diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c246a40
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/python-nss-0.16.0.tar.bz2
diff --git a/.python-nss.metadata b/.python-nss.metadata
new file mode 100644
index 0000000..462e07c
--- /dev/null
+++ b/.python-nss.metadata
@@ -0,0 +1 @@
+f1f760f478bb784472675e77a433a01bb3da050f SOURCES/python-nss-0.16.0.tar.bz2
diff --git a/SOURCES/nss-version.patch b/SOURCES/nss-version.patch
new file mode 100644
index 0000000..545c5a7
--- /dev/null
+++ b/SOURCES/nss-version.patch
@@ -0,0 +1,75 @@ +diff -r -u python-nss-0.16.0.orig/doc/examples/ssl_version_range.py python-nss-0.16.0/doc/examples/ssl_version_range.py +--- python-nss-0.16.0.orig/doc/examples/ssl_version_range.py 2014-11-25 12:20:58.744325434 -0500 ++++ python-nss-0.16.0/doc/examples/ssl_version_range.py 2014-11-25 14:50:42.530189512 -0500 +@@ -96,13 +96,12 @@ + + names = [ + 'ssl2', 'ssl3', +- 'tls1.0', 'tls1.1', 'tls1.2', 'tls1.3', ++ 'tls1.0', 'tls1.1', 'tls1.2', + 'SSL_LIBRARY_VERSION_2', + 'SSL_LIBRARY_VERSION_3_0', + 'SSL_LIBRARY_VERSION_TLS_1_0', + 'SSL_LIBRARY_VERSION_TLS_1_1', + 'SSL_LIBRARY_VERSION_TLS_1_2', +- 'SSL_LIBRARY_VERSION_TLS_1_3', + ] + + print +diff -r -u python-nss-0.16.0.orig/src/py_ssl.c python-nss-0.16.0/src/py_ssl.c +--- python-nss-0.16.0.orig/src/py_ssl.c 2014-11-25 12:20:58.766325459 -0500 ++++ python-nss-0.16.0/src/py_ssl.c 2014-11-25 14:49:47.032128344 -0500 +@@ -193,9 +193,11 @@ + case 3: + version_enum = SSL_LIBRARY_VERSION_TLS_1_2; + break; ++#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17) + case 4: + version_enum = SSL_LIBRARY_VERSION_TLS_1_3; + break; ++#endif + default: + PyErr_Format(PyExc_ValueError, + "Verson %d.%d has unkown minor version", +@@ -4411,7 +4413,9 @@ + ExportConstant(SSL_LIBRARY_VERSION_TLS_1_0); + ExportConstant(SSL_LIBRARY_VERSION_TLS_1_1); + ExportConstant(SSL_LIBRARY_VERSION_TLS_1_2); ++#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17) + ExportConstant(SSL_LIBRARY_VERSION_TLS_1_3); ++#endif + + + if ((ssl_library_version_alias_to_value = PyDict_New()) == NULL) { +@@ -4430,7 +4434,9 @@ + ExportConstantAlias(SSL_LIBRARY_VERSION_TLS_1_0, "tls1.0"); + ExportConstantAlias(SSL_LIBRARY_VERSION_TLS_1_1, "tls1.1"); + ExportConstantAlias(SSL_LIBRARY_VERSION_TLS_1_2, "tls1.2"); ++#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17) + ExportConstantAlias(SSL_LIBRARY_VERSION_TLS_1_3, "tls1.3"); ++#endif + + + #undef ExportConstant +@@ -4639,7 +4645,9 @@ + /* TLS_FALLBACK_SCSV is a signaling cipher 
suite value that indicates that a + * handshake is the result of TLS version fallback. + */ ++#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17) + ExportConstant(TLS_FALLBACK_SCSV); ++#endif + + /* Cipher Suite Values starting with 0xC000 are defined in informational + * RFCs. +diff -r -u python-nss-0.16.0.orig/src/SSLerrs.h python-nss-0.16.0/src/SSLerrs.h +--- python-nss-0.16.0.orig/src/SSLerrs.h 2014-11-25 12:20:58.766325459 -0500 ++++ python-nss-0.16.0/src/SSLerrs.h 2014-11-25 14:49:47.033128345 -0500 +@@ -419,6 +419,8 @@ + ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130), + "The server supports no protocols that the client advertises in the ALPN extension.") + ++#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17) + ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131), + "The server rejected the handshake because the client downgraded to a lower " + "TLS version than the server supports.") ++#endif diff --git a/SOURCES/python-nss-doc-manifest.patch b/SOURCES/python-nss-doc-manifest.patch new file mode 100644 index 0000000..4ddee79 --- /dev/null +++ b/SOURCES/python-nss-doc-manifest.patch 
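Review bot: The version guard `(NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17)` is repeated verbatim five times across py_ssl.c and SSLerrs.h; defining it once, e.g. `#define NSS_AT_LEAST_3_17 ((NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 17))` in a header both files see, would keep the cutoff consistent the next time it moves. The ssl_version_range.py example drops the tls1.3 names unconditionally, while the C side only drops them on NSS older than 3.17, so on a newer NSS the example no longer exercises a constant the module does export; a comment in the example stating that it targets NSS 3.16 would make the asymmetry deliberate. The `default:` branch's message in the context lines ("Verson ... unkown") predates this change but is worth a follow-up typo fix.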
@@ -0,0 +1,28 @@ +# HG changeset patch +# User John Dennis +# Date 1420558515 18000 +# Tue Jan 06 10:35:15 2015 -0500 +# Node ID 22895012dc87281141bf15494bb860e68b37ecc6 +# Parent 46403a1eb97050a09eb8c4e6adf428c742ab9c5f +fix install_doc manifest, it omitted the run_tests script. + +Tighten up the manifest regular expressions. +Exclude the pki directory from doc/examples and test. + +diff --git a/setup.py b/setup.py +--- a/setup.py ++++ b/setup.py +@@ -21,9 +21,11 @@ + + doc_manifest = [ + [['include README LICENSE* doc/ChangeLog', +- 'recursive-include doc *.py *.txt',], ++ 'recursive-include doc *.py *.txt', ++ 'prune doc/examples/pki'], + [('^doc/', '')], None], +- [['recursive-include test *.py *.txt',], ++ [['recursive-include test run_tests setup_certs.py test_*.py util.py *.txt', ++ 'prune test/pki'], + None , None], + [['recursive-include lib *.py *.txt',], + [('^lib/', '')] , 'examples'], diff --git a/SOURCES/python-nss-file-like-read.patch b/SOURCES/python-nss-file-like-read.patch new file mode 100644 index 0000000..b7d64cb --- /dev/null +++ b/SOURCES/python-nss-file-like-read.patch 
@@ -0,0 +1,49 @@ +fix read_data_from_file(), make it accept any file like object + +read_data_from_file() was supposed to accept either a string +representing a filename to open or a file object on which it will +call read() to load the contents. However the test for a file object +was too restrictive, it literally checked for a file object which +excluded objects supporting the file interface +(e.g. StringIO). Therefore the test was changed to test if the object +has a read() method. + +diff -r -u python-nss-0.16.0.orig/src/py_nss.c python-nss-0.16.0/src/py_nss.c +--- python-nss-0.16.0.orig/src/py_nss.c 2014-10-23 19:15:12.000000000 -0400 ++++ python-nss-0.16.0/src/py_nss.c 2015-05-26 17:16:50.373886276 -0400 +@@ -1796,6 +1796,20 @@ + return py_sec_item; + } + ++static bool ++pyobject_has_method(PyObject* obj, const char *method_name) ++{ ++ PyObject *attr; ++ int is_callable; ++ ++ if ((attr = PyObject_GetAttrString(obj, method_name)) == NULL) { ++ return false; ++ } ++ is_callable = PyCallable_Check(attr); ++ Py_DECREF(attr); ++ return is_callable ? true : false; ++} ++ + /* + * read_data_from_file(PyObject *file_arg) + * +@@ -1819,11 +1833,11 @@ + if ((py_file = PyFile_FromString(PyString_AsString(file_arg), "r")) == NULL) { + return NULL; + } +- } else if (PyFile_Check(file_arg)) { ++ } else if (pyobject_has_method(file_arg, "read")) { + py_file = file_arg; + Py_INCREF(py_file); + } else { +- PyErr_SetString(PyExc_TypeError, "Bad file, must be pathname or file object"); ++ PyErr_SetString(PyExc_TypeError, "Bad file, must be pathname or file like object with read() method"); + return NULL; + } + +Only in python-nss-0.16.0/src: py_nss.c~ diff --git a/SOURCES/python-nss-set_certificate_db.patch b/SOURCES/python-nss-set_certificate_db.patch new file mode 100644 index 0000000..c597e83 --- /dev/null +++ b/SOURCES/python-nss-set_certificate_db.patch 
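Review bot: `pyobject_has_method()` returns false after a failed `PyObject_GetAttrString()` without clearing the exception that call set, so the Python error indicator is left pending; the one caller here happens to overwrite it with `PyErr_SetString(PyExc_TypeError, ...)`, but any future caller that returns normally on false would surface a stale exception. Add `PyErr_Clear();` before `return false;`. The patch file also ends with a stray `Only in python-nss-0.16.0/src: py_nss.c~` line from running diff over a tree containing an editor backup; `patch` ignores it, but it should be stripped from the shipped patch. `read_data_from_file()` starts and ends outside the hunk.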
@@ -0,0 +1,26 @@ +# HG changeset patch +# User John Dennis +# Date 1434146562 14400 +# Fri Jun 12 18:02:42 2015 -0400 +# Node ID 932c56dbe8dbf74ca90461770f40c4ae2c79fe62 +# Parent 6096d0660e2abefcee12e502fed029663d435c54 +SSLSocket.set_certificate_db() fails with TypeError + +Resolves bug +https://bugzilla.redhat.com/show_bug.cgi?id=1230584 + +The PyArg_ParseTuple parameters were incorrectly specified, +it passed a type instead of a pointer to type. + +diff --git a/src/py_ssl.c b/src/py_ssl.c +--- a/src/py_ssl.c ++++ b/src/py_ssl.c +@@ -1638,7 +1638,7 @@ + { + CertDB *py_certdb = NULL; + +- if (!PyArg_ParseTuple(args, "O!:set_certificate_db", CertDBType, &py_certdb)) ++ if (!PyArg_ParseTuple(args, "O!:set_certificate_db", &CertDBType, &py_certdb)) + return NULL; + + if (SSL_CertDBHandleSet(self->pr_socket, py_certdb->handle) != SECSuccess) { diff --git a/SOURCES/python-nss-test-fips.patch b/SOURCES/python-nss-test-fips.patch new file mode 100644 index 0000000..b280e53 --- /dev/null +++ b/SOURCES/python-nss-test-fips.patch 
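Review bot: The one-character fix ships without a regression test; nothing in the commit calls `SSLSocket.set_certificate_db()`, which is presumably how the wrong `O!` argument survived until bug 1230584. A call such as `sock.set_certificate_db(certdb)` in the client or server setup of test_client_server.py (already touched by the FIPS patch) would pin it. The `&CertDBType` form is correct, since `O!` expects a pointer to the type object. The enclosing function starts outside the hunk.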
@@ -0,0 +1,228 @@ +# HG changeset patch +# User John Dennis +# Date 1434146324 14400 +# Fri Jun 12 17:58:44 2015 -0400 +# Node ID 6096d0660e2abefcee12e502fed029663d435c54 +# Parent a5e07e90e9c8cb08c5fb46eba16bdb43b94d67c3 +Some unit tests fail in FIPS mode + +Resolves bug +https://bugzilla.redhat.com/show_bug.cgi?id=1194349 + +Essentially there were 2 problems: + +1. The DB password 'db_passwd' was not complex enough for FIPS + changing it to 'DB_passwd' with upper case was sufficient. + Also changed the pkcs password 'pk12_passwd' to 'PK12_passwd' + +2. NSS adds a random salt in FIPS mode for the PKCS12 operations. + The presence of this salt was causing a comparision to fail, + the exact salt is insignificant to the operation of the test + so it was stripped out prior to comparision. + +At the same time setup_certs.py was augmented to accept a --fips +parameter to put the DB into fips mode and setup_certs.py also +now reports the status of the system FIPS mode and DB FIPS mode in +addtion to the existing info displayed at its conclusion. 
+ +diff --git a/test/setup_certs.py b/test/setup_certs.py +--- a/test/setup_certs.py ++++ b/test/setup_certs.py +@@ -4,6 +4,7 @@ + import atexit + import logging + import os ++import re + import shutil + import subprocess + import sys +@@ -11,6 +12,12 @@ + import tempfile + + #------------------------------------------------------------------------------- ++logger = None ++ ++FIPS_SWITCH_FAILED_ERR = 11 ++FIPS_ALREADY_ON_ERR = 12 ++FIPS_ALREADY_OFF_ERR = 13 ++ + + class CmdError(Exception): + def __init__(self, cmd_args, returncode, message=None, stdout=None, stderr=None): +@@ -41,7 +48,7 @@ + returncode = p.returncode + if returncode != 0: + raise CmdError(cmd_args, returncode, +- 'failed %s' % (', '.join(cmd_args)), ++ 'failed %s' % (' '.join(cmd_args)), + stdout, stderr) + return stdout, stderr + except OSError as e: +@@ -319,9 +326,75 @@ + run_cmd(cmd_args) + return name + ++def parse_fips_enabled(string): ++ if re.search('FIPS mode disabled', string): ++ return False ++ if re.search('FIPS mode enabled', string): ++ return True ++ raise ValueError('unknown fips enabled string: "%s"' % string) ++ ++def get_system_fips_enabled(): ++ fips_path = '/proc/sys/crypto/fips_enabled' ++ ++ try: ++ with open(fips_path) as f: ++ data = f.read() ++ except Exception as e: ++ logger.warning("Unable to determine system FIPS mode: %s" % e) ++ data = '0' ++ ++ value = int(data) ++ if value: ++ return True ++ else: ++ return False ++ ++ ++def get_db_fips_enabled(db_name): ++ cmd_args = ['/usr/bin/modutil', ++ '-dbdir', db_name, # NSS database ++ '-chkfips', 'true', # enable/disable fips ++ ] ++ ++ try: ++ stdout, stderr = run_cmd(cmd_args) ++ return parse_fips_enabled(stdout) ++ except CmdError as e: ++ if e.returncode == FIPS_SWITCH_FAILED_ERR: ++ return parse_fips_enabled(e.stdout) ++ else: ++ raise ++ ++def set_fips_mode(options): ++ if options.fips: ++ state = 'true' ++ else: ++ if get_system_fips_enabled(): ++ logger.warning("System FIPS enabled, cannot disable FIPS") ++ 
return ++ state = 'false' ++ ++ logging.info('setting fips: %s', state) ++ ++ cmd_args = ['/usr/bin/modutil', ++ '-dbdir', options.db_name, # NSS database ++ '-fips', state, # enable/disable fips ++ '-force' ++ ] ++ ++ try: ++ stdout, stderr = run_cmd(cmd_args) ++ except CmdError as e: ++ if options.fips and e.returncode == FIPS_ALREADY_ON_ERR: ++ pass ++ elif not options.fips and e.returncode == FIPS_ALREADY_OFF_ERR: ++ pass ++ else: ++ raise + #------------------------------------------------------------------------------- + + def setup_certs(args): ++ global logger + + # --- cmd --- + parser = argparse.ArgumentParser(description='create certs for testing', +@@ -393,6 +466,9 @@ + parser.add_argument('--serial-file', dest='serial_file', + help='name of file used to track next serial number') + ++ parser.add_argument('--db-fips', action='store_true', ++ help='enable FIPS mode on NSS Database') ++ + parser.set_defaults(verbose = False, + debug = False, + quiet = False, +@@ -402,7 +478,7 @@ + hostname = os.uname()[1], + db_type = 'sql', + db_dir = 'pki', +- db_passwd = 'db_passwd', ++ db_passwd = 'DB_passwd', + ca_subject = 'CN=Test CA', + ca_nickname = 'test_ca', + server_subject = 'CN=${hostname}', +@@ -416,6 +492,7 @@ + valid_months = 12, + ca_path_len = 2, + serial_file = '${db_dir}/serial', ++ fips = False, + ) + + +@@ -468,6 +545,7 @@ + + try: + create_database(options) ++ set_fips_mode(options) + cert_nicknames.append(create_ca_cert(options)) + cert_nicknames.append(create_server_cert(options)) + cert_nicknames.append(create_client_cert(options)) +@@ -488,6 +566,8 @@ + logging.info('---------- Summary ----------') + logging.info('NSS database name="%s", password="%s"', + options.db_name, options.db_passwd) ++ logging.info('system FIPS mode=%s', get_system_fips_enabled()); ++ logging.info('DB FIPS mode=%s', get_db_fips_enabled(options.db_name)); + logging.info('CA nickname="%s", CA subject="%s"', + options.ca_nickname, options.ca_subject) + logging.info('server 
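Review bot: `--db-fips` never takes effect: `parser.add_argument('--db-fips', action='store_true', ...)` stores into `options.db_fips` (argparse derives the dest from the long option name), while `set_fips_mode()` reads `options.fips`, which `set_defaults(fips=False)` pins to False, so the database is never switched into FIPS mode. Change the argument to `parser.add_argument('--db-fips', dest='fips', action='store_true', help='enable FIPS mode on NSS Database')`. Minor points in the same hunks: `set_fips_mode()` logs through the root `logging.info(...)` while its siblings use the module `logger`, the `stdout, stderr` result of `run_cmd()` there is unused, and `get_system_fips_enabled()` catches `Exception` around `open()` where `IOError` is the failure being handled, leaving `int(data)` on malformed content unhandled. The two summary `logging.info(...)` lines end in a stray `;`.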
nickname="%s", server subject="%s"', +diff --git a/test/test_client_server.py b/test/test_client_server.py +--- a/test/test_client_server.py ++++ b/test/test_client_server.py +@@ -22,7 +22,7 @@ + + verbose = False + info = False +-password = 'db_passwd' ++password = 'DB_passwd' + use_ssl = True + client_cert_action = NO_CLIENT_CERT + db_name = 'sql:pki' +diff --git a/test/test_pkcs12.py b/test/test_pkcs12.py +--- a/test/test_pkcs12.py ++++ b/test/test_pkcs12.py +@@ -15,8 +15,8 @@ + + verbose = False + db_name = 'sql:pki' +-db_passwd = 'db_passwd' +-pk12_passwd = 'pk12_passwd' ++db_passwd = 'DB_passwd' ++pk12_passwd = 'PK12_passwd' + + cert_nickname = 'test_user' + pk12_filename = '%s.p12' % cert_nickname +@@ -115,6 +115,9 @@ + raise ValueError('Could not file Key section in pk12 listing') + return text[match.start(0):] + ++def strip_salt_from_pk12_listing(text): ++ return re.sub(r'\s+Salt:\s*\n.*', '', text) ++ + #------------------------------------------------------------------------------- + + def load_tests(loader, tests, pattern): +@@ -206,9 +209,11 @@ + + pk12_listing = list_pk12(pk12_filename) + pk12_listing = strip_key_from_pk12_listing(pk12_listing) ++ pk12_listing = strip_salt_from_pk12_listing(pk12_listing) + + exported_pk12_listing = list_pk12(exported_pk12_filename) + exported_pk12_listing = strip_key_from_pk12_listing(exported_pk12_listing) ++ exported_pk12_listing = strip_salt_from_pk12_listing(exported_pk12_listing) + + self.assertEqual(pk12_listing, exported_pk12_listing) + diff --git a/SPECS/python-nss.spec b/SPECS/python-nss.spec new file mode 100644 index 0000000..1cd632b --- /dev/null +++ b/SPECS/python-nss.spec 
@@ -0,0 +1,1087 @@ +# sitelib for noarch packages, sitearch for others (remove the unneeded one) +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + +%global build_api_doc 1 + +Name: python-nss +Version: 0.16.0 +Release: 3%{?dist} +Summary: Python bindings for Network Security Services (NSS) + +Group: Development/Languages +License: MPLv2.0 or GPLv2+ or LGPLv2+ +URL: ftp://ftp.mozilla.org/pub/mozilla.org/security/python-nss +Source0: ftp://ftp.mozilla.org/pub/mozilla.org/security/python-nss/releases/PYNSS_RELEASE_0_16_0/src/python-nss-%{version}.tar.bz2 +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +Patch1: nss-version.patch +Patch2: python-nss-file-like-read.patch +Patch3: python-nss-test-fips.patch +Patch4: python-nss-set_certificate_db.patch +Patch5: python-nss-doc-manifest.patch + +%global docdir %{_docdir}/%{name}-%{version} + +# We don't want to provide private python extension libs +%{?filter_setup: +%filter_provides_in %{python_sitearch}/.*\.so$ +%filter_setup +} + +BuildRequires: python-devel +BuildRequires: python-setuptools +BuildRequires: python-docutils +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: epydoc + +%description +This package provides Python bindings for Network Security Services +(NSS) and the Netscape Portable Runtime (NSPR). + +NSS is a set of libraries supporting security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. Specific NSS +implementations have been FIPS-140 certified. 
+ +%package doc +Group: Documentation +Summary: API documentation and examples +Requires: %{name} = %{version}-%{release} + +%description doc +API documentation and examples + +%prep +%setup -q +%patch1 -p1 -b .nss-version +%patch2 -p1 -b .file-like +%patch3 -p1 -b .fips-test +%patch4 -p1 -b .set_certificate_db +%patch5 -p1 -b .doc-manifest + +%build +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" %{__python} setup.py build +%if %build_api_doc +%{__python} setup.py build_doc +%endif + +%install +rm -rf $RPM_BUILD_ROOT +%{__python} setup.py install -O1 --install-platlib %{python_sitearch} --skip-build --root $RPM_BUILD_ROOT +%{__python} setup.py install_doc --docdir %{docdir} --skip-build --root $RPM_BUILD_ROOT + +# Remove execution permission from any example/test files in docdir +find $RPM_BUILD_ROOT/%{docdir} -type f | xargs chmod a-x + +# Set correct permissions on .so files +chmod 0755 $RPM_BUILD_ROOT/%{python_sitearch}/nss/*.so + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%{python_sitearch}/* +%doc %{docdir}/ChangeLog +%doc %{docdir}/LICENSE.gpl +%doc %{docdir}/LICENSE.lgpl +%doc %{docdir}/LICENSE.mpl +%doc %{docdir}/README + +%files doc +%defattr(-,root,root,-) +%doc %{docdir}/examples +%doc %{docdir}/test +%if %build_api_doc +%doc %{docdir}/api +%endif + +%changelog +* Tue May 26 2015 John Dennis - 0.16.0-3 +- Resolves: #1225212 + Reads from file like objects actually only worked for file objects +- Resolves: #1179573 + python-nss-doc package is missing the run_tests script +- Resolves: #1194349 + test_pkcs12.py does not works in FIPS mode + +* Tue Nov 25 2014 John Dennis - 0.16.0-2 +- Remove the TLS 1.3 symbols from ssl_version_range.py example + because RHEL only has NSS 3.16. 
+ +* Mon Nov 24 2014 John Dennis - 0.16.0-1 +- resolves: bug#1155703 - Add API call for SSL_VersionRangeSet (rebase) + rebased to 0.16.0 +- The primary enhancements in this version is adding support for the + setting trust attributes on a Certificate, the SSL version range API, + information on the SSL cipher suites and information on the SSL connection. + + * The following module functions were added: + + - ssl.get_ssl_version_from_major_minor + - ssl.get_default_ssl_version_range + - ssl.get_supported_ssl_version_range + - ssl.set_default_ssl_version_range + - ssl.ssl_library_version_from_name + - ssl.ssl_library_version_name + - ssl.get_cipher_suite_info + - ssl.ssl_cipher_suite_name + - ssl.ssl_cipher_suite_from_name + + * The following deprecated module functions were removed: + + - ssl.nssinit + - ssl.nss_ini + - ssl.nss_shutdown + + * The following classes were added: + + - SSLCipherSuiteInfo + - SSLChannelInfo + + * The following class methods were added: + + - Certificate.trust_flags + - Certificate.set_trust_attributes + + - SSLSocket.set_ssl_version_range + - SSLSocket.get_ssl_version_range + - SSLSocket.get_ssl_channel_info + - SSLSocket.get_negotiated_host + - SSLSocket.connection_info_format_lines + - SSLSocket.connection_info_format + - SSLSocket.connection_info_str + + - SSLCipherSuiteInfo.format_lines + - SSLCipherSuiteInfo.format + + - SSLChannelInfo.format_lines + - SSLChannelInfo.format + + * The following class properties were added: + + - Certificate.ssl_trust_flags + - Certificate.email_trust_flags + - Certificate.signing_trust_flags + + - SSLCipherSuiteInfo.cipher_suite + - SSLCipherSuiteInfo.cipher_suite_name + - SSLCipherSuiteInfo.auth_algorithm + - SSLCipherSuiteInfo.auth_algorithm_name + - SSLCipherSuiteInfo.kea_type + - SSLCipherSuiteInfo.kea_type_name + - SSLCipherSuiteInfo.symmetric_cipher + - SSLCipherSuiteInfo.symmetric_cipher_name + - SSLCipherSuiteInfo.symmetric_key_bits + - SSLCipherSuiteInfo.symmetric_key_space + - 
SSLCipherSuiteInfo.effective_key_bits + - SSLCipherSuiteInfo.mac_algorithm + - SSLCipherSuiteInfo.mac_algorithm_name + - SSLCipherSuiteInfo.mac_bits + - SSLCipherSuiteInfo.is_fips + - SSLCipherSuiteInfo.is_exportable + - SSLCipherSuiteInfo.is_nonstandard + + - SSLChannelInfo.protocol_version + - SSLChannelInfo.protocol_version_str + - SSLChannelInfo.protocol_version_enum + - SSLChannelInfo.major_protocol_version + - SSLChannelInfo.minor_protocol_version + - SSLChannelInfo.cipher_suite + - SSLChannelInfo.auth_key_bits + - SSLChannelInfo.kea_key_bits + - SSLChannelInfo.creation_time + - SSLChannelInfo.creation_time_utc + - SSLChannelInfo.last_access_time + - SSLChannelInfo.last_access_time_utc + - SSLChannelInfo.expiration_time + - SSLChannelInfo.expiration_time_utc + - SSLChannelInfo.compression_method + - SSLChannelInfo.compression_method_name + - SSLChannelInfo.session_id + + * The following files were added: + + - doc/examples/cert_trust.py + - doc/examples/ssl_version_range.py + + * The following constants were added: + - nss.CERTDB_TERMINAL_RECORD + - nss.CERTDB_VALID_PEER + - nss.CERTDB_TRUSTED + - nss.CERTDB_SEND_WARN + - nss.CERTDB_VALID_CA + - nss.CERTDB_TRUSTED_CA + - nss.CERTDB_NS_TRUSTED_CA + - nss.CERTDB_USER + - nss.CERTDB_TRUSTED_CLIENT_CA + - nss.CERTDB_GOVT_APPROVED_CA + - ssl.SRTP_AES128_CM_HMAC_SHA1_32 + - ssl.SRTP_AES128_CM_HMAC_SHA1_80 + - ssl.SRTP_NULL_HMAC_SHA1_32 + - ssl.SRTP_NULL_HMAC_SHA1_80 + - ssl.SSL_CK_DES_192_EDE3_CBC_WITH_MD5 + - ssl.SSL_CK_DES_64_CBC_WITH_MD5 + - ssl.SSL_CK_IDEA_128_CBC_WITH_MD5 + - ssl.SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 + - ssl.SSL_CK_RC2_128_CBC_WITH_MD5 + - ssl.SSL_CK_RC4_128_EXPORT40_WITH_MD5 + - ssl.SSL_CK_RC4_128_WITH_MD5 + - ssl.SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA + - ssl.SSL_FORTEZZA_DMS_WITH_NULL_SHA + - ssl.SSL_FORTEZZA_DMS_WITH_RC4_128_SHA + - ssl.SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA + - ssl.SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA + - ssl.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA + - 
ssl.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA + - ssl.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 + - ssl.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DHE_DSS_WITH_DES_CBC_SHA + - ssl.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA + - ssl.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + - ssl.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + - ssl.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + - ssl.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DHE_RSA_WITH_DES_CBC_SHA + - ssl.TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA + - ssl.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA + - ssl.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DH_DSS_WITH_DES_CBC_SHA + - ssl.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA + - ssl.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA + - ssl.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DH_RSA_WITH_DES_CBC_SHA + - ssl.TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA + - ssl.TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 + - ssl.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA + - ssl.TLS_DH_anon_WITH_AES_128_CBC_SHA + - ssl.TLS_DH_anon_WITH_AES_256_CBC_SHA + - ssl.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_DH_anon_WITH_DES_CBC_SHA + - ssl.TLS_DH_anon_WITH_RC4_128_MD5 + - ssl.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + - ssl.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + - ssl.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_EMPTY_RENEGOTIATION_INFO_SCSV + - ssl.TLS_FALLBACK_SCSV + - ssl.TLS_NULL_WITH_NULL_NULL + - ssl.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA + - ssl.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 + - ssl.TLS_RSA_EXPORT_WITH_RC4_40_MD5 + - ssl.TLS_RSA_WITH_3DES_EDE_CBC_SHA + 
- ssl.TLS_RSA_WITH_AES_128_CBC_SHA256 + - ssl.TLS_RSA_WITH_AES_128_GCM_SHA256 + - ssl.TLS_RSA_WITH_AES_256_CBC_SHA256 + - ssl.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + - ssl.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + - ssl.TLS_RSA_WITH_DES_CBC_SHA + - ssl.TLS_RSA_WITH_IDEA_CBC_SHA + - ssl.TLS_RSA_WITH_NULL_MD5 + - ssl.TLS_RSA_WITH_NULL_SHA + - ssl.TLS_RSA_WITH_NULL_SHA256 + - ssl.TLS_RSA_WITH_RC4_128_MD5 + - ssl.TLS_RSA_WITH_RC4_128_SHA + - ssl.TLS_RSA_WITH_SEED_CBC_SHA + - ssl.SSL_VARIANT_DATAGRAM + - ssl.SSL_VARIANT_STREAM + - ssl.SSL_LIBRARY_VERSION_2 + - ssl.SSL_LIBRARY_VERSION_3_0 + - ssl.SSL_LIBRARY_VERSION_TLS_1_0 + - ssl.SSL_LIBRARY_VERSION_TLS_1_1 + - ssl.SSL_LIBRARY_VERSION_TLS_1_2 + - ssl.SSL_LIBRARY_VERSION_TLS_1_3 + - ssl.ssl2 + - ssl.ssl3 + - ssl.tls1.0 + - ssl.tls1.1 + - ssl.tls1.2 + - ssl.tls1.3 + + * The following methods were missing thread locks, this has been fixed. + + - nss.nss_initialize + - nss.nss_init_context + - nss.nss_shutdown_context + +* Mon Jun 16 2014 John Dennis - 0.15.0-1 +- resolves: bug#1109769 rebase to 0.15.0 +- includes fixes for 1087031 and 1060314 + See doc/Changelog for details + +* Fri Jan 24 2014 Daniel Mach - 0.14.0-5 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 0.14.0-4 +- Mass rebuild 2013-12-27 + +* Fri Oct 18 2013 John Dennis - 0.14.0-3 +- resolves: bug#1003979 +- In coordination with QE with regards to bz 1019934 it was requested + the unittest patches be enhanced with a more robust version of + test_pkcs12, no actual bug, just better testing. + +* Tue Oct 8 2013 John Dennis - 0.14.0-2 +- resolves: bug#1002589 +- resolves: bug#1003979 + +- Rewrite setup_certs.py. No longer behaves like an expect script + which was fragile. By default now creates a sql style database. +- By default all examples & tests use new sql format for NSS database +- db-name is now used instead of dbdir to provide distinction between + the database directory and it's scheme (e.g. 
'sql:') +- all examples and tests now default db-name to 'sql:pki' +- replaced legacy getopt & optparse command line argument handling + with modern argparse. + +* Mon May 13 2013 John Dennis - 0.14-1 + External Changes: + ----------------- + + The primary enhancements in this version is support of certifcate + validation, OCSP support, and support for the certificate "Authority + Information Access" extension. + + Enhanced certifcate validation including CA certs can be done via + Certificate.verify() or Certificate.is_ca_cert(). When cert + validation fails you can now obtain diagnostic information as to why + the cert failed to validate. This is encapsulated in the + CertVerifyLog class which is a iterable collection of + CertVerifyLogNode objects. Most people will probablby just print the + string representation of the returned CertVerifyLog object. Cert + validation logging is handled by the Certificate.verify() method. + Support has also been added for the various key usage and cert type + entities which feature prominently during cert validation. + + + * Certificate() constructor signature changed from + + Certificate(data=None, der_is_signed=True) + + to + + Certificate(data, certdb=cert_get_default_certdb(), perm=False, nickname=None) + + This change was necessary because all certs should be added to the + NSS temporary database when they are loaded, but earlier code + failed to to that. It's is not likely that an previous code was + failing to pass initialization data or the der_is_signed flag so + this change should be backwards compatible. + + * Fix bug #922247, PKCS12Decoder.database_import() method. Importing into + a NSS database would sometimes fail or segfault. + + * Error codes and descriptions were updated from upstream NSPR & NSS. + + * The password callback did not allow for breaking out of a password + prompting loop, now if None is returned from the password callback + the password prompting is terminated. 
+ + * nss.nss_shutdown_context now called from InitContext destructor, + this assures the context is shutdown even if the programmer forgot + to. It's still best to explicitly shut it down, this is just + failsafe. + + * Support was added for shutdown callbacks. + + * The following classes were added: + - nss.CertVerifyLogNode + - nss.CertVerifyLog + - error.CertVerifyError (exception) + - nss.AuthorityInfoAccess + - nss.AuthorityInfoAccesses + + + * The following class methods were added: + - nss.Certificate.is_ca_cert + - nss.Certificate.verify + - nss.Certificate.verify_with_log + - nss.Certificate.get_cert_chain + - nss.Certificate.check_ocsp_status + - nss.PK11Slot.list_certs + - nss.CertVerifyLogNode.format_lines + - nss.CertVerifyLog.format_lines + - nss.CRLDistributionPts.format_lines + + * The following class properties were added: + - nss.CertVerifyLogNode.certificate + - nss.CertVerifyLogNode.error + - nss.CertVerifyLogNode.depth + - nss.CertVerifyLog.count + + * The following module functions were added: + - nss.x509_cert_type + - nss.key_usage_flags + - nss.list_certs + - nss.find_certs_from_email_addr + - nss.find_certs_from_nickname + - nss.nss_get_version + - nss.nss_version_check + - nss.set_shutdown_callback + - nss.get_use_pkix_for_validation + - nss.set_use_pkix_for_validation + - nss.enable_ocsp_checking + - nss.disable_ocsp_checking + - nss.set_ocsp_cache_settings + - nss.set_ocsp_failure_mode + - nss.set_ocsp_timeout + - nss.clear_ocsp_cache + - nss.set_ocsp_default_responder + - nss.enable_ocsp_default_responder + - nss.disable_ocsp_default_responder + + * The following files were added: + src/py_traceback.h + doc/examples/verify_cert.py + test/test_misc.py + + * The following constants were added: + - nss.KU_DIGITAL_SIGNATURE + - nss.KU_NON_REPUDIATION + - nss.KU_KEY_ENCIPHERMENT + - nss.KU_DATA_ENCIPHERMENT + - nss.KU_KEY_AGREEMENT + - nss.KU_KEY_CERT_SIGN + - nss.KU_CRL_SIGN + - nss.KU_ENCIPHER_ONLY + - nss.KU_ALL + - 
nss.KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION + - nss.KU_KEY_AGREEMENT_OR_ENCIPHERMENT + - nss.KU_NS_GOVT_APPROVED + - nss.PK11CertListUnique + - nss.PK11CertListUser + - nss.PK11CertListRootUnique + - nss.PK11CertListCA + - nss.PK11CertListCAUnique + - nss.PK11CertListUserUnique + - nss.PK11CertListAll + - nss.certUsageSSLClient + - nss.certUsageSSLServer + - nss.certUsageSSLServerWithStepUp + - nss.certUsageSSLCA + - nss.certUsageEmailSigner + - nss.certUsageEmailRecipient + - nss.certUsageObjectSigner + - nss.certUsageUserCertImport + - nss.certUsageVerifyCA + - nss.certUsageProtectedObjectSigner + - nss.certUsageStatusResponder + - nss.certUsageAnyCA + - nss.ocspMode_FailureIsVerificationFailure + - nss.ocspMode_FailureIsNotAVerificationFailure + + * cert_dump.py extended to print NS_CERT_TYPE_EXTENSION + + * cert_usage_flags, nss_init_flags now support optional repr_kind parameter + + Internal Changes: + ----------------- + + * Reimplement exception handling + - NSPRError is now derived from StandardException instead of + EnvironmentError. It was never correct to derive from + EnvironmentError but was difficult to implement a new subclassed + exception with it's own attributes, using EnvironmentError had + been expedient. + + - NSPRError now derived from StandardException, provides: + * errno (numeric error code) + * strerror (error description associated with error code) + * error_message (optional detailed message) + * error_code (alias for errno) + * error_desc (alias for strerror) + + - CertVerifyError derived from NSPRError, extends with: + * usages (bitmask of returned usages) + * log (CertVerifyLog object) + + * Expose error lookup to sibling modules + + * Use macros for bitmask_to_list functions to reduce code + duplication and centralize logic. + + * Add repr_kind parameter to cert_trust_flags_str() + + * Add support for repr_kind AsEnumName to bitstring table lookup. 
+ + * Add cert_type_bitstr_to_tuple() lookup function + + * Add PRTimeConvert(), used to convert Python time values + to PRTime, centralizes conversion logic, reduces duplication + + * Add UTF8OrNoneConvert to better handle unicode parameters which + are optional. + + * Add Certificate_summary_format_lines() utility to generate + concise certificate identification info for output. + + * Certificate_new_from_CERTCertificate now takes add_reference parameter + to properly reference count certs, should fix shutdown busy problems. + + * Add print_traceback(), print_cert() debugging support. + +* Mon Feb 18 2013 John Dennis - 0.13-1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Oct 8 2012 John Dennis - 0.13-0 +- Update to version 0.13 + Introduced in 0.13: + + * Fix NSS SECITEM_CompareItem bug via workaround. + + * Fix incorrect format strings in PyArg_ParseTuple* for: + - GeneralName + - BasicConstraints + - cert_x509_key_usage + + * Fix bug when decoding certificate BasicConstraints extension + + * Fix hang in setup_certs. + + * For NSS >= 3.13 support CERTDB_TERMINAL_RECORD + + * You can now query for a specific certificate extension + Certficate.get_extension() + + * The following classes were added: + - RSAGenParams + + * The following class methods were added: + - nss.nss.Certificate.get_extension + - nss.nss.PK11Slot.generate_key_pair + - nss.nss.DSAPublicKey.format + - nss.nss.DSAPublicKey.format_lines + + * The following module functions were added: + - nss.nss.pub_wrap_sym_key + + * The following internal utilities were added: + - PyString_UTF8 + - SecItem_new_alloc() + + * The following class constructors were modified to accept + intialization parameters + + - KEYPQGParams (DSA generation parameters) + + * The PublicKey formatting (i.e. format_lines) was augmented + to format DSA keys (formerly it only recognized RSA keys). 
+
+ * Allow lables and values to be justified when printing objects
+
+ * The following were deprecated:
+ - nss.nss.make_line_pairs (replaced by nss.nss.make_line_fmt_tuples)
+
+ Deprecated Functionality:
+ -------------------------
+ - make_line_pairs() has been replaced by make_line_fmt_tuples()
+ because 2-valued tuples were not sufficently general. It is
+ expected very few programs will have used this function, it's mostly
+ used internally but provided as a support utility.
+
+* Sat Jul 21 2012 Fedora Release Engineering - 0.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Nov 17 2011 John Dennis - 0.12-2
+- add patch python-nss-0.12-rsapssparams.patch to fix build problem
+ which appears only with nss 3.13 and later.
+
+* Mon Jun 6 2011 John Dennis - 0.12-1
+ * Major new enhancement is additon of PKCS12 support and
+ AlgorithmID's.
+
+ * setup.py build enhancements
+ - Now searches for the NSS and NSPR header files rather
+ than hardcoding their location. This makes building friendlier
+ on other systems (i.e. debian)
+ - Now takes optional command line arguments, -d or --debug
+ will turn on debug options during the build.
+
+ * Fix reference counting bug in PK11_password_callback() which
+ contributed to NSS not being able to shutdown due to
+ resources still in use.
+
+ * Add UTF-8 support to ssl.config_server_session_id_cache()
+
+ * Added unit tests for cipher, digest, client_server.
+
+ * All unittests now run, added test/run_tests to invoke
+ full test suite.
+
+ * Fix bug in test/setup_certs.py, hardcoded full path to
+ libnssckbi.so was causing failures on 64-bit systems,
+ just use the libnssckbi.so basename, modutil will find
+ it on the standard search path.
+
+ * doc/examples/cert_dump.py uses new AlgorithmID class to
+ dump Signature Algorithm
+
+ * doc/examples/ssl_example.py now can cleanly shutdown NSS.
+
+ * Exception error messages now include PR error text if available.
+
+ * The following classes were replaced:
+ - SignatureAlgorithm replaced by new class AlgorithmID
+
+ * The following classes were added:
+ - AlgorithmID
+ - PKCS12DecodeItem
+ - PKCS12Decoder
+
+ * The following class methods were added:
+ - PK11Slot.authenticate()
+ - PK11Slot.get_disabled_reason()
+ - PK11Slot.has_protected_authentication_path()
+ - PK11Slot.has_root_certs()
+ - PK11Slot.is_disabled()
+ - PK11Slot.is_friendly()
+ - PK11Slot.is_internal()
+ - PK11Slot.is_logged_in()
+ - PK11Slot.is_removable()
+ - PK11Slot.logout()
+ - PK11Slot.need_login()
+ - PK11Slot.need_user_init()
+ - PK11Slot.user_disable()
+ - PK11Slot.user_enable()
+ - PKCS12DecodeItem.format()
+ - PKCS12DecodeItem.format_lines()
+ - PKCS12Decoder.database_import()
+ - PKCS12Decoder.format()
+ - PKCS12Decoder.format_lines()
+
+ * The following class properties were added:
+ - AlgorithmID.id_oid
+ - AlgorithmID.id_str
+ - AlgorithmID.id_tag
+ - AlgorithmID.parameters
+ - PKCS12DecodeItem.certificate
+ - PKCS12DecodeItem.friendly_name
+ - PKCS12DecodeItem.has_key
+ - PKCS12DecodeItem.shroud_algorithm_id
+ - PKCS12DecodeItem.signed_cert_der
+ - PKCS12DecodeItem.type
+ - SignedData.data
+ - SignedData.der
+
+ * The following module functions were added:
+ - nss.nss.dump_certificate_cache_info()
+ - nss.nss.find_slot_by_name()
+ - nss.nss.fingerprint_format_lines()
+ - nss.nss.get_internal_slot()
+ - nss.nss.is_fips()
+ - nss.nss.need_pw_init()
+ - nss.nss.nss_init_read_write()
+ - nss.nss.pk11_disabled_reason_name()
+ - nss.nss.pk11_disabled_reason_str()
+ - nss.nss.pk11_logout_all()
+ - nss.nss.pkcs12_cipher_from_name()
+ - nss.nss.pkcs12_cipher_name()
+ - nss.nss.pkcs12_enable_all_ciphers()
+ - nss.nss.pkcs12_enable_cipher()
+ - nss.nss.pkcs12_export()
+ -
nss.nss.pkcs12_map_cipher()
+ - nss.nss.pkcs12_set_nickname_collision_callback()
+ - nss.nss.pkcs12_set_preferred_cipher()
+ - nss.nss.token_exists()
+ - nss.ssl.config_mp_server_sid_cache()
+ - nss.ssl.config_server_session_id_cache_with_opt()
+ - nss.ssl.get_max_server_cache_locks()
+ - nss.ssl.set_max_server_cache_locks()
+ - nss.ssl.shutdown_server_session_id_cache()
+
+ * The following constants were added:
+ - nss.nss.int.PK11_DIS_COULD_NOT_INIT_TOKEN
+ - nss.nss.int.PK11_DIS_NONE
+ - nss.nss.int.PK11_DIS_TOKEN_NOT_PRESENT
+ - nss.nss.int.PK11_DIS_TOKEN_VERIFY_FAILED
+ - nss.nss.int.PK11_DIS_USER_SELECTED
+ - nss.nss.int.PKCS12_DES_56
+ - nss.nss.int.PKCS12_DES_EDE3_168
+ - nss.nss.int.PKCS12_RC2_CBC_128
+ - nss.nss.int.PKCS12_RC2_CBC_40
+ - nss.nss.int.PKCS12_RC4_128
+ - nss.nss.int.PKCS12_RC4_40
+
+ * The following files were added:
+ - test/run_tests
+ - test/test_cipher.py (replaces cipher_test.py)
+ - test/test_client_server.py
+ - test/test_digest.py (replaces digest_test.py)
+ - test/test_pkcs12.py
+
+ * The following were deprecated:
+ - SignatureAlgorithm
+
+* Tue Mar 22 2011 John Dennis - 0.11-2
+- Resolves: #689059
+ Add family parameter to Socket constructors in examples and doc.
+ Mark implicit family parameter as deprecated.
+ Raise exception if Socket family does not match NetworkAddress family.
+ Add --server-subject to setup_certs.py (made testing IPv6 easier without DNS)
+
+* Mon Feb 21 2011 John Dennis - 0.11-1
+ * Better support for IPv6
+
+ * Add AddrInfo class to support IPv6 address resolution. Supports
+ iteration over it's set of NetworkAddress objects and provides
+ hostname, canonical_name object properties.
+
+ * Add PR_AI_* constants.
+
+ * NetworkAddress constructor and NetworkAddress.set_from_string() added
+ optional family parameter. This is necessary for utilizing
+ PR_GetAddrInfoByName().
+
+ * NetworkAddress initialized via a string paramter are now initalized via
+ PR_GetAddrInfoByName using family.
+
+ * Add NetworkAddress.address property to return the address sans the
+ port as a string. NetworkAddress.str() includes the port. For IPv6 the
+ a hex string must be enclosed in brackets if a port is appended to it,
+ the bracketed hex address with appended with a port is unappropriate
+ in some circumstances, hence the new address property to permit either
+ the address string with a port or without a port.
+
+ * Fix the implementation of the NetworkAddress.family property, it was
+ returning bogus data due to wrong native data size.
+
+ * HostEntry objects now support iteration and indexing of their
+ NetworkAddress members.
+
+ * Add io.addr_family_name() function to return string representation of
+ PR_AF_* constants.
+
+ * Modify example and test code to utilize AddrInfo instead of deprecated
+ NetworkAddress functionality. Add address family command argument to
+ ssl_example.
+
+ * Fix pty import statement in test/setup_certs.py
+
+ Deprecated Functionality:
+ -------------------------
+
+ * NetworkAddress initialized via a string paramter is now
+ deprecated. AddrInfo should be used instead.
+
+ * NetworkAddress.set_from_string is now deprecated. AddrInfo should be
+ used instead.
+
+ * NetworkAddress.hostentry is deprecated. It was a bad idea,
+ NetworkAddress objects can support both IPv4 and IPv6, but a HostEntry
+ object can only support IPv4. Plus the implementation depdended on
+ being able to perform a reverse DNS lookup which is not always
+ possible.
+
+ * HostEntry.get_network_addresses() and HostEntry.get_network_address()
+ are now deprecated. In addition their port parameter is now no longer
+ respected. HostEntry objects now support iteration and
+ indexing of their NetworkAddress and that should be used to access
+ their NetworkAddress objects instead.
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 11 2011 John Dennis - 0.10-3
+- Fix all rpmlint warnings
+- doc for license, changelog etc. now in main package,
+ doc subpackage now only contains api doc, examples, test, etc.
+- Filter provides for .so files
+- Remove execute permission on everything in docdir
+- Capitalize description
+
+* Tue Jan 11 2011 John Dennis - 0.10-2
+- split documentation out into separate doc sub-package
+ and make building api documentation optional
+
+* Mon Jan 10 2011 John Dennis - 0.10-1
+- The following classes were added:
+ InitParameters
+ InitContext
+
+-The following module functions were added:
+ nss.nss.nss_initialize()
+ nss.nss.nss_init_context()
+ nss.nss.nss_shutdown_context()
+ nss.nss.nss_init_flags()
+
+* Thu Jul 22 2010 David Malcolm - 0.9-9
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Fri Jul 16 2010 John Dennis - 0.9-8
+- add nss_is_initialized()
+
+* Thu Jul 8 2010 John Dennis - 0.9-7
+- Remove nss_init_nodb() when nss modules loads from previous version
+ apparently this prevents subsequent calls to nss_init with a
+ database to silently fail.
+- Clean up some cruft in doc/examples/verify_server.py
+
+* Thu Jun 24 2010 John Dennis - 0.9-6
+- Invoke nss_init_nodb() when nss modules loads, this prevents segfaults
+ in NSS if Python programmer forgot to call one of the NSS
+ initialization routines.
+
+- Rename the classes X500Name, X500RDN, X500AVA to DN, RDN, AVA
+ respectively.
+
+- DN and RDN objects now return a list of their contents when indexed by
+ type, this is to support multi-valued items.
+
+- Fix bug where AVA object's string representation did not include it's
+ type.
+
+- Enhance test/test_cert_components.py unit test to test for above
+ changes.
+
+- Add CertificateRequest object
+
+* Mon Jun 14 2010 John Dennis - 0.9-5
+- Fix incomplete read bug (due to read ahead buffer bookkeeping).
+- Remove python-nss specific httplib.py, no longer needed
+ python-nss now compatible with standard library
+- Rewrite httplib_example.py to use standard library and illustrate
+ ssl, non-ssl, connection class, http class usage
+
+* Wed Jun 9 2010 John Dennis - 0.9-4
+- add nss.cert_usage_flags(), use it in ssl_example.py
+
+* Sun Jun 6 2010 John Dennis - 0.9-3
+- Add format_lines() & format() methods to the new certificate extension objects.
+- Add printing of certificate extensions.
+- Add BasicContstraints certificate extension.
+- Fix several reference counting and memory problems discovered with valgrind.
+
+* Tue Jun 1 2010 John Dennis - 0.9-2
+- fold in more ref counting patches from Miloslav Trmač
+ into upstream.
+ Did not bump upstream version, just bumped release ver in this spec file.
+
+* Fri May 28 2010 John Dennis - 0.9-1
+- Unicode objects now accepted as well as str objects for
+ interfaces expecting a string.
+
+- Sockets were enhanced thusly:
+ - Threads will now yield during blocking IO.
+ - Socket.makefile() reimplemented
+ file object methods that had been missing (readlines(), sendall(),
+ and iteration) were implemented, makefile now just returns the same
+ Socket object but increments an "open" ref count. Thus a Socket
+ object behaves like a file object and must be closed once for each
+ makefile() call before it's actually closed.
+ - Sockets now support the iter protocol
+ - Add Socket.readlines(), Socket.sendall()
+
+- The following classes were added:
+ AuthKeyID
+ BasicConstraints
+ CRLDistributionPoint
+ CRLDistributionPts
+ CertificateExtension
+ GeneralName
+ SignedCRL
+ X500AVA
+ X500Name
+ X500RDN
+
+- The following module functions were added:
+ nss.nss.cert_crl_reason_from_name()
+ nss.nss.cert_crl_reason_name()
+ nss.nss.cert_general_name_type_from_name()
+ nss.nss.cert_general_name_type_name()
+ nss.nss.cert_usage_flags()
+ nss.nss.decode_der_crl()
+ nss.nss.der_universal_secitem_fmt_lines()
+ nss.nss.import_crl()
+ nss.nss.make_line_pairs()
+ nss.nss.oid_dotted_decimal()
+ nss.nss.oid_str()
+ nss.nss.oid_tag()
+ nss.nss.oid_tag_name()
+ nss.nss.read_der_from_file()
+ nss.nss.x509_alt_name()
+ nss.nss.x509_ext_key_usage()
+ nss.nss.x509_key_usage()
+
+- The following class methods and properties were added:
+ Note: it's a method if the name is suffixed with (), a propety otherwise
+ Socket.next()
+ Socket.readlines()
+ Socket.sendall()
+ SSLSocket.next()
+ SSLSocket.readlines()
+ SSLSocket.sendall()
+ AuthKeyID.key_id
+ AuthKeyID.serial_number
+ AuthKeyID.get_general_names()
+ CRLDistributionPoint.issuer
+ CRLDistributionPoint.get_general_names()
+ CRLDistributionPoint.get_reasons()
+ CertDB.find_crl_by_cert()
+ CertDB.find_crl_by_name()
+ Certificate.extensions
+ CertificateExtension.critical
+ CertificateExtension.name
+ CertificateExtension.oid
+ CertificateExtension.oid_tag
+ CertificateExtension.value
+ GeneralName.type_enum
+ GeneralName.type_name
+ GeneralName.type_string
+ SecItem.der_to_hex()
+ SecItem.get_oid_sequence()
+ SecItem.to_hex()
+ SignedCRL.delete_permanently()
+ X500AVA.oid
+ X500AVA.oid_tag
+ X500AVA.value
+ X500AVA.value_str
+ X500Name.cert_uid
+ X500Name.common_name
+ X500Name.country_name
+ X500Name.dc_name
+ X500Name.email_address
+ X500Name.locality_name
+ X500Name.org_name
+ X500Name.org_unit_name
+ X500Name.state_name
+ X500Name.add_rdn()
+
X500Name.has_key()
+ X500RDN.has_key()
+
+- The following module functions were removed:
+ Note: use nss.nss.oid_tag() instead
+ nss.nss.sec_oid_tag_from_name()
+ nss.nss.sec_oid_tag_name()
+ nss.nss.sec_oid_tag_str()
+
+- The following files were added:
+ doc/examples/cert_dump.py
+ test/test_cert_components.py
+
+- Apply patches from Miloslav Trmač
+ for ref counting and threading support. Thanks Miloslav!
+
+- Review all ref counting, numerous ref counting fixes
+
+- Implement cyclic garbage collection support by
+ adding object traversal and clear methods
+
+- Identify static variables, move to thread local storage
+
+
+* Wed Mar 24 2010 John Dennis - 0.8-2
+- change %%define to %%global
+
+* Mon Sep 21 2009 John Dennis - 0.8-1
+- The following methods, properties and functions were added:
+ SecItem.type SecItem.len, SecItem.data
+ PK11SymKey.key_data, PK11SymKey.key_length, PK11SymKey.slot
+ create_context_by_sym_key
+ param_from_iv
+ generate_new_param
+ get_iv_length
+ get_block_size
+ get_pad_mechanism
+- SecItem's now support indexing and slicing on their data
+- Clean up parsing and parameter validation of variable arg functions
+
+* Fri Sep 18 2009 John Dennis - 0.7-1
+- add support for symmetric encryption/decryption
+ more support for digests (hashes)
+
+ The following classes were added:
+ PK11SymKey PK11Context
+
+ The following methods and functions were added:
+ get_best_wrap_mechanism get_best_key_length
+ key_gen derive
+ get_key_length digest_key
+ clone_context digest_begin
+ digest_op cipher_op
+ finalize digest_final
+ read_hex hash_buf
+ sec_oid_tag_str sec_oid_tag_name
+ sec_oid_tag_from_name key_mechanism_type_name
+ key_mechanism_type_from_name pk11_attribute_type_name
+ pk11_attribute_type_from_name get_best_slot
+ get_internal_key_slot create_context_by_sym_key
+ import_sym_key create_digest_context
+ param_from_iv param_from_algid
+ generate_new_param algtag_to_mechanism
+ mechanism_to_algtag
+
+ The following files were added:
+
cipher_test.py digest_test.py
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 9 2009 John Dennis - 0.6-2
+- restore nss.nssinit(), make deprecated
+
+* Wed Jul 8 2009 John Dennis - 0.6-1
+- fix bug #510343 client_auth_data_callback seg faults if False
+ is returned from callback
+
+* Wed Jul 1 2009 John Dennis - 0.5-1
+- restore ssl.nss_init and ssl.nss_shutdown but make them deprecated
+ add __version__ string to nss module
+
+* Tue Jun 30 2009 John Dennis - 0.4-1
+- add binding for NSS_NoDB_Init(), bug #509002
+ move nss_init and nss_shutdown from ssl module to nss module
+
+* Thu Jun 4 2009 John Dennis - 0.3-1
+- installed source code in Mozilla CVS repository
+ update URL tag to point to CVS repositoy
+ (not yet a valid URL, still have to coordinate with Mozilla)
+ minor tweak to src directory layout
+
+* Mon Jun 1 2009 John Dennis - 0.2-1
+- Convert licensing to MPL tri-license
+- apply patch from bug #472805, (Miloslav Trmač)
+ Don't allow closing a socket twice, that causes crashes.
+ New function nss.io.Socket.new_socket_pair()
+ New function nss.io.Socket.poll()
+ New function nss.io.Socket.import_tcp_socket()
+ New method nss.nss.Certificate.get_subject_common_name()
+ New function nss.nss.generate_random()
+ Fix return value creation in SSLSocket.get_security_status
+ New function nss.ssl.SSLSocket.import_tcp_socket()
+
+* Thu Feb 26 2009 Fedora Release Engineering - 0.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 0.1-2
+- Rebuild for Python 2.6
+
+* Tue Sep 9 2008 John Dennis - 0.1-1
+- clean up ssl_example.py, fix arg list in get_cert_nicknames,
+ make certdir cmd line arg consistent with other NSS tools
+- update httplib.py to support client auth, add httplib_example.py which illustrates it's use
+- fix some documentation
+- fix some type usage which were unsafe on 64-bit
+
+* Wed Jul 9 2008 John Dennis - 0.0-2
+- add docutils to build requires so restructured text works
+
+* Fri Jun 27 2008 John Dennis - 0.0-1
+- initial release