ -312,7 +312,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P +@@ -337,7 +337,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, 
@@ -100,7 +100,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_secp256r1}; CheckKEXDetails(client_groups, shares); } -@@ -332,7 +332,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P +@@ -357,7 +357,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign, @@ -109,7 +109,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_curve25519}; CheckKEXDetails(client_groups, shares); } -@@ -354,7 +354,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori +@@ -379,7 +379,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, @@ -118,7 +118,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_curve25519}; CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); } -@@ -376,7 +376,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri +@@ -401,7 +401,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, @@ -127,7 +127,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_curve25519}; CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); } -@@ -398,7 +398,7 @@ TEST_P(TlsKeyExchangeTest13, +@@ -423,7 +423,7 @@ TEST_P(TlsKeyExchangeTest13, Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, @@ -136,7 +136,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_curve25519}; CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); } -@@ -420,7 +420,7 @@ TEST_P(TlsKeyExchangeTest13, +@@ -445,7 +445,7 @@ TEST_P(TlsKeyExchangeTest13, Connect(); CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, 
@@ -145,7 +145,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt const std::vector shares = {ssl_grp_ec_curve25519}; CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1); } -@@ -482,7 +482,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli +@@ -507,7 +507,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli // The server would accept 25519 but its preferred group (P256) has to win. CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign, diff --git a/SOURCES/nss-disable-unsupported-gtests.patch b/SOURCES/nss-disable-unsupported-gtests.patch deleted file mode 100644 index 983b8e4..0000000 --- a/SOURCES/nss-disable-unsupported-gtests.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-diff -up nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_export_unittest.cc
---- nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests 2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/pk11_gtest/pk11_export_unittest.cc 2017-02-17 12:02:00.023957459 +0100
-@@ -61,6 +61,4 @@ class Pkcs11ExportTest : public ::testin
-
- TEST_F(Pkcs11ExportTest, DeriveNonExport) { Derive(false); }
-
--TEST_F(Pkcs11ExportTest, DeriveExport) { Derive(true); }
--
- } // namespace nss_test
-diff -up nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
---- nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests 2017-02-17 12:09:06.448036028 +0100
-+++ nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc 2017-02-17 12:10:03.479842833 +0100
-@@ -72,25 +72,4 @@ class Pkcs11Pbkdf2Test : public ::testin
- }
- };
-
--// RFC 6070
--TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
-- std::vector derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
-- 0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
-- 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
-- 0xf2, 0xf0, 0x70, 0x38};
--
-- Derive(derived, SEC_OID_HMAC_SHA1);
--}
--
--// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
--TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
-- std::vector derived = {
-- 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
-- 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
-- 0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
-- 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
--
-- Derive(derived, SEC_OID_HMAC_SHA256);
--}
--
- } // namespace nss_test
diff --git a/SOURCES/nss-disable-unsupported-tests.patch b/SOURCES/nss-disable-unsupported-tests.patch
deleted file mode 100644
index 9b57e20..0000000
--- a/SOURCES/nss-disable-unsupported-tests.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up nss/tests/ec/ectest.sh.disable_unsupported_tests nss/tests/ec/ectest.sh
---- nss/tests/ec/ectest.sh.disable_unsupported_tests 2017-02-17 12:33:08.137805278 +0100
-+++ nss/tests/ec/ectest.sh 2017-02-17 12:43:50.000297523 +0100
-@@ -81,7 +81,8 @@ if [ -f ${BINDIR}/fbectest ]; then
- fi
- fi
- if [ -f ${BINDIR}/pk11ectest ]; then
-- PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
-+ PK11_ECTEST_OUT=$(pk11ectest -n 2>&1)
-+ echo $PK11_ECTEST_OUT
- PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
- if [ -n "$PK11_ECTEST_OUT" ] ; then
- html_failed "pk11 ec tests"
diff --git a/SOURCES/nss-enable-pem.patch b/SOURCES/nss-enable-pem.patch
deleted file mode 100644
index 723039a..0000000
--- a/SOURCES/nss-enable-pem.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
---- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
-+++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
-@@ -5,7 +5,7 @@
-
- CORE_DEPTH = ../..
-
--DIRS = builtins
-+DIRS = builtins pem
-
- PRIVATE_EXPORTS = \
- ck.h \
diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch
new file mode 100644
index 0000000..6f6fcb9
--- /dev/null
+++ b/SOURCES/nss-is-token-present-race.patch
@@ -0,0 +1,76 @@
+# HG changeset patch
+# User Kamil Dudka
+# Date 1484568851 -3600
+# Mon Jan 16 13:14:11 2017 +0100
+# Node ID 754a4a1f6220fa99e72197408726da14419fc187
+# Parent b6a26d34c0e354344f81a73137deeb682c7961e0
+Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -91,7 +91,7 @@ nssSlot_ResetDelay(
+ }
+
+ static PRBool
+-within_token_delay_period(NSSSlot *slot)
++within_token_delay_period(const NSSSlot *slot)
+ {
+ PRIntervalTime time, lastTime;
+ /* Set the delay time for checking the token presence */
+@@ -103,7 +103,6 @@ within_token_delay_period(NSSSlot *slot)
+ if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
+ return PR_TRUE;
+ }
+- slot->lastTokenPing = time;
+ return PR_FALSE;
+ }
+
+@@ -136,6 +135,7 @@ nssSlot_IsTokenPresent(
+ nssSlot_ExitMonitor(slot);
+ if (ckrv != CKR_OK) {
+ slot->token->base.name[0] = 0; /* XXX */
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_FALSE;
+ }
+ slot->ckFlags = slotInfo.flags;
+@@ -143,6 +143,7 @@ nssSlot_IsTokenPresent(
+ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+ if (!slot->token) {
+ /* token was never present */
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_FALSE;
+ }
+ session = nssToken_GetDefaultSession(slot->token);
+@@ -165,6 +166,7 @@ nssSlot_IsTokenPresent(
+ slot->token->base.name[0] = 0; /* XXX */
+ /* clear the token cache */
+ nssToken_Remove(slot->token);
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_FALSE;
+ }
+ /* token is present, use the session info to determine if the card
+@@ -187,8 +189,10 @@ nssSlot_IsTokenPresent(
+ isPresent = session->handle != CK_INVALID_SESSION;
+ nssSession_ExitMonitor(session);
+ /* token not removed, finished */
+- if (isPresent)
++ if (isPresent) {
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_TRUE;
++ }
+ }
+ /* the token has been removed, and reinserted, or the slot contains
+ * a token it doesn't recognize. invalidate all the old
+@@ -201,8 +205,11 @@ nssSlot_IsTokenPresent(
+ if (nssrv != PR_SUCCESS) {
+ slot->token->base.name[0] = 0; /* XXX */
+ slot->ckFlags &= ~CKF_TOKEN_PRESENT;
++ /* TODO: insert a barrier here to avoid reordering of the assingments */
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_FALSE;
+ }
++ slot->lastTokenPing = PR_IntervalNow();
+ return PR_TRUE;
+ }
+
diff --git a/SOURCES/nss-old-pkcs11-num.patch b/SOURCES/nss-old-pkcs11-num.patch
deleted file mode 100644
index dbfdf05..0000000
--- a/SOURCES/nss-old-pkcs11-num.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.old_pkcs11_num 2017-01-04 15:24:24.000000000 +0100
-+++ nss/lib/ssl/ssl3con.c 2017-01-16 10:42:14.993429316 +0100
-@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
- tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
- param.data = (unsigned char *)&tls_mac_params;
- param.len = sizeof(tls_mac_params);
-- prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
-- spec->master_secret, ¶m);
-+ /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that
-+ * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */
-+ prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN,
-+ spec->master_secret, ¶m);
- if (!prf_context)
- return SECFailure;
-
diff --git a/SOURCES/nss-pk12util.patch b/SOURCES/nss-pk12util.patch
new file mode 100644
index 0000000..e2f7f99
--- /dev/null
+++ b/SOURCES/nss-pk12util.patch
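Review bot: The `slot->lastTokenPing = PR_IntervalNow();` stores that nss-is-token-present-race.patch adds to nssSlot_IsTokenPresent are unsynchronized: the first one sits directly after `nssSlot_ExitMonitor(slot)`, and the TODO in the last devslot.c hunk concedes that nothing prevents them from being reordered against the `ckFlags` and token-name updates. A second thread that passes `within_token_delay_period` (which presumably reads `lastTokenPing` without the monitor) could then act on stale presence state, which is the spurious SEC_ERROR_NO_TOKEN this change sets out to remove. Until a barrier or a store under the monitor is added, the TODO should state the required ordering, for example `/* lastTokenPing must become visible only after ckFlags and the token state are updated */`, and its typo `assingments` should be corrected. The function bodies extend beyond the hunks, so the remaining return paths are not visible here.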
@@ -0,0 +1,765 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1481829086 -3600 +# Thu Dec 15 20:11:26 2016 +0100 +# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057 +# Parent 35ecce23718136f99ca9537007481b4774c57e68 +Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea + +diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c +--- a/lib/pk11wrap/pk11mech.c ++++ b/lib/pk11wrap/pk11mech.c +@@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE + case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: +diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c +--- a/lib/pkcs12/p12d.c ++++ b/lib/pkcs12/p12d.c +@@ -1335,11 +1335,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12 + case SEC_OID_MD2: + integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; + break; ++ case SEC_OID_SHA224: ++ integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN; ++ break; ++ case SEC_OID_SHA256: ++ integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN; ++ break; ++ case SEC_OID_SHA384: ++ integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN; ++ break; ++ case SEC_OID_SHA512: ++ integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN; ++ break; + default: + goto loser; + } + +- symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL); ++ symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL); + PK11_DestroyPBEParams(params); + params = NULL; + if (!symKey) +diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c +--- a/lib/softoken/lowpbe.c ++++ b/lib/softoken/lowpbe.c +@@ -408,7 +408,6 @@ loser: + return result; + } + +-#define HMAC_BUFFER 64 + #define 
NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y)) + #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y)) + /* +@@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject * + int iter; + unsigned char *iterBuf; + void *hash = NULL; ++ unsigned int bufferLength; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { +@@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject * + /* how many hash object lengths are needed */ + c = (bytesNeeded + (hashLength - 1)) / hashLength; + ++ /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */ ++ bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64); ++ + /* initialize our buffers */ +- D.len = HMAC_BUFFER; ++ D.len = bufferLength; + /* B and D are the same length, use one alloc go get both */ + D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2); + B.len = D.len; +@@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject * + goto loser; + } + +- SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER); +- PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER); ++ SLen = NSSPBE_ROUNDUP(salt->len, bufferLength); ++ PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength); + I.len = SLen + PLen; + I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len); + if (I.data == NULL) { +# HG changeset patch +# User Daiki Ueno +# Date 1485768835 -3600 +# Mon Jan 30 10:33:55 2017 +0100 +# Node ID 09d1a0757431fa52ae025138da654c698141971b +# Parent 806c3106536feea0827ec54729a52b5cbac8a496 +Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea + +diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c +--- a/cmd/pk12util/pk12util.c ++++ b/cmd/pk12util/pk12util.c +@@ -861,6 +861,9 @@ p12u_EnableAllCiphers() + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); ++ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); ++ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); ++ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); + 
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); + } + +diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c +--- a/lib/pk11wrap/pk11pbe.c ++++ b/lib/pk11wrap/pk11pbe.c +@@ -4,6 +4,7 @@ + + #include "plarena.h" + ++#include "blapit.h" + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" +@@ -301,17 +302,49 @@ SEC_PKCS5GetPBEAlgorithm(SECOidTag algTa + return SEC_OID_UNKNOWN; + } + ++static PRBool ++sec_pkcs5_is_algorithm_v2_aes_algorithm(SECOidTag algorithm) ++{ ++ switch (algorithm) { ++ case SEC_OID_AES_128_CBC: ++ case SEC_OID_AES_192_CBC: ++ case SEC_OID_AES_256_CBC: ++ return PR_TRUE; ++ default: ++ return PR_FALSE; ++ } ++} ++ ++static int ++sec_pkcs5v2_aes_key_length(SECOidTag algorithm) ++{ ++ switch (algorithm) { ++ /* The key length for the AES-CBC-Pad algorithms are ++ * determined from the undelying cipher algorithm. */ ++ case SEC_OID_AES_128_CBC: ++ return AES_128_KEY_LENGTH; ++ case SEC_OID_AES_192_CBC: ++ return AES_192_KEY_LENGTH; ++ case SEC_OID_AES_256_CBC: ++ return AES_256_KEY_LENGTH; ++ default: ++ break; ++ } ++ return 0; ++} ++ + /* + * get the key length in bytes from a PKCS5 PBE + */ +-int +-sec_pkcs5v2_key_length(SECAlgorithmID *algid) ++static int ++sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) + { + SECOidTag algorithm; + PLArenaPool *arena = NULL; + SEC_PKCS5PBEParameter p5_param; + SECStatus rv; + int length = -1; ++ SECOidTag cipherAlg = SEC_OID_UNKNOWN; + + algorithm = SECOID_GetAlgorithmTag(algid); + /* sanity check, they should all be PBKDF2 here */ +@@ -330,7 +363,12 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a + goto loser; + } + +- if (p5_param.keyLength.data != NULL) { ++ if (cipherAlgId) ++ cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); ++ ++ if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { ++ length = sec_pkcs5v2_aes_key_length(cipherAlg); ++ } else if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); + } + +@@ -375,14 
+413,15 @@ SEC_PKCS5GetKeyLength(SECAlgorithmID *al + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + return 16; + case SEC_OID_PKCS5_PBKDF2: +- return sec_pkcs5v2_key_length(algid); ++ return sec_pkcs5v2_key_length(algid, NULL); + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: { + sec_pkcs5V2Parameter *pbeV2_param; + int length = -1; + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param != NULL) { +- length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); ++ length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId, ++ &pbeV2_param->cipherAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + } + return length; +@@ -614,6 +653,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg + SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + if (hashAlg != SEC_OID_UNKNOWN) { + keyLength = HASH_ResultLenByOidTag(hashAlg); ++ } else if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlgorithm)) { ++ keyLength = sec_pkcs5v2_aes_key_length(cipherAlgorithm); + } else { + CK_MECHANISM_TYPE cryptoMech; + cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); +diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c +--- a/lib/pkcs12/p12d.c ++++ b/lib/pkcs12/p12d.c +@@ -177,6 +177,9 @@ sec_pkcs12_decoder_get_decrypt_key(void + SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; + PK11SlotInfo *slot; + PK11SymKey *bulkKey; ++ SECItem *pwitem; ++ SECItem decodedPwitem = { 0 }; ++ SECOidTag algorithm; + + if (!p12dcx) { + return NULL; +@@ -189,7 +192,24 @@ sec_pkcs12_decoder_get_decrypt_key(void + slot = PK11_GetInternalKeySlot(); + } + +- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, ++ algorithm = SECOID_GetAlgorithmTag(algid); ++ pwitem = p12dcx->pwitem; ++ ++ /* here we assume that the password is already encoded into ++ * BMPString by the caller. if the encryption scheme is not the ++ * one defined in PKCS #12, decode the password back into ++ * UTF-8. 
*/ ++ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) { ++ if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem, ++ p12dcx->pwitem, ++ PR_TRUE, PR_FALSE, PR_FALSE)) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return NULL; ++ } ++ pwitem = &decodedPwitem; ++ } ++ ++ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, + PR_FALSE, p12dcx->wincx); + /* some tokens can't generate PBE keys on their own, generate the + * key in the internal slot, and let the Import code deal with it, +@@ -198,7 +218,7 @@ sec_pkcs12_decoder_get_decrypt_key(void + if (!bulkKey && !PK11_IsInternal(slot)) { + PK11_FreeSlot(slot); + slot = PK11_GetInternalKeySlot(); +- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, ++ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, + PR_FALSE, p12dcx->wincx); + } + PK11_FreeSlot(slot); +@@ -208,6 +228,10 @@ sec_pkcs12_decoder_get_decrypt_key(void + PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL); + } + ++ if (decodedPwitem.data) { ++ SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE); ++ } ++ + return bulkKey; + } + +diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c +--- a/lib/pkcs12/p12e.c ++++ b/lib/pkcs12/p12e.c +@@ -10,6 +10,7 @@ + #include "seccomon.h" + #include "secport.h" + #include "cert.h" ++#include "secpkcs5.h" + #include "secpkcs7.h" + #include "secasn1.h" + #include "secerr.h" +@@ -378,19 +379,36 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC + safeInfo->itemCount = 0; + + /* create the encrypted safe */ +- safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, +- p12ctxt->pwfnarg); ++ if (!SEC_PKCS5IsAlgorithmPBEAlgTag(privAlg) && ++ PK11_AlgtagToMechanism(privAlg) == CKM_AES_CBC) { ++ safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2, ++ privAlg, ++ SEC_OID_UNKNOWN, ++ 0, ++ p12ctxt->pwfn, ++ p12ctxt->pwfnarg); ++ } else { ++ safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, ++ p12ctxt->pwfnarg); ++ } + if (!safeInfo->cinfo) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + 
goto loser; + } + safeInfo->arena = p12ctxt->arena; + +- /* convert the password to unicode */ +- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, +- PR_TRUE, PR_TRUE, PR_TRUE)) { +- PORT_SetError(SEC_ERROR_NO_MEMORY); +- goto loser; ++ if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) { ++ /* convert the password to unicode */ ++ if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, ++ PR_TRUE, PR_TRUE, PR_TRUE)) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ goto loser; ++ } ++ } else { ++ if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ goto loser; ++ } + } + if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MEMORY); +diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c +--- a/lib/pkcs12/p12local.c ++++ b/lib/pkcs12/p12local.c +@@ -949,6 +949,33 @@ sec_pkcs12_convert_item_to_unicode(PLAre + return PR_TRUE; + } + ++PRBool ++sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm) ++{ ++ switch (algorithm) { ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: ++ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: ++ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: ++ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: ++ /* those are actually PKCS #5 v1.5 PBEs, but we ++ * historically treat them in the same way as PKCS #12 ++ * PBEs */ ++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: ++ case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: ++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: ++ return 
PR_TRUE; ++ default: ++ return PR_FALSE; ++ } ++} ++ + /* pkcs 12 templates */ + static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser = + sec_pkcs12_choose_shroud_type; +diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h +--- a/lib/pkcs12/p12local.h ++++ b/lib/pkcs12/p12local.h +@@ -55,4 +55,6 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo + void *wincx, SEC_PKCS12SafeContents *safe, + SEC_PKCS12Baggage *baggage); + ++extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm); ++ + #endif +diff --git a/lib/pkcs12/p12plcy.c b/lib/pkcs12/p12plcy.c +--- a/lib/pkcs12/p12plcy.c ++++ b/lib/pkcs12/p12plcy.c +@@ -24,6 +24,9 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] + { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE }, + { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE }, + { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE }, ++ { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE }, ++ { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE }, ++ { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE }, + { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE }, + { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE } + }; +diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c +--- a/lib/pkcs7/p7create.c ++++ b/lib/pkcs7/p7create.c +@@ -1245,3 +1245,56 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a + + return cinfo; + } ++ ++SEC_PKCS7ContentInfo * ++SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, ++ SECOidTag cipher_algorithm, ++ SECOidTag prf_algorithm, ++ int keysize, ++ SECKEYGetPasswordKey pwfn, void *pwfn_arg) ++{ ++ SEC_PKCS7ContentInfo *cinfo; ++ SECAlgorithmID *algid; ++ SEC_PKCS7EncryptedData *enc_data; ++ SECStatus rv; ++ ++ PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm)); ++ ++ cinfo = sec_pkcs7_create_content_info(SEC_OID_PKCS7_ENCRYPTED_DATA, ++ PR_FALSE, pwfn, pwfn_arg); ++ if (cinfo == NULL) ++ return NULL; ++ ++ enc_data = 
cinfo->content.encryptedData; ++ algid = &(enc_data->encContentInfo.contentEncAlg); ++ ++ SECAlgorithmID *pbe_algid; ++ pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm, ++ cipher_algorithm, ++ prf_algorithm, ++ keysize, ++ NSS_PBE_DEFAULT_ITERATION_COUNT, ++ NULL); ++ if (pbe_algid == NULL) { ++ rv = SECFailure; ++ } else { ++ rv = SECOID_CopyAlgorithmID(cinfo->poolp, algid, pbe_algid); ++ SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE); ++ } ++ ++ if (rv != SECSuccess) { ++ SEC_PKCS7DestroyContentInfo(cinfo); ++ return NULL; ++ } ++ ++ rv = sec_pkcs7_init_encrypted_content_info(&(enc_data->encContentInfo), ++ cinfo->poolp, ++ SEC_OID_PKCS7_DATA, PR_FALSE, ++ cipher_algorithm, keysize); ++ if (rv != SECSuccess) { ++ SEC_PKCS7DestroyContentInfo(cinfo); ++ return NULL; ++ } ++ ++ return cinfo; ++} +diff --git a/lib/pkcs7/secpkcs7.h b/lib/pkcs7/secpkcs7.h +--- a/lib/pkcs7/secpkcs7.h ++++ b/lib/pkcs7/secpkcs7.h +@@ -287,6 +287,26 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a + SECKEYGetPasswordKey pwfn, void *pwfn_arg); + + /* ++ * Create an empty PKCS7 encrypted content info. ++ * ++ * Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of ++ * creating encrypted content for PKCS #5 v2 algorithms. ++ * ++ * "pbe_algorithm" specifies the PBE algorithm to use. ++ * "cipher_algorithm" specifies the bulk encryption algorithm to use. ++ * "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses. ++ * ++ * An error results in a return value of NULL and an error set. ++ * (Retrieve specific errors via PORT_GetError()/XP_GetError().) ++ */ ++extern SEC_PKCS7ContentInfo * ++SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, ++ SECOidTag cipher_algorithm, ++ SECOidTag prf_algorithm, ++ int keysize, ++ SECKEYGetPasswordKey pwfn, void *pwfn_arg); ++ ++/* + * All of the following things return SECStatus to signal success or failure. + * Failure should have a more specific error status available via + * PORT_GetError()/XP_GetError(). 
+diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh +--- a/tests/tools/tools.sh ++++ b/tests/tools/tools.sh +@@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2 + CAMELLIA-256-CBC; do + + #--------------------------------------------------------------- +-# Bug 452464 - pk12util -o fails when -C option specifies AES or ++# Bug 452464 - pk12util -o fails when -C option specifies + # Camellia ciphers + # FIXME Restore these to the list +-# AES-128-CBC, \ +-# AES-192-CBC, \ +-# AES-256-CBC, \ + # CAMELLIA-128-CBC, \ + # CAMELLIA-192-CBC, \ + # CAMELLIA-256-CBC, \ +@@ -287,6 +284,9 @@ tools_p12_export_list_import_all_pkcs5v2 + for cert_cipher in \ + RC2-CBC \ + DES-EDE3-CBC \ ++ AES-128-CBC \ ++ AES-192-CBC \ ++ AES-256-CBC \ + null; do + export_list_import ${key_cipher} ${cert_cipher} + done +# HG changeset patch +# User Daiki Ueno +# Date 1491303138 -7200 +# Tue Apr 04 12:52:18 2017 +0200 +# Node ID ef11922df67881332f1fa200c7ae21b9c30cec76 +# Parent 7228445b43ac095ebc0eee330d6a351b898ebbdd +Bug 1353325, pkcs12: don't encode password if non-PKCS12 PBEs is used, r=rrelyea + +diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c +--- a/lib/pkcs12/p12d.c ++++ b/lib/pkcs12/p12d.c +@@ -177,8 +177,7 @@ sec_pkcs12_decoder_get_decrypt_key(void + SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; + PK11SlotInfo *slot; + PK11SymKey *bulkKey; +- SECItem *pwitem; +- SECItem decodedPwitem = { 0 }; ++ SECItem pwitem = { 0 }; + SECOidTag algorithm; + + if (!p12dcx) { +@@ -193,24 +192,10 @@ sec_pkcs12_decoder_get_decrypt_key(void + } + + algorithm = SECOID_GetAlgorithmTag(algid); +- pwitem = p12dcx->pwitem; +- +- /* here we assume that the password is already encoded into +- * BMPString by the caller. if the encryption scheme is not the +- * one defined in PKCS #12, decode the password back into +- * UTF-8. 
*/ +- if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) { +- if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem, +- p12dcx->pwitem, +- PR_TRUE, PR_FALSE, PR_FALSE)) { +- PORT_SetError(SEC_ERROR_NO_MEMORY); +- return NULL; +- } +- pwitem = &decodedPwitem; +- } +- +- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, +- PR_FALSE, p12dcx->wincx); ++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) ++ return NULL; ++ ++ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); + /* some tokens can't generate PBE keys on their own, generate the + * key in the internal slot, and let the Import code deal with it, + * (if the slot can't generate PBEs, then we need to use the internal +@@ -218,8 +203,7 @@ sec_pkcs12_decoder_get_decrypt_key(void + if (!bulkKey && !PK11_IsInternal(slot)) { + PK11_FreeSlot(slot); + slot = PK11_GetInternalKeySlot(); +- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem, +- PR_FALSE, p12dcx->wincx); ++ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); + } + PK11_FreeSlot(slot); + +@@ -228,8 +212,8 @@ sec_pkcs12_decoder_get_decrypt_key(void + PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL); + } + +- if (decodedPwitem.data) { +- SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE); ++ if (pwitem.data) { ++ SECITEM_ZfreeItem(&pwitem, PR_FALSE); + } + + return bulkKey; +@@ -2476,13 +2460,25 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke + nickName, publicValue, PR_TRUE, PR_TRUE, + keyUsage, wincx); + break; +- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: ++ case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: { ++ SECItem pwitem = { 0 }; ++ SECAlgorithmID *algid = ++ &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; ++ SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); ++ ++ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, ++ key->pwitem)) ++ return SECFailure; + rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, + key->safeBagContent.pkcs8ShroudedKeyBag, +- key->pwitem, 
nickName, publicValue, ++ &pwitem, nickName, publicValue, + PR_TRUE, PR_TRUE, keyType, keyUsage, + wincx); ++ if (pwitem.data) { ++ SECITEM_ZfreeItem(&pwitem, PR_FALSE); ++ } + break; ++ } + default: + key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION; + key->problem = PR_TRUE; +diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c +--- a/lib/pkcs12/p12e.c ++++ b/lib/pkcs12/p12e.c +@@ -397,18 +397,9 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC + } + safeInfo->arena = p12ctxt->arena; + +- if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) { +- /* convert the password to unicode */ +- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, +- PR_TRUE, PR_TRUE, PR_TRUE)) { +- PORT_SetError(SEC_ERROR_NO_MEMORY); +- goto loser; +- } +- } else { +- if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) { +- PORT_SetError(SEC_ERROR_NO_MEMORY); +- goto loser; +- } ++ if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ goto loser; + } + if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MEMORY); +@@ -1221,8 +1212,8 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12Export + SECKEYEncryptedPrivateKeyInfo *epki = NULL; + PK11SlotInfo *slot = NULL; + +- if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem, +- pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) { ++ if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm, ++ pwitem)) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } +diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c +--- a/lib/pkcs12/p12local.c ++++ b/lib/pkcs12/p12local.c +@@ -976,6 +976,46 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi + } + } + ++/* this function decodes a password from Unicode if necessary, ++ * according to the PBE algorithm. ++ * ++ * we assume that the pwitem is already encoded in Unicode by the ++ * caller. 
if the encryption scheme is not the one defined in PKCS ++ * #12, decode the pwitem back into UTF-8. */ ++PRBool ++sec_pkcs12_decode_password(PLArenaPool *arena, ++ SECItem *result, ++ SECOidTag algorithm, ++ const SECItem *pwitem) ++{ ++ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) ++ return sec_pkcs12_convert_item_to_unicode(arena, result, ++ (SECItem *)pwitem, ++ PR_TRUE, PR_FALSE, PR_FALSE); ++ ++ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; ++} ++ ++/* this function encodes a password into Unicode if necessary, ++ * according to the PBE algorithm. ++ * ++ * we assume that the pwitem holds a raw password. if the encryption ++ * scheme is the one defined in PKCS #12, encode the password into ++ * BMPString. */ ++PRBool ++sec_pkcs12_encode_password(PLArenaPool *arena, ++ SECItem *result, ++ SECOidTag algorithm, ++ const SECItem *pwitem) ++{ ++ if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) ++ return sec_pkcs12_convert_item_to_unicode(arena, result, ++ (SECItem *)pwitem, ++ PR_TRUE, PR_TRUE, PR_TRUE); ++ ++ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; ++} ++ + /* pkcs 12 templates */ + static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser = + sec_pkcs12_choose_shroud_type; +diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h +--- a/lib/pkcs12/p12local.h ++++ b/lib/pkcs12/p12local.h +@@ -57,4 +57,13 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo + + extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm); + ++extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena, ++ SECItem *result, ++ SECOidTag algorithm, ++ const SECItem *pwitem); ++extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena, ++ SECItem *result, ++ SECOidTag algorithm, ++ const SECItem *pwitem); ++ + #endif +# HG changeset patch +# User Daiki Ueno +# Date 1491397923 -7200 +# Wed Apr 05 15:12:03 2017 +0200 +# Node ID c9af3144ac8cd7e2203817a334a9f814649e86b0 +# Parent 769f9ae07b103494af809620478e60256a344adc +fix key 
length calculation for PKCS#5 DES-EDE3-CBC-Pad + +diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c +--- a/lib/pk11wrap/pk11pbe.c ++++ b/lib/pk11wrap/pk11pbe.c +@@ -370,6 +370,13 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a + length = sec_pkcs5v2_aes_key_length(cipherAlg); + } else if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); ++ } else { ++ CK_MECHANISM_TYPE cipherMech; ++ cipherMech = PK11_AlgtagToMechanism(cipherAlg); ++ if (cipherMech == CKM_INVALID_MECHANISM) { ++ goto loser; ++ } ++ length = PK11_GetMaxKeyLength(cipherMech); + } + + loser: +diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h +--- a/lib/pk11wrap/pk11priv.h ++++ b/lib/pk11wrap/pk11priv.h +@@ -106,6 +106,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert( + void *wincx, PK11SlotInfo **pSlot); + PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); ++unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType); + + /********************************************************************** + * Certs +diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c +--- a/lib/pk11wrap/pk11slot.c ++++ b/lib/pk11wrap/pk11slot.c +@@ -2291,6 +2291,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE m + } + } + } ++ ++ /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */ ++ if (keyLength == 0) { ++ CK_KEY_TYPE keyType; ++ keyType = PK11_GetKeyType(mechanism, 0); ++ keyLength = pk11_GetPredefinedKeyLength(keyType); ++ } ++ + if (le) + PK11_FreeSlotListElement(list, le); + if (freeit) diff --git a/SOURCES/nss-prevent-abi-issue.patch b/SOURCES/nss-prevent-abi-issue.patch deleted file mode 100644 index 22df86e..0000000 --- a/SOURCES/nss-prevent-abi-issue.patch +++ /dev/null 
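Review bot: In the embedded p12d.c change, sec_pkcs12_decoder_get_decrypt_key() now returns early when sec_pkcs12_decode_password() fails, but `slot` has already been obtained (`slot = PK11_GetInternalKeySlot();` is visible just above) and is only released by the later `PK11_FreeSlot(slot);`, so the failure path leaks a slot reference. The guard should release it first: `if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) { PK11_FreeSlot(slot); return NULL; }`. The success path does wipe the decoded password with `SECITEM_ZfreeItem(&pwitem, PR_FALSE)`, and any exit added after the decode should keep doing so. The function begins outside the embedded hunk, so the other branch that sets `slot` is not visible.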
@@ -1,24 +0,0 @@ -diff -up nss/lib/ssl/sslinfo.c.abi_lib nss/lib/ssl/sslinfo.c ---- nss/lib/ssl/sslinfo.c.abi_lib 2016-10-10 16:44:06.661038110 +0200 -+++ nss/lib/ssl/sslinfo.c 2016-10-10 16:44:54.436814398 +0200 -@@ -74,7 +74,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh - inf.creationTime = sid->creationTime; - inf.lastAccessTime = sid->lastAccessTime; - inf.expirationTime = sid->expirationTime; -- inf.extendedMasterSecretUsed = -+ inf.reservedNotSupported = - (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 || - sid->u.ssl3.keys.extendedMasterSecretUsed) - ? PR_TRUE -diff -up nss/lib/ssl/sslt.h.abi_lib nss/lib/ssl/sslt.h ---- nss/lib/ssl/sslt.h.abi_lib 2016-10-03 16:55:58.000000000 +0200 -+++ nss/lib/ssl/sslt.h 2016-10-10 16:44:06.661038110 +0200 -@@ -188,7 +188,7 @@ typedef struct SSLChannelInfoStr { - * This field only has meaning in TLS < 1.3 and will be set to - * PR_FALSE in TLS 1.3. - */ -- PRBool extendedMasterSecretUsed; -+ PRBool reservedNotSupported; - - /* The following fields were added in NSS 3.25. - * This field only has meaning in TLS >= 1.3, and indicates on the diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch index f08ca2f..9806190 100644 --- a/SOURCES/nss-reorder-cipher-suites.patch +++ b/SOURCES/nss-reorder-cipher-suites.patch 
@@ -1,7 +1,7 @@ -diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.reorder_cipher_suites 2017-02-15 13:11:24.960624359 +0100 -+++ nss/lib/ssl/ssl3con.c 2017-02-15 13:12:55.378720030 +0100 -@@ -91,83 +91,64 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi +diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200 ++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200 +@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi /* clang-format off */ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { /* cipher_suite policy enabled isPresent */ @@ -22,6 +22,7 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 
@@ -34,48 +35,46 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - -- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { 
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 
SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - -- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 
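Review bot: The DHE block of the rebased cipherSuites[] table still lists the AES-256 CBC entries (`TLS_DHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`) ahead of `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256` and `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, and nothing in the patch says why. Assuming table order is preference order, a CBC-mode suite would be chosen over an AEAD one whenever both are on offer, and the same order is mirrored in SSL_ImplementedCiphers in sslenum.c further down. If key length over AEAD is the intended downstream policy, record it next to the table, for example `/* downstream order: 256-bit suites before 128-bit within each key exchange, even where that ranks CBC above AEAD */`. The nested `+`/`-` markers are hard to tell apart in this rendering, so the resulting order should be confirmed against the patched ssl3con.c.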
@@ -107,23 +106,20 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -@@ -175,6 +156,12 @@ static ssl3CipherSuiteCfg cipherSuites[s +@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, + { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, + { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, -+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, }; /* clang-format on */ -diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c ---- nss/lib/ssl/sslenum.c.reorder_cipher_suites 2017-02-15 13:11:35.724397659 +0100 -+++ nss/lib/ssl/sslenum.c 2017-02-15 13:12:26.332331787 +0100 -@@ -55,81 +55,64 @@ +diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c +--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200 ++++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200 +@@ -55,53 +55,44 @@ * the third one. */ const PRUint16 SSL_ImplementedCiphers[] = { 
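Review bot: The three TLS 1.3 suites (`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_256_GCM_SHA384`) are still appended after `TLS_RSA_WITH_NULL_MD5` at the tail of `cipherSuites[]`, although this revision moves the ChaCha20-Poly1305 TLS 1.2 suites out of that tail. If table position is the preference order, as the reordering implies, entries marked enabled that sit below the NULL suites need a stated reason. One option is a comment in the inner patch such as `/* TLS 1.3 suites are only selected under TLS 1.3, so their position relative to the entries above is not significant */`, provided that is in fact the reason; otherwise the entries should move to the head of the table. The same tail placement is repeated for `SSL_ImplementedCiphers[]` in the later hunk at `@@ -227,16 +222,13 @@`, and the two tables should stay in the same order. Both array definitions start outside these hunks.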
@@ -143,6 +139,7 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
@@ -155,48 +152,46 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, - -- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, - TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, -- TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -- TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, -- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, -+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, -+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, -+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, ++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, ++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, ++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA, +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, +- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, +- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_RC4_128_SHA, - -- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[] TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, @@ -227,16 +222,13 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, -@@ -137,6 +120,12 @@ const PRUint16 SSL_ImplementedCiphers[] +@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[] TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_NULL_MD5, + TLS_AES_128_GCM_SHA256, + TLS_CHACHA20_POLY1305_SHA256, + TLS_AES_256_GCM_SHA384, -+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, -+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0 }; diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config new file mode 100644 index 0000000..be6d690 --- /dev/null +++ b/SOURCES/nss-rhel7.config 
@@ -0,0 +1,7 @@
+# To re-enable legacy algorithms, edit this file
+# Note that the last empty line in this file must be preserved
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+
diff --git a/SOURCES/nss-tests-prevent-abi-issue.patch b/SOURCES/nss-tests-prevent-abi-issue.patch
deleted file mode 100644
index 766f2d7..0000000
--- a/SOURCES/nss-tests-prevent-abi-issue.patch
+++ /dev/null
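Review bot: The header comment in nss-rhel7.config tells administrators to edit the file to re-enable legacy algorithms but never says what the `allow=` values mean, so the 1023 floors for DH, DSA and RSA read as arbitrary numbers. I would extend the header with a line such as `# DH-MIN/DSA-MIN/RSA-MIN are minimum key sizes in bits; 1023 is a legacy-interoperability floor, raise it where peers allow`. A second line should state that the policy appears to apply to every application on the host that loads NSS, which is what the build-time comment in the spec suggests. The spec installs this file as `%config(noreplace)`, so a locally weakened copy survives package updates, and the comment should say that too.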
@@ -1,36 +0,0 @@
-diff -up nss/cmd/selfserv/selfserv.c.abi_tests nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.abi_tests 2016-08-16 12:36:23.695996680 +0200
-+++ nss/cmd/selfserv/selfserv.c 2016-08-16 12:39:00.006879649 +0200
-@@ -425,7 +425,7 @@ printSecurityInfo(PRFileDesc *fd)
- channel.authKeyBits, suite.authAlgorithmName,
- channel.keaKeyBits, suite.keaTypeName,
- channel.compressionMethodName,
-- channel.extendedMasterSecretUsed ? "Yes" : "No");
-+ channel.reservedNotSupported ? "Yes": "No");
- }
- }
- if (verbose) {
-diff -up nss/cmd/tstclnt/tstclnt.c.abi_tests nss/cmd/tstclnt/tstclnt.c
---- nss/cmd/tstclnt/tstclnt.c.abi_tests 2016-08-16 12:36:23.696996653 +0200
-+++ nss/cmd/tstclnt/tstclnt.c 2016-08-16 12:39:24.460235581 +0200
-@@ -129,7 +129,7 @@ printSecurityInfo(PRFileDesc *fd)
- channel.authKeyBits, suite.authAlgorithmName,
- channel.keaKeyBits, suite.keaTypeName,
- channel.compressionMethodName,
-- channel.extendedMasterSecretUsed ? "Yes" : "No");
-+ channel.reservedNotSupported ? "Yes": "No");
- }
- }
- cert = SSL_RevealCert(fd);
-diff -up nss/external_tests/ssl_gtest/tls_agent.cc.abi_tests nss/external_tests/ssl_gtest/tls_agent.cc
---- nss/gtests/ssl_gtest/tls_agent.cc.abi_tests 2016-08-16 12:36:23.696996653 +0200
-+++ nss/gtests/ssl_gtest/tls_agent.cc 2016-08-16 12:39:45.167690174 +0200
-@@ -571,7 +571,7 @@ void TlsAgent::CheckExtendedMasterSecret
- if (version() >= SSL_LIBRARY_VERSION_TLS_1_3) {
- expected = PR_TRUE;
- }
-- ASSERT_EQ(expected, info_.extendedMasterSecretUsed != PR_FALSE)
-+ ASSERT_EQ(expected, info_.reservedNotSupported != PR_FALSE)
- << "unexpected extended master secret state for " << name_;
- }
-
diff --git a/SOURCES/nss-tools-sha256-default.patch b/SOURCES/nss-tools-sha256-default.patch
new file mode 100644
index 0000000..288d5d8
--- /dev/null
+++ b/SOURCES/nss-tools-sha256-default.patch
@@ -0,0 +1,107 @@ +# HG changeset patch +# User Kai Engert +# Date 1489096275 -3600 +# Thu Mar 09 22:51:15 2017 +0100 +# Node ID 848abc2061a45b8387893891e814b80db1e2bd53 +# Parent 482e9cbb16f13cd22f9ef7b5a73a4e3ea68ecf82 +Bug 1345106, Don't use SHA1 by default for signatures in the NSS library and in certutil, crlutil and cmsutil, r=rrelyea + +diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c +--- a/cmd/smimetools/cmsutil.c ++++ b/cmd/smimetools/cmsutil.c +@@ -84,7 +84,7 @@ Usage(char *progName) + " where id can be a certificate nickname or email address\n" + " -S create a CMS signed data message\n" + " -G include a signing time attribute\n" +- " -H hash use hash (default:SHA1)\n" ++ " -H hash use hash (default:SHA256)\n" + " -N nick use certificate named \"nick\" for signing\n" + " -P include a SMIMECapabilities attribute\n" + " -T do not include content in CMS message\n" +@@ -1097,7 +1097,7 @@ main(int argc, char **argv) + signOptions.signingTime = PR_FALSE; + signOptions.smimeProfile = PR_FALSE; + signOptions.encryptionKeyPreferenceNick = NULL; +- signOptions.hashAlgTag = SEC_OID_SHA1; ++ signOptions.hashAlgTag = SEC_OID_SHA256; + envelopeOptions.recipients = NULL; + encryptOptions.recipients = NULL; + encryptOptions.envmsg = NULL; +diff --git a/cmd/smimetools/smime b/cmd/smimetools/smime +--- a/cmd/smimetools/smime ++++ b/cmd/smimetools/smime +@@ -199,8 +199,8 @@ sub signentity($$) + # construct a new multipart/signed MIME entity consisting of the original content and + # the signature + # +- # (we assume that cmsutil generates a SHA1 digest) +- $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n"; ++ # (we assume that cmsutil generates a SHA256 digest) ++ $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n"; + $out .= "\n"; # end of entity header + $out .= "This is a cryptographically signed message in 
MIME format.\n"; # explanatory comment + $out .= "\n--${boundary}\n"; +diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c +--- a/lib/cryptohi/secsign.c ++++ b/lib/cryptohi/secsign.c +@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECI + if (algID == SEC_OID_UNKNOWN) { + switch (pk->keyType) { + case rsaKey: +- algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; ++ algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + break; + case dsaKey: + /* get Signature length (= q_len*2) and work from there */ + switch (PK11_SignatureLen(pk)) { ++ case 320: ++ algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; ++ break; + case 448: + algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; + break; + case 512: ++ default: + algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; + break; +- default: +- algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; +- break; + } + break; + case ecKey: +- algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; ++ algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); +@@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType + break; + case dsaKey: + switch (hashAlgTag) { +- case SEC_OID_UNKNOWN: /* default for DSA if not specified */ + case SEC_OID_SHA1: + sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; + break; + case SEC_OID_SHA224: + sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; + break; ++ case SEC_OID_UNKNOWN: /* default for DSA if not specified */ + case SEC_OID_SHA256: + sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; + break; +@@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType + break; + case ecKey: + switch (hashAlgTag) { +- case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ + case SEC_OID_SHA1: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; + break; + case SEC_OID_SHA224: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; + break; ++ case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ + 
case SEC_OID_SHA256: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; + break; diff --git a/SOURCES/nsspem-use-system-freebl.patch b/SOURCES/nsspem-use-system-freebl.patch deleted file mode 100644 index 115b49c..0000000 --- a/SOURCES/nsspem-use-system-freebl.patch +++ /dev/null 
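Review bot: In the `SEC_DerSignData` part of this patch the DSA branch switches on `PK11_SignatureLen(pk)` against the labels 320, 448 and 512, and `default:` now selects SHA-256 instead of SHA-1. Those labels look like bit counts; `PK11_SignatureLen` is not shown here, and if it reports a length in bytes none of the numbered cases can match, so the added `case 320:` SHA-1 branch would be dead and every DSA key would take the SHA-256 default. Please confirm the unit and record it next to the existing comment, e.g. `/* PK11_SignatureLen() unit is BITS_OR_BYTES; the case labels below must use the same unit */`. Separately, the `smime` script now hard-codes `micalg=sha256` on the stated assumption that cmsutil produces a SHA-256 digest, so the MIME header and the real digest diverge if cmsutil is run with a different `-H`; whether the script passes `-H` is outside the visible lines.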
@@ -1,80 +0,0 @@ -diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk ---- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700 -@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m - # are specifed as dependencies within rules.mk. - # - -+ -+EXTRA_LIBS += \ -+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ -+ $(NULL) -+ - TARGETS = $(SHARED_LIBRARY) - LIBRARY = - IMPORT_LIBRARY = -@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS) - MKSHLIB += -R '$$ORIGIN' - endif - -+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and -+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil -+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf. -+ifdef USE_SYSTEM_NSSUTIL -+OS_LIBS += $(NSSUTIL_LIBS) -+else -+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) -+EXTRA_LIBS += $(NSSUTIL_LIBS) -+endif -+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and -+# FREEBL_LIBS to the linker command-line arguments for the system nssutil -+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf. 
-+ifdef USE_SYSTEM_FREEBL -+OS_LIBS += $(FREEBL_LIBS) -+else -+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX) -+EXTRA_LIBS += $(FREEBL_LIBS) -+endif -+ -diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile ---- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700 -@@ -43,8 +43,7 @@ include config.mk - EXTRA_LIBS = \ - $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ -- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ -- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \ -+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ - $(NULL) - - # can't do this in manifest.mn because OS_TARGET isn't defined there. -@@ -56,6 +55,9 @@ EXTRA_LIBS += \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ -+ -L$(NSSUTIL_LIB_DIR) \ -+ -lnssutil3 \ -+ -lfreebl3 - $(NULL) - else - EXTRA_SHARED_LIBS += \ -@@ -74,6 +76,9 @@ EXTRA_LIBS += \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ -+ -L$(NSSUTIL_LIB_DIR) \ -+ -lnssutil3 \ -+ -lfreebl3 \ - $(NULL) - endif - -diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn ---- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700 -@@ -65,4 +65,4 @@ REQUIRES = nspr - - LIBRARY_NAME = nsspem - --#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3 diff --git a/SOURCES/pem-compile-with-Werror.patch b/SOURCES/pem-compile-with-Werror.patch deleted file mode 100644 index 392d74a..0000000 --- a/SOURCES/pem-compile-with-Werror.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h ---- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800 -@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr { - }; - typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey; - -+/* NOTE: Discrepancy with the the way callers use of the return value as a count -+ * Fix this when we sync. up with the cleanup work being done at nss-pem project. -+ */ - SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly); - const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type); - void pem_PopulateModulusExponent(pemInternalObject *io); -diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c ---- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800 -@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key - char *ivstring = NULL; - int cipher; - -- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); -+ /* TODO: Fix discrepancy between our usage of the return value as -+ * as an int (a count) and the declaration as a SECStatus. */ -+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); - if (nobjs <= 0) { - nss_ZFreeIf(objs); - return CKR_GENERAL_ERROR; -@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key - if (keyfile) { /* add the private key */ - SECItem **keyobjs = NULL; - int kobjs = 0; -+ /* TODO: Fix discrepancy between our usage of the return value as -+ * as an int and the declaration as a SECStatus. 
*/ - kobjs = -- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, -+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, - &ivstring, PR_FALSE); - if (kobjs < 1) { - error = CKR_GENERAL_ERROR; -diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c ---- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800 -@@ -630,6 +630,11 @@ pem_DestroyInternalObject - if (io->u.key.ivstring) - free(io->u.key.ivstring); - break; -+ case pemAll: -+ /* pemAll is not used, keep the compiler happy -+ * TODO: investigate a proper solution -+ */ -+ return; - } - - if (NULL != gobj) -@@ -1044,7 +1049,9 @@ pem_CreateObject - int nobjs = 0; - int i; - int objid; -+#if 0 - pemToken *token; -+#endif - int cipher; - char *ivstring = NULL; - pemInternalObject *listObj = NULL; -@@ -1073,7 +1080,9 @@ pem_CreateObject - } - slotID = nssCKFWSlot_GetSlotID(fwSlot); - -+#if 0 - token = (pemToken *) mdToken->etc; -+#endif - - /* - * only create keys and certs. -@@ -1114,7 +1123,11 @@ pem_CreateObject - } - - if (objClass == CKO_CERTIFICATE) { -- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); -+ /* TODO: Fix discrepancy between our usage of the return value as -+ * as an int and the declaration as a SECStatus. Typecasting as a -+ * temporary workaround. 
-+ */ -+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); - if (nobjs < 1) - goto loser; - -diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c ---- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800 -@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey - return 0; - } - -+/* unused functions */ -+#if 0 - static SHA1Context *SHA1_CloneContext(SHA1Context * original) - { - SHA1Context *clone = NULL; -@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un - - return SECSuccess; - } -+#endif /* unused functions */ - - /* - * Format one block of data for public/private key encryption using -diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c ---- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800 -@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds - return SECFailure; - } - --int -+/* FIX: Returns a SECStatus yet callers take result as a count */ -+SECStatus - ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii, - int *cipher, char **ivstring, PRBool certsonly) - { -@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha - goto loser; - } - if ((certsonly && !key) || (!certsonly && key)) { -+ error = CKR_OK; - PUT_Object(der, error); -+ if (error != CKR_OK) { -+ free(der); -+ goto loser; -+ } - } else { - free(der->data); - free(der); -@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha - } - - /* NOTE: This code path has never been tested. */ -+ error = CKR_OK; - PUT_Object(der, error); -+ if (error != CKR_OK) { -+ free(der); -+ goto loser; -+ } - } - - nss_ZFreeIf(filedata.data); 
diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch
deleted file mode 100644
index e66e8cb..0000000
--- a/SOURCES/ssl-server-min-key-sizes.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h
---- nss/lib/nss/nssoptions.h.min_key_sizes 2017-02-20 16:42:23.456894585 +0100
-+++ nss/lib/nss/nssoptions.h 2017-02-20 16:43:02.687942525 +0100
-@@ -16,5 +16,5 @@
- /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
- * only 1023 bits and similar. We don't have good data on whether this
- * happens because NSS used to count bit lengths incorrectly. */
--#define SSL_DH_MIN_P_BITS 1023
-+#define SSL_DH_MIN_P_BITS 768
- #define SSL_DSA_MIN_P_BITS 1023
-diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.min_key_sizes 2017-02-20 16:42:23.459894513 +0100
-+++ nss/lib/ssl/ssl3con.c 2017-02-20 16:43:42.744970411 +0100
-@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket
- minDH = SSL_DH_MIN_P_BITS;
- }
- dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
-- if (dh_p_bits < minDH) {
-+ if (dh_p_bits < SSL_DH_MIN_P_BITS) {
- errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
- goto alert_loser;
- }
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 5199c33..aaaa8d1 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,13 +1,13 @@ %global nspr_version 4.13.1 -%global nss_util_version 3.28.2 -%global nss_util_build -1.1 +%global nss_util_version 3.28.4 +%global nss_util_build -2 # adjust to the version that gets submitted for FIPS validation %global nss_softokn_fips_version 3.16.2 -%global nss_softokn_version 3.16.2.3 +%global nss_softokn_version 3.28.3 # Attention: Separate softokn versions for build and runtime. -%global runtime_required_softokn_build_version -14.2 +%global runtime_required_softokn_build_version -4 # Building NSS doesn't require the softokn -13 build. -%global build_required_softokn_build_version -13 +%global build_required_softokn_build_version -4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -27,7 +27,7 @@ Summary: Network Security Services Name: nss Version: 3.28.4 -Release: 1.2%{?dist} +Release: 8%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -51,6 +51,12 @@ BuildRequires: gawk BuildRequires: psmisc BuildRequires: perl +# nss-pem used to be bundled with the nss package on Fedora -- make sure that +# programs relying on that continue to work until they are fixed to require +# nss-pem instead. Once all of them are fixed, the following line can be +# removed. See https://bugzilla.redhat.com/1346806 for details. +Requires: nss-pem%{?_isa} + %if %{defined nss_ckbi_suffix} %define full_nss_version %{version}%{nss_ckbi_suffix} %else @@ -68,7 +74,6 @@ Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh Source10: PayPalEE.cert -Source12: %{name}-pem-20140125.tar.bz2 Source17: TestCA.ca.cert Source18: TestUser50.cert Source19: TestUser51.cert 
@@ -82,15 +87,12 @@ Source26: key4.db.xml Source27: secmod.db.xml Source30: PayPalRootCA.cert Source31: PayPalICA.cert +Source32: nss-rhel7.config Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch -Patch6: nss-enable-pem.patch Patch16: nss-539183.patch Patch18: nss-646045.patch -# must statically link pem against the freebl in the buildroot -# Needed only when sources on tree have new APIS -Patch25: nsspem-use-system-freebl.patch # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator @@ -104,13 +106,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch # headers are older. Such is the case when starting an update with API changes or even private export changes. # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. Patch50: iquote.patch -# As of nss-3.21 we compile NSS with -Werror. -# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667 -# This requires a cleanup of the PEM module as we have it here. -# TODO: submit a patch to the interim nss-pem upstream project -# The submission will be very different from this patch as -# cleanup there is already in progress there. -Patch51: pem-compile-with-Werror.patch Patch52: Bug-1001841-disable-sslv2-libssl.patch Patch53: Bug-1001841-disable-sslv2-tests.patch Patch55: enable-fips-when-system-is-in-fips-mode.patch 
@@ -122,39 +117,40 @@ Patch62: nss-fix-deadlock-squash.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373 Patch74: race.patch Patch94: nss-3.16-token-init-race.patch -Patch99: ssl-server-min-key-sizes.patch Patch100: fix-min-library-version-in-SSLVersionRange.patch -Patch106: nss-old-pkcs11-num.patch Patch108: nss-sni-c-v-fix.patch -# Local: keep as long nss-softokn lacks support -Patch113: disable-extended-master-secret-with-old-softoken.patch -Patch115: nss-prevent-abi-issue.patch -Patch116: nss-tests-prevent-abi-issue.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1298692 -Patch122: disable-ems-gtests.patch Patch123: nss-skip-util-gtest.patch -# Disable X25519 and ChaCha20, until nss-softokn is rebased -Patch124: nss-disable-curve25519.patch Patch126: nss-reorder-cipher-suites.patch Patch127: nss-disable-cipher-suites.patch Patch128: nss-enable-cipher-suites.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932 Patch129: moz-1320932.patch -# Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6 -# for rhbz#1390161) +# Disable RSA-PSS until the feature is complete Patch130: disable-pss.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054 Patch132: nss-tstclnt-optspec.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1336487 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345083 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1350859 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1349705 +Patch133: nss-1334976-1336487-1345083-ca-2.14.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=956866 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1360207 +Patch134: nss-alert-handler.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 +Patch135: nss-check-policy-file.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345106 +Patch136: 
nss-tools-sha256-default.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1297397 +Patch137: nss-is-token-present-race.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1353724 +Patch138: nss-pk12util.patch +Patch139: nss-disable-pss-gtests.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122 -Patch133: nss-ssl3gthr.patch -Patch134: nss-ca-2.14.patch -Patch200: nss-disable-curve25519-gtests.patch -Patch201: nss-disable-curve25519-tests.patch -Patch202: nss-disable-chacha20-gtests.patch -Patch203: nss-disable-chacha20-tests.patch -Patch204: nss-disable-pss-gtests.patch -Patch205: nss-disable-unsupported-gtests.patch -Patch206: nss-disable-unsupported-tests.patch +Patch140: nss-ssl3gthr.patch %description Network Security Services (NSS) is a set of libraries designed to 
@@ -231,54 +227,42 @@ low level services. %{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs %{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs %{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs -%setup -q -T -D -n %{name}-%{version} -a 12 +%setup -q -T -D -n %{name}-%{version} %patch2 -p0 -b .relro %patch3 -p0 -b .transitional -%patch6 -p0 -b .libpem %patch16 -p0 -b .539183 -# link pem against buildroot's freebl, essential when mixing and matching -%patch25 -p0 -b .systemfreebl %patch40 -p0 -b .noocsptest %patch47 -p0 -b .templates %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote -%patch51 -p1 -b -Werror pushd nss %patch52 -p1 -b .disableSSL2libssl %patch53 -p1 -b .disableSSL2tests %patch55 -p1 -b .852023_enable_fips_when_in_fips_mode %patch56 -p1 -b .1026677_ignore_set_policy %patch62 -p1 -b .fix_deadlock -%patch99 -p1 -b .min_key_sizes %patch100 -p0 -b .1171318 -%patch113 -p1 -b .disable-ems -%patch115 -p1 -b .abi_lib -%patch116 -p1 -b .abi_tests %patch74 -p1 -b .race popd %patch94 -p0 -b .init-token-race -%patch106 -p0 -b .old_pkcs11_num %patch108 -p0 -b .sni_c_v_fix pushd nss -%patch122 -p1 -b .disable_ems_gtests %patch123 -p1 -b .skip-util-gtests -%patch124 -p1 -b .disable-curve25519 %patch126 -p1 -b .reorder-cipher-suites %patch127 -p1 -b .disable-cipher-suites %patch128 -p1 -b .enable-cipher-suites %patch129 -p1 -b .fix_ssl_sh_typo %patch130 -p1 -b .disable_pss %patch132 -p1 -b .tstclnt-optspec -%patch133 -p1 -b .ssl3gthr -%patch134 -p1 -b .ca-2.14.patch -%patch200 -p1 -b .disable-curve25519-gtests -%patch201 -p1 -b .disable-curve25519-tests -%patch202 -p1 -b .disable-chacha20-gtests -%patch203 -p1 -b .disable-chacha20-tests -%patch204 -p1 -b .disable-pss-gtests -%patch205 -p1 -b .disable-unsupported-gtests -%patch206 -p1 -b .disable-unsupported-tests +%patch133 -p1 -b .mozilla-ca-policy-plus-ca-2.14 +%patch134 -p1 -b .alert-handler +%patch135 -p1 -b .check_policy_file +%patch136 -p1 -b .tools-sha256-default +%patch137 -p1 -b .is-token-present-race +%patch138 
-p1 -b .pk12util +%patch139 -p1 -b .disable-pss-gtests +%patch140 -p1 -b .ssl3gthr popd ######################################################### @@ -287,11 +271,6 @@ popd # until fixed upstream we must copy some headers locally ######################################################### -pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt" -for file in ${pemNeedsFromSoftoken}; do - %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/ -done - # Copying these header until the upstream bug is accepted # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf @@ -390,6 +369,12 @@ export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm +# Set the policy file location +# if set NSS will always check for the policy file and load if it exists +export POLICY_FILE="nss-rhel7.config" +# location of the policy file +export POLICY_PATH="/etc/pki/nss-legacy" + # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c # need nss/lib/util/verref.h which is exported privately, # copy the one we saved during prep so it they can find it. @@ -611,7 +596,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so %{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so # Copy the binary libraries we want -for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so +for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so do %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done @@ -683,6 +668,9 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done +%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy +%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config + %clean %{__rm} -rf $RPM_BUILD_ROOT 
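Review bot: In the hunk at `@@ -390,6 +369,12 @@`, `export POLICY_PATH="/etc/pki/nss-legacy"` hard-codes the directory, while the install step added at `@@ -683,6 +668,9 @@` and the `%files` entry both use `%{_sysconfdir}/pki/nss-legacy`. The build-time value should use the same macro, `export POLICY_PATH="%{_sysconfdir}/pki/nss-legacy"`, so the compiled-in location cannot drift from where the file is packaged. The added comment says NSS loads the policy file "if it exists", which suggests that a missing or unreadable file leaves the library without the `disallow=md5` and minimum-key-size policy. If that is the behaviour, the comment should say so explicitly, so that the file is treated as security-relevant by administrators and file-integrity monitoring.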
@@ -729,7 +717,6 @@ fi %{_libdir}/libsmime3.so %ghost %{_libdir}/libnssckbi.so %{_libdir}/nss/libnssckbi.so -%{_libdir}/libnsspem.so %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db @@ -743,6 +730,8 @@ fi %attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz +%dir %{_sysconfdir}/pki/nss-legacy +%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config %files sysinit %defattr(-,root,root) @@ -820,7 +809,6 @@ fi %{_includedir}/nss3/keythi.h %{_includedir}/nss3/nss.h %{_includedir}/nss3/nssckbi.h -%{_includedir}/nss3/nsspem.h %{_includedir}/nss3/ocsp.h %{_includedir}/nss3/ocspt.h %{_includedir}/nss3/p12.h 
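Review bot: Marking `%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config` as `%config(noreplace)` means a host with a locally edited policy keeps that copy on upgrade, and a later, stricter policy from the package arrives only as `.rpmnew`. That is a reasonable choice for an admin-tunable file, but for a crypto policy it should be deliberate and written down. I would add a comment above the entry such as `# admin-editable policy: upgrades keep local edits, a new default lands as .rpmnew`. Unlike the nssdb entries in the same list, this line has no `%verify(not md5 size mtime)`, so `rpm -V` will still report local changes; that is worth keeping for tamper detection.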
@@ -865,37 +853,66 @@ fi %changelog -* Tue May 16 2017 Kai Engert - 3.28.4-1.2 +* Fri May 5 2017 Kai Engert - 3.28.4-8 - Include CKBI 2.14 and updated CA constraints from NSS 3.28.5 -* Mon May 15 2017 Daiki Ueno - 3.28.4-1.1 -- Fix zero-length record treatment in SSL3_GatherData +* Fri May 5 2017 Daiki Ueno - 3.28.4-7 +- Update nss-pk12util.patch to include fix from mozbz#1353724. -* Fri Apr 7 2017 Daiki Ueno - 3.28.4-1.0 -- Rebase to NSS 3.28.4 +* Wed May 3 2017 Daiki Ueno - 3.28.4-6 +- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207. -* Mon Feb 20 2017 Daiki Ueno - 3.28.2-1.6 -- Restore ssl-server-min-key-sizes.patch +* Fri Apr 28 2017 Daiki Ueno - 3.28.4-5 +- Fix zero-length record treatment for stream ciphers and SSLv2 + +* Thu Apr 27 2017 Daiki Ueno - 3.28.4-4 +- Correctly set policy file location when building + +* Wed Apr 26 2017 Daiki Ueno - 3.28.4-3 +- Reorder ChaCha20-Poly1305 cipher suites, as suggested in: + https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9 + +* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2 +- Rebase to NSS 3.28.4 +- Update nss-pk12util.patch with backport of mozbz#1353325 + +* Thu Mar 16 2017 Daiki Ueno - 3.28.3-5 +- Switch default hash algorithm used by tools from SHA-1 to SHA-256 +- Avoid race condition in nssSlot_IsTokenPresent() +- Enable SHA-2 and AES in pk12util +- Disable RSA-PSS for now + +* Fri Mar 10 2017 Daiki Ueno - 3.28.3-4 +- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert +- Backport changes adding SSL alert callbacks from upstream +- Add nss-check-policy-file.patch from Fedora +- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-3 +- Make sure 32bit nss-pem always be installed with 32bit nss in + multlib environment, patch by Kamil Dudka +- Enable new algorithms supported by the new nss-softokn + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2 +- Rebase to NSS 3.28.3 +- Bump required version of nss-softokn + +* Wed Feb 15 2017 Daiki Ueno - 
3.28.2-3 +- Remove %%nss_cycles setting, which was also mistakenly added +- Re-enable BUILD_OPT, mistakenly disabled in the previous build +- Prevent ABI incompatibilty of SECKEYECPublicKey - Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default - Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream patch in the previous release - Fix crash with tstclnt -W - -* Fri Feb 17 2017 Daiki Ueno - 3.28.2-1.5 - Always enable gtests for supported features -- Prevent ABI incompatibilty of SECKEYECPublicKey - -* Thu Feb 16 2017 Daiki Ueno - 3.28.2-1.4 - Add patch to fix bash syntax error in tests/ssl.sh - Build with support for SSLKEYLOGFILE - Disable the use of RSA-PSS with SSL/TLS -* Wed Feb 15 2017 Daiki Ueno - 3.28.2-1.3 -- Remove %%nss_cycles setting, which was also mistakenly added - -* Wed Feb 15 2017 Daiki Ueno - 3.28.2-1.2 -- Reorder cipher suites for compatibility -- Re-enable BUILD_OPT, mistakenly disabled in the previous build +* Tue Feb 14 2017 Daiki Ueno - 3.28.2-2 +- Decouple nss-pem from the nss package +- Resolves: #1316546 * Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1 - Remove mistakenly added R: nss-pem @@ -922,12 +939,6 @@ fi fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch, call-restartmodules-in-nssinit.patch -* Tue Nov 08 2016 Kai Engert - 3.21.3-2 -- Mozilla #1314604 / Red Hat CVE-2016-8635 - -* Wed Nov 02 2016 Kai Engert - 3.21.3-1.1 -- rebuild - * Wed Oct 26 2016 Daiki Ueno - 3.21.3-1 - Rebase to NSS 3.21.3 - Resolves: #1383887