diff --git a/.hgtags b/.hgtags
index a1f9a71c30..ee6d9af2e7 100644
--- a/.hgtags
+++ b/.hgtags
@@ -1590,3 +1590,4 @@ bdf702cc0f766757d8221b1bb9a8a5a12f0183da NSS_3_25_BETA1
 cc982d5a9904b9ec478eced92a3eea8ee0ee313a NSS_3_27_BETA1
 d36a5c8225914f92c12f8e182d83f5b4727d327b NSS_3_27_BETA2
 06ed5314230a8abc5436bdca2cc79e7de7f2828f NSS_3_27_BETA3
+32c9bbad265504522441f601333f0b89861a15d1 NSS_3_34_BETA1
diff --git a/automation/abi-check/previous-nss-release b/automation/abi-check/previous-nss-release
index a4803f0fa3..a91a569f53 100644
--- a/automation/abi-check/previous-nss-release
+++ b/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_33_BRANCH
+NSS_3_34_BRANCH
diff --git a/automation/buildbot-slave/build.sh b/automation/buildbot-slave/build.sh
index e30f78d1d9..7675136ddf 100755
--- a/automation/buildbot-slave/build.sh
+++ b/automation/buildbot-slave/build.sh
@@ -256,26 +256,41 @@ check_abi() fi popd + ABI_PROBLEM_FOUND=0 ABI_REPORT=${OUTPUTDIR}/abi-diff.txt rm -f ${ABI_REPORT} PREVDIST=${HGDIR}/baseline/dist NEWDIST=${HGDIR}/dist ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" for SO in ${ALL_SOs}; do - if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then - touch nss/automation/abi-check/expected-report-$SO.txt + if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then + touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt fi abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \ $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \ - > nss/automation/abi-check/new-report-$SO.txt - diff -u nss/automation/abi-check/expected-report-$SO.txt \ - nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} + > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt + if [ $? -ne 0 ]; then + ABI_PROBLEM_FOUND=1 + fi + if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then + ABI_PROBLEM_FOUND=1 + fi + + diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \ + ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} + if [ ! -f ${ABI_REPORT} ]; then + ABI_PROBLEM_FOUND=1 + fi done if [ -s ${ABI_REPORT} ]; then print_log "FAILED: there are new unexpected ABI changes" cat ${ABI_REPORT} return 1 + elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then + print_log "FAILED: failure executing the ABI checks" + cat ${ABI_REPORT} + return 1 fi return 0 diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c index 9bbb940b8f..5f637e11c1 100644 --- a/cmd/certutil/certutil.c +++ b/cmd/certutil/certutil.c 
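Review bot: The `if [ $? -ne 0 ]` test after the abidiff call records ABI_PROBLEM_FOUND=1 for every non-zero exit status, but abidiff's status is a bit-mask in which the ABIDIFF_ABI_CHANGE bit (value 4) is set whenever the two libraries differ at all, including differences already listed in expected-report-$SO.txt; such an expected change produces an empty diff, skips the `-s` branch and then fails with "failure executing the ABI checks". If the installed abidiff follows that convention, capture the status and test only the error bits, e.g. `rc=$?` followed by `if [ $((rc & 3)) -ne 0 ]; then`. The unquoted `${HGDIR}`/`$SO` expansions are consistent with the rest of the function but would break on a checkout path containing spaces. check_abi() begins before this hunk.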
@@ -194,6 +194,8 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, PLArenaPool *arena; void *extHandle; SECItem signedReq = { siBuffer, NULL, 0 }; + SECAlgorithmID signAlg; + SECItem *params = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { @@ -211,11 +213,25 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, /* Change cert type to RSA-PSS, if desired. */ if (pssCertificate) { + params = SEC_CreateSignatureAlgorithmParameters(arena, + NULL, + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, + hashAlgTag, + NULL, + privk); + if (!params) { + PORT_FreeArena(arena, PR_FALSE); + SECKEY_DestroySubjectPublicKeyInfo(spki); + SECU_PrintError(progName, "unable to create RSA-PSS parameters"); + return SECFailure; + } + spki->algorithm.parameters.data = NULL; rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0); + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params); if (rv != SECSuccess) { PORT_FreeArena(arena, PR_FALSE); + SECKEY_DestroySubjectPublicKeyInfo(spki); SECU_PrintError(progName, "unable to set algorithm ID"); return SECFailure; } 
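Review bot: The two new error paths in the `pssCertificate` branch each repeat the same four-line teardown (`PORT_FreeArena`, `SECKEY_DestroySubjectPublicKeyInfo`, `SECU_PrintError`, `return SECFailure`), and the hunk at -256,16 adds further copies of the arena-only variant; a single cleanup label at the end of CertReq that frees the arena (and destroys spki while it is still live) would keep the teardown in one place and make it harder to miss the spki release, which this hunk had to add to the pre-existing `rv != SECSuccess` path. The message "unable to set algorithm ID" is now emitted from three different call sites, so a failure cannot be located from the log; consider `"unable to set RSA-PSS algorithm ID on the public key"` at this site. CertReq begins before this hunk and continues after it.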
@@ -256,16 +272,34 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, return SECFailure; } - /* Sign the request */ - signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); - if (signAlgTag == SEC_OID_UNKNOWN) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unknown Key or Hash type"); - return SECFailure; + PORT_Memset(&signAlg, 0, sizeof(signAlg)); + if (pssCertificate) { + rv = SECOID_SetAlgorithmID(arena, &signAlg, + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + SECU_PrintError(progName, "unable to set algorithm ID"); + return SECFailure; + } + } else { + signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); + if (signAlgTag == SEC_OID_UNKNOWN) { + PORT_FreeArena(arena, PR_FALSE); + SECU_PrintError(progName, "unknown Key or Hash type"); + return SECFailure; + } + rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + SECU_PrintError(progName, "unable to set algorithm ID"); + return SECFailure; + } } - rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len, - privk, signAlgTag); + /* Sign the request */ + rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq, + encoding->data, encoding->len, + privk, &signAlg); if (rv) { PORT_FreeArena(arena, PR_FALSE); SECU_PrintError(progName, "signing of data failed"); @@ -1183,6 +1217,8 @@ luC(enum usage_level ul, const char *command) " -o output-cert"); FPS "%-20s Self sign\n", " -x"); + FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", + " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", 
@@ -1516,6 +1552,8 @@ luR(enum usage_level ul, const char *command) " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); + FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n", + " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); FPS "%-20s Elliptic curve name (ec only)\n", @@ -1693,6 +1731,8 @@ luS(enum usage_level ul, const char *command) " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); + FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n", + " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); FPS "%-20s Elliptic curve name (ec only)\n", @@ -1701,6 +1741,8 @@ luS(enum usage_level ul, const char *command) ""); FPS "%-20s Self sign\n", " -x"); + FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", + " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", 
@@ -1864,47 +1906,120 @@ MakeV1Cert(CERTCertDBHandle *handle, return (cert); } +static SECStatus +SetSignatureAlgorithm(PLArenaPool *arena, + SECAlgorithmID *signAlg, + SECAlgorithmID *spkiAlg, + SECOidTag hashAlgTag, + SECKEYPrivateKey *privKey, + PRBool pssSign) +{ + SECStatus rv; + + if (pssSign || + SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + SECItem *srcParams; + SECItem *params; + + if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + srcParams = &spkiAlg->parameters; + } else { + /* If the issuer's public key is RSA, the parameter field + * of the SPKI should be NULL, which can't be used as a + * basis of RSA-PSS parameters. */ + srcParams = NULL; + } + params = SEC_CreateSignatureAlgorithmParameters(arena, + NULL, + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, + hashAlgTag, + srcParams, + privKey); + if (!params) { + SECU_PrintError(progName, "Could not create RSA-PSS parameters"); + return SECFailure; + } + rv = SECOID_SetAlgorithmID(arena, signAlg, + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, + params); + if (rv != SECSuccess) { + SECU_PrintError(progName, "Could not set signature algorithm id."); + return rv; + } + } else { + KeyType keyType = SECKEY_GetPrivateKeyType(privKey); + SECOidTag algID; + + algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + SECU_PrintError(progName, "Unknown key or hash type for issuer."); + return SECFailure; + } + rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0); + if (rv != SECSuccess) { + SECU_PrintError(progName, "Could not set signature algorithm id."); + return rv; + } + } + return SECSuccess; +} + static SECStatus SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, SECOidTag hashAlgTag, SECKEYPrivateKey *privKey, char *issuerNickName, - int certVersion, void *pwarg) + int certVersion, PRBool pssSign, void *pwarg) { SECItem der; SECKEYPrivateKey *caPrivateKey = NULL; SECStatus rv; PLArenaPool *arena; - SECOidTag algID; 
+ CERTCertificate *issuer; void *dummy; - if (!selfsign) { - CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); + arena = cert->arena; + + if (selfsign) { + issuer = cert; + } else { + issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); if ((CERTCertificate *)NULL == issuer) { SECU_PrintError(progName, "unable to find issuer with nickname %s", issuerNickName); - return SECFailure; + rv = SECFailure; + goto done; } - privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg); - CERT_DestroyCertificate(issuer); if (caPrivateKey == NULL) { SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName); - return SECFailure; + rv = SECFailure; + CERT_DestroyCertificate(issuer); + goto done; } } - arena = cert->arena; - - algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag); - if (algID == SEC_OID_UNKNOWN) { - fprintf(stderr, "Unknown key or hash type for issuer."); + if (pssSign && + (SECKEY_GetPrivateKeyType(privKey) != rsaKey && + SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) { + SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s", + issuerNickName); rv = SECFailure; + if (!selfsign) { + CERT_DestroyCertificate(issuer); + } goto done; } - rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0); + rv = SetSignatureAlgorithm(arena, + &cert->signature, + &issuer->subjectPublicKeyInfo.algorithm, + hashAlgTag, + privKey, + pssSign); + if (!selfsign) { + CERT_DestroyCertificate(issuer); + } if (rv != SECSuccess) { - fprintf(stderr, "Could not set signature algorithm id."); goto done; } @@ -1923,7 +2038,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + rv = SECFailure; + goto done; } der.len = 0; 
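Review bot: In SignCert, the new `pssSign` key-type check reports the failure with `"unable to create RSA-PSS signature with key %s", issuerNickName`, but on the self-signed path no issuer nickname is ever looked up and, as far as this hunk shows, `issuerNickName` may well be NULL there; passing a null pointer for `%s` is undefined behaviour. Keep the nickname out of the message when `selfsign` is set, e.g. `selfsign ? "(self-signed)" : issuerNickName`, or report the key type instead of the name. SetSignatureAlgorithm is complete in this hunk; SignCert's `done:` label and the rest of its body lie outside it.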
@@ -1936,7 +2052,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, goto done; } - rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID); + rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len, + privKey, &cert->signature); if (rv != SECSuccess) { fprintf(stderr, "Could not sign encoded certificate data.\n"); /* result allocated out of the arena, it will be freed @@ -1969,6 +2086,7 @@ CreateCert( certutilExtnList extnList, const char *extGeneric, int certVersion, + PRBool pssSign, SECItem *certDER) { void *extHandle = NULL; @@ -2029,7 +2147,7 @@ CreateCert( rv = SignCert(handle, subjectCert, selfsign, hashAlgTag, *selfsignprivkey, issuerNickName, - certVersion, pwarg); + certVersion, pssSign, pwarg); if (rv != SECSuccess) break; @@ -2352,6 +2470,7 @@ enum certutilOpts { opt_GenericExtensions, opt_NewNickname, opt_Pss, + opt_PssSign, opt_Help }; @@ -2472,6 +2591,8 @@ static const secuCommandFlag options_init[] = "new-n" }, { /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE, "pss" }, + { /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE, + "pss-sign" }, }; #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) 
@@ -3363,6 +3484,25 @@ certutil_main(int argc, char **argv, PRBool initialize) } } + /* --pss-sign is to sign a certificate with RSA-PSS, even if the + * issuer's key is an RSA key. If the key is an RSA-PSS key, the + * generated signature is always RSA-PSS. */ + if (certutil.options[opt_PssSign].activated) { + if (!certutil.commands[cmd_CreateNewCert].activated && + !certutil.commands[cmd_CreateAndAddCert].activated) { + PR_fprintf(PR_STDERR, + "%s -%c: --pss-sign only works with -C or -S.\n", + progName, commandToRun); + return 255; + } + if (keytype != rsaKey) { + PR_fprintf(PR_STDERR, + "%s -%c: --pss-sign only works with RSA keys.\n", + progName, commandToRun); + return 255; + } + } + /* If we need a list of extensions convert the flags into list format */ if (certutil.commands[cmd_CertReq].activated || certutil.commands[cmd_CreateAndAddCert].activated || @@ -3500,6 +3640,7 @@ certutil_main(int argc, char **argv, PRBool initialize) (certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg : NULL), certVersion, + certutil.options[opt_PssSign].activated, &certDER); if (rv) goto shutdown; diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c index cf52269c3b..cedecee2dd 100644 --- a/cmd/lib/secutil.c +++ b/cmd/lib/secutil.c @@ -1312,15 +1312,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) return; } - if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); - return; - } - if (a->parameters.len == 0 || (a->parameters.len == 2 && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { /* No arguments or NULL argument */ + } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); } else { /* Print args to algorithm */ SECU_PrintAsHex(out, &a->parameters, "Args", level + 1); 
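Review bot: The `keytype != rsaKey` gate for `--pss-sign` tests the key type chosen for the new key (presumably the -k option, as `keytype` reads here), while both the help text and the check in SignCert are about the issuer's key; for `-C`/`-S` with a separate issuer the two can differ, so a non-RSA subject key with an RSA issuer is refused although SignCert could sign it, whereas an RSA subject key with a non-RSA issuer passes here and is only caught later. If early validation is the intent, compare against the issuer's key; otherwise consider dropping this branch and relying on the SignCert check, and make the message `--pss-sign only works with RSA keys.` say which key it means. certutil_main begins before the hunk and continues after it.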
diff --git a/cmd/listsuites/listsuites.c b/cmd/listsuites/listsuites.c index 458130e5ec..8eb2c3553e 100644 --- a/cmd/listsuites/listsuites.c +++ b/cmd/listsuites/listsuites.c @@ -10,7 +10,9 @@ #include #include +#include "nss.h" #include "secport.h" +#include "secutil.h" #include "ssl.h" int @@ -19,6 +21,43 @@ main(int argc, char **argv) const PRUint16 *cipherSuites = SSL_ImplementedCiphers; int i; int errCount = 0; + SECStatus rv; + PRErrorCode err; + char *certDir = NULL; + + /* load policy from $SSL_DIR/pkcs11.txt, for testing */ + certDir = SECU_DefaultSSLDir(); + if (certDir) { + rv = NSS_Init(certDir); + } else { + rv = NSS_NoDB_Init(NULL); + } + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err)); + goto out; + } + + /* apply policy */ + rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n", + PORT_ErrorToString(err)); + goto out; + } + + /* update the default cipher suites according to the policy */ + rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "SSL_OptionSetDefault failed: %s\n", + PORT_ErrorToString(err)); + goto out; + } fputs("This version of libSSL supports these cipher suites:\n\n", stdout); @@ -58,5 +97,14 @@ main(int argc, char **argv) info.isFIPS ? "FIPS" : "", info.nonStandard ? "nonStandard" : ""); } + +out: + rv = NSS_Shutdown(); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err)); + } + return errCount; } diff --git a/cmd/manifest.mn b/cmd/manifest.mn index 153384ce14..f5e6bc2366 100644 --- a/cmd/manifest.mn +++ b/cmd/manifest.mn @@ -63,6 +63,7 @@ NSS_SRCDIRS = \ pp \ pwdecrypt \ rsaperf \ + rsapoptst \ sdrtest \ selfserv \ signtool \ 
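Review bot: When NSS_Init (or NSS_NoDB_Init) fails, the new code does `goto out`, and the `out:` label added in the hunk at -58,5 calls NSS_Shutdown, which fails with SEC_ERROR_NOT_INITIALIZED when no init succeeded; the run then counts the same failure twice and prints a misleading "NSS_Shutdown failed" line. Return directly from that branch, i.e. replace the `goto out;` after the "NSS_Init failed" message with `return errCount;`, so that only the branches reached after a successful init fall through to the shutdown. main continues between the two hunks.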
diff --git a/cmd/rsapoptst/rsapoptst.c b/cmd/rsapoptst/rsapoptst.c index 81ddcd6c43..800c754733 100644 --- a/cmd/rsapoptst/rsapoptst.c +++ b/cmd/rsapoptst/rsapoptst.c @@ -23,7 +23,7 @@ static const struct test_args test_array[] = { { "d_n_q", 0x02, "private exponent, modulus, prime2" }, { "d_p_q", 0x04, "private exponent, prime1, prime2" }, { "e_d_q", 0x08, "public exponent, private exponent, prime2" }, - { "e_d_n", 0x10, "public exponent, private exponent, moduls" } + { "e_d_n", 0x10, "public exponent, private exponent, modulus" } }; static const int test_array_size = (sizeof(test_array) / sizeof(struct test_args)); @@ -58,6 +58,7 @@ const static CK_ATTRIBUTE rsaTemplate[] = { { CKA_TOKEN, NULL, 0 }, { CKA_SENSITIVE, NULL, 0 }, { CKA_PRIVATE, NULL, 0 }, + { CKA_ID, NULL, 0 }, { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 }, { CKA_PRIVATE_EXPONENT, NULL, 0 }, 
@@ -123,46 +124,77 @@ readKey(PK11ObjectType objType, void *object, CK_ATTRIBUTE *template, #define ATTR_STRING(x) getNameFromAttribute(x) +static void +dumphex(FILE *file, const unsigned char *cpval, int start, int end) +{ + int i; + for (i = start; i < end; i++) { + if ((i % 16) == 0) + fprintf(file, "\n "); + fprintf(file, " %02x", cpval[i]); + } + return; +} + void -dumpTemplate(CK_ATTRIBUTE *template, int start, int end) +dumpTemplate(FILE *file, const CK_ATTRIBUTE *template, int start, int end) { - int i, j; - for (i = 0; i < end; i++) { + int i; + for (i = start; i < end; i++) { unsigned char cval; CK_ULONG ulval; - unsigned char *cpval; + const unsigned char *cpval; - fprintf(stderr, "%s:", ATTR_STRING(template[i].type)); + fprintf(file, "%s:", ATTR_STRING(template[i].type)); switch (template[i].ulValueLen) { case 1: cval = *(unsigned char *)template[i].pValue; switch (cval) { case 0: - fprintf(stderr, " false"); + fprintf(file, " false"); break; case 1: - fprintf(stderr, " true"); + fprintf(file, " true"); break; default: - fprintf(stderr, " %d (=0x%02x,'%c')", cval, cval, cval); + fprintf(file, " %d (=0x%02x,'%c')", cval, cval, cval); break; } break; case sizeof(CK_ULONG): ulval = *(CK_ULONG *)template[i].pValue; - fprintf(stderr, " %ld (=0x%04lx)", ulval, ulval); + fprintf(file, " %ld (=0x%04lx)", ulval, ulval); break; default: - cpval = (unsigned char *)template[i].pValue; - for (j = 0; j < template[i].ulValueLen; j++) { - if ((j % 16) == 0) - fprintf(stderr, "\n "); - fprintf(stderr, " %02x", cpval[j]); - } + cpval = (const unsigned char *)template[i].pValue; + dumphex(file, cpval, 0, template[i].ulValueLen); break; } - fprintf(stderr, "\n"); + fprintf(file, "\n"); + } +} + +void +dumpItem(FILE *file, const SECItem *item) +{ + const unsigned char *cpval; + + if (item == NULL) { + fprintf(file, " pNULL "); + return; + } + if (item->data == NULL) { + fprintf(file, " NULL "); + return; } + if (item->len == 0) { + fprintf(file, " Empty "); + return; + } + 
cpval = item->data; + dumphex(file, cpval, 0, item->len); + fprintf(file, " "); + return; } PRBool @@ -191,6 +223,9 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src, } for (i = 0; i < RSA_ATTRIBUTES; i++) { + if (srcTemplate[i].type == CKA_ID) { + continue; /* we purposefully make the CKA_ID different */ + } if (srcTemplate[i].ulValueLen != destTemplate[i].ulValueLen) { printf("key->%s not equal src_len = %ld, dest_len=%ld\n", ATTR_STRING(srcTemplate[i].type), @@ -204,18 +239,22 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src, } if (!areEqual) { fprintf(stderr, "original key:\n"); - dumpTemplate(srcTemplate, 0, RSA_ATTRIBUTES); + dumpTemplate(stderr, srcTemplate, 0, RSA_ATTRIBUTES); fprintf(stderr, "created key:\n"); - dumpTemplate(destTemplate, 0, RSA_ATTRIBUTES); + dumpTemplate(stderr, destTemplate, 0, RSA_ATTRIBUTES); } + resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES); + resetTemplate(destTemplate, 0, RSA_ATTRIBUTES); return areEqual; } static int exp_exp_prime_fail_count = 0; +#define LEAK_ID 0xf + static int doRSAPopulateTest(unsigned int keySize, unsigned long exponent, - int mask, void *pwarg) + int mask, int round, void *pwarg) { SECKEYPrivateKey *rsaPrivKey; SECKEYPublicKey *rsaPubKey; @@ -227,7 +266,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY; CK_KEY_TYPE key_type = CKK_RSA; CK_BBOOL ck_false = CK_FALSE; + CK_BYTE cka_id[2] = { 0, 0 }; int failed = 0; + int leak_found; /* did we find the expected leak */ + int expect_leak = 0; /* are we expecting a leak? */ rsaParams.pe = exponent; rsaParams.keySizeInBits = keySize; 
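Review bot: `dumphex` takes its bounds as `int start, int end`, but both callers pass unsigned lengths — `template[i].ulValueLen` (CK_ULONG) from dumpTemplate and `item->len` from dumpItem — so the values are narrowed on the call and the loop index is compared against a signed bound; a value length above INT_MAX, or CK_UNAVAILABLE_INFORMATION as a length, can silently print nothing. Declare the helper with unsigned bounds, `static void dumphex(FILE *file, const unsigned char *cpval, size_t start, size_t end)` with `size_t i;`, and cast at the two call sites if the compiler warns. The trailing `return;` in the two void functions is redundant. The hunk's leading `#define ATTR_STRING` belongs to code outside it.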
@@ -259,11 +301,15 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, tstTemplate[3].ulValueLen = sizeof(ck_false); tstTemplate[4].pValue = &ck_false; tstTemplate[4].ulValueLen = sizeof(ck_false); - tstHeaderCount = 5; + tstTemplate[5].pValue = &cka_id[0]; + tstTemplate[5].ulValueLen = sizeof(cka_id); + tstHeaderCount = 6; + cka_id[0] = round; if (mask & 1) { printf("%s\n", test_array[1].description); resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + cka_id[1] = 0; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PUBLIC_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, @@ -271,10 +317,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_PRIME_1); - tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp mod p\n"); failed = 1; @@ -290,6 +336,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[2].description); /* test the basic2 case, public exponent, modulus, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + cka_id[1] = 1; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PUBLIC_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, 
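Review bot: `cka_id[0] = round;` stores the run counter into a single CK_BYTE, so it wraps at 256, while the leak check in the hunk at -398,9 compares the byte back against the full `int round` (`id.data[0] == round`); once `repeat` exceeds 255 the expected leak can no longer be matched and every later run fails with "expected leak not found". Either reject `repeat > 255` in main or compare both sides as bytes, `if (id.data[0] == (CK_BYTE)round)`; the byte compare still aliases runs 256 apart, so widening CKA_ID to carry the whole counter is the robust fix. doRSAPopulateTest continues outside this hunk.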
@@ -299,10 +346,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, /* test with q in the prime1 position */ tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1; - tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp mod q\n"); failed = 1; @@ -318,6 +365,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[3].description); /* test the medium case, private exponent, prime1, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + cka_id[1] = 2; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); @@ -329,10 +377,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1; tstTemplate[tstHeaderCount + 1].type = CKA_PRIME_2; - tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: privExp p q\n"); failed = 1; @@ -348,6 +396,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[4].description); /* test the advanced case, public exponent, private exponent, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + cka_id[1] = 3; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, 
@@ -355,10 +404,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_PRIME_2); - tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp privExp q\n"); fprintf(stderr, " this is expected periodically. It means we\n"); @@ -373,11 +422,12 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, if (tstPrivKey) PK11_DestroyGenericObject(tstPrivKey); } - if (mask & 16) { + if (mask & 0x10) { printf("%s\n", test_array[5].description); /* test the advanced case2, public exponent, private exponent, modulus */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + cka_id[1] = LEAK_ID; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); @@ -386,6 +436,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_MODULUS); + /* purposefully use the old version. This will create a leak */ tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, tstHeaderCount + 3, 
@@ -398,9 +449,59 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, fprintf(stderr, "RSA Populate key mismatch: pubExp privExp mod\n"); failed = 1; } + expect_leak = 1; if (tstPrivKey) PK11_DestroyGenericObject(tstPrivKey); } + resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); + SECKEY_DestroyPrivateKey(rsaPrivKey); + SECKEY_DestroyPublicKey(rsaPubKey); + + /* make sure we didn't leak */ + leak_found = 0; + tstPrivKey = PK11_FindGenericObjects(slot, CKO_PRIVATE_KEY); + if (tstPrivKey) { + SECStatus rv; + PK11GenericObject *thisKey; + int i; + + fprintf(stderr, "Leaking keys...\n"); + for (i = 0, thisKey = tstPrivKey; thisKey; i++, + thisKey = PK11_GetNextGenericObject(thisKey)) { + SECItem id = { 0, NULL, 0 }; + + rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisKey, + CKA_ID, &id); + if (rv != SECSuccess) { + fprintf(stderr, "Key %d: couldn't read CKA_ID: %s\n", + i, PORT_ErrorToString(PORT_GetError())); + continue; + } + fprintf(stderr, "id = { "); + dumpItem(stderr, &id); + fprintf(stderr, "};"); + if (id.data[1] == LEAK_ID) { + fprintf(stderr, " ---> leak expected\n"); + if (id.data[0] == round) + leak_found = 1; + } else { + if (id.len != sizeof(cka_id)) { + fprintf(stderr, + " ---> ERROR unexpected leak in generated key\n"); + } else { + fprintf(stderr, + " ---> ERROR unexpected leak in constructed key\n"); + } + failed = 1; + } + SECITEM_FreeItem(&id, PR_FALSE); + } + PK11_DestroyGenericObjects(tstPrivKey); + } + if (expect_leak && !leak_found) { + fprintf(stderr, "ERROR expected leak not found\n"); + failed = 1; + } PK11_FreeSlot(slot); return failed ? -1 : 0; @@ -517,7 +618,7 @@ main(int argc, char **argv) exp_exp_prime_fail_count = 0; for (i = 0; i < repeat; i++) { printf("Running RSA Populate test run %d\n", i); - ret = doRSAPopulateTest(keySize, exponent, mask, NULL); + ret = doRSAPopulateTest(keySize, exponent, mask, i, NULL); if (ret != 0) { i++; break; 
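Review bot: The leak loop reads `id.data[1]` before it has checked that the CKA_ID it just read is at least two bytes long; the `id.len != sizeof(cka_id)` test comes only in the else branch, so a key whose CKA_ID is empty or one byte long (if PK11_ReadRawAttribute returns such an item for a key created elsewhere) is read out of bounds. Test the length first, `if (id.len == sizeof(cka_id) && id.data[1] == LEAK_ID) {`, and keep the existing else branch to tell generated from constructed keys apart. The loop also `continue`s past a failed PK11_ReadRawAttribute without setting `failed`, so a key that cannot be inspected is silently treated as not leaked; add `failed = 1;` there if the check is meant to be strict. doRSAPopulateTest begins outside this hunk.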
@@ -531,5 +632,9 @@ main(int argc, char **argv) exp_exp_prime_fail_count, i, (((double)exp_exp_prime_fail_count) * 100.0) / (double)i); } + if (NSS_Shutdown() != SECSuccess) { + fprintf(stderr, "Shutdown failed\n"); + ret = -1; + } return ret; } diff --git a/cmd/rsapoptst/rsapoptst.gyp b/cmd/rsapoptst/rsapoptst.gyp new file mode 100644 index 0000000000..325a109095 --- /dev/null +++ b/cmd/rsapoptst/rsapoptst.gyp @@ -0,0 +1,25 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../../cmd/platlibs.gypi' + ], + 'targets': [ + { + 'target_name': 'rsapoptst', + 'type': 'executable', + 'sources': [ + 'rsapoptst.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:dbm_exports', + '<(DEPTH)/exports.gyp:nss_exports', + ] + } + ], + 'variables': { + 'module': 'nss', + } +} diff --git a/cpputil/cpputil.gyp b/cpputil/cpputil.gyp index 82183f241d..5042acf5cd 100644 --- a/cpputil/cpputil.gyp +++ b/cpputil/cpputil.gyp @@ -10,6 +10,7 @@ 'target_name': 'cpputil', 'type': 'static_library', 'sources': [ + 'databuffer.cc', 'dummy_io.cc', 'dummy_io_fwd.cc', 'tls_parser.cc', diff --git a/cpputil/databuffer.cc b/cpputil/databuffer.cc new file mode 100644 index 0000000000..d60ebccb34 --- /dev/null +++ b/cpputil/databuffer.cc 
@@ -0,0 +1,127 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "databuffer.h" +#include +#include +#include +#include +#include +#if defined(WIN32) || defined(WIN64) +#include +#else +#include +#endif + +namespace nss_test { + +void DataBuffer::Assign(const uint8_t* data, size_t len) { + if (data) { + Allocate(len); + memcpy(static_cast(data_), static_cast(data), len); + } else { + assert(len == 0); + data_ = nullptr; + len_ = 0; + } +} + +// Write will do a new allocation and expand the size of the buffer if needed. +// Returns the offset of the end of the write. +size_t DataBuffer::Write(size_t index, const uint8_t* val, size_t count) { + assert(val); + if (index + count > len_) { + size_t newlen = index + count; + uint8_t* tmp = new uint8_t[newlen]; // Always > 0. + if (data_) { + memcpy(static_cast(tmp), static_cast(data_), len_); + } + if (index > len_) { + memset(static_cast(tmp + len_), 0, index - len_); + } + delete[] data_; + data_ = tmp; + len_ = newlen; + } + if (data_) { + memcpy(static_cast(data_ + index), static_cast(val), + count); + } + return index + count; +} + +// Write an integer, also performing host-to-network order conversion. +// Returns the offset of the end of the write. +size_t DataBuffer::Write(size_t index, uint32_t val, size_t count) { + assert(count <= sizeof(uint32_t)); + uint32_t nvalue = htonl(val); + auto* addr = reinterpret_cast(&nvalue); + return Write(index, addr + sizeof(uint32_t) - count, count); +} + +void DataBuffer::Splice(const uint8_t* ins, size_t ins_len, size_t index, + size_t remove) { + assert(ins); + uint8_t* old_value = data_; + size_t old_len = len_; + + // The amount of stuff remaining from the tail of the old. 
+ size_t tail_len = old_len - (std::min)(old_len, index + remove); + // The new length: the head of the old, the new, and the tail of the old. + len_ = index + ins_len + tail_len; + data_ = new uint8_t[len_ ? len_ : 1]; + + // The head of the old. + if (old_value) { + Write(0, old_value, (std::min)(old_len, index)); + } + // Maybe a gap. + if (old_value && index > old_len) { + memset(old_value + index, 0, index - old_len); + } + // The new. + Write(index, ins, ins_len); + // The tail of the old. + if (tail_len > 0) { + Write(index + ins_len, old_value + index + remove, tail_len); + } + + delete[] old_value; +} + +// This can't use the same trick as Write(), since we might be reading from a +// smaller data source. +bool DataBuffer::Read(size_t index, size_t count, uint64_t* val) const { + assert(count <= sizeof(uint64_t)); + assert(val); + if ((index > len()) || (count > (len() - index))) { + return false; + } + *val = 0; + for (size_t i = 0; i < count; ++i) { + *val = (*val << 8) | data()[index + i]; + } + return true; +} + +bool DataBuffer::Read(size_t index, size_t count, uint32_t* val) const { + assert(count <= sizeof(uint32_t)); + uint64_t tmp; + + if (!Read(index, count, &tmp)) { + return false; + } + *val = tmp & 0xffffffff; + return true; +} + +size_t DataBuffer::logging_limit = 32; + +/* static */ void DataBuffer::SetLogLimit(size_t limit) { + DataBuffer::logging_limit = limit; +} + +} // namespace nss_test diff --git a/cpputil/databuffer.h b/cpputil/databuffer.h index d229a360a1..58e07efe19 100644 --- a/cpputil/databuffer.h +++ b/cpputil/databuffer.h @@ -8,17 +8,9 @@ #define databuffer_h__ #include -#include #include #include #include -#if defined(WIN32) || defined(WIN64) -#include -#else -#include -#endif - -extern bool g_ssl_gtest_verbose; namespace nss_test { 
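Review bot: In `DataBuffer::Splice`, the "Maybe a gap" branch zeroes `old_value + index` for `index - old_len` bytes, but `old_value` is the old allocation of only `old_len` bytes and `index > old_len` holds in that branch, so the memset writes past the end of the old buffer while the gap `[old_len, index)` in the freshly allocated `data_` is left uninitialized (`new uint8_t[]` does not zero it). The intended statement looks like `memset(data_ + old_len, 0, index - old_len);`. This code is moved from databuffer.h rather than newly written, but it is the side under review, and a caller splicing beyond the current length would corrupt the heap.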
@@ -50,80 +42,18 @@ class DataBuffer {
 void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
- void Assign(const uint8_t* data, size_t len) {
- if (data) {
- Allocate(len);
- memcpy(static_cast(data_), static_cast(data), len);
- } else {
- assert(len == 0);
- data_ = nullptr;
- len_ = 0;
- }
- }
+ void Assign(const uint8_t* data, size_t len);
 // Write will do a new allocation and expand the size of the buffer if needed.
 // Returns the offset of the end of the write.
- size_t Write(size_t index, const uint8_t* val, size_t count) {
- assert(val);
- if (index + count > len_) {
- size_t newlen = index + count;
- uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
- if (data_) {
- memcpy(static_cast(tmp), static_cast(data_), len_);
- }
- if (index > len_) {
- memset(static_cast(tmp + len_), 0, index - len_);
- }
- delete[] data_;
- data_ = tmp;
- len_ = newlen;
- }
- if (data_) {
- memcpy(static_cast(data_ + index), static_cast(val),
- count);
- }
- return index + count;
- }
-
+ size_t Write(size_t index, const uint8_t* val, size_t count);
 size_t Write(size_t index, const DataBuffer& buf) {
 return Write(index, buf.data(), buf.len());
 }
 // Write an integer, also performing host-to-network order conversion.
 // Returns the offset of the end of the write.
- size_t Write(size_t index, uint32_t val, size_t count) {
- assert(count <= sizeof(uint32_t));
- uint32_t nvalue = htonl(val);
- auto* addr = reinterpret_cast(&nvalue);
- return Write(index, addr + sizeof(uint32_t) - count, count);
- }
-
- // This can't use the same trick as Write(), since we might be reading from a
- // smaller data source.
- bool Read(size_t index, size_t count, uint64_t* val) const {
- assert(count <= sizeof(uint64_t));
- assert(val);
- if ((index > len()) || (count > (len() - index))) {
- return false;
- }
- *val = 0;
- for (size_t i = 0; i < count; ++i) {
- *val = (*val << 8) | data()[index + i];
- }
- return true;
- }
-
- // Overload because we have a lot of places where we are doing uint32_t
- bool Read(size_t index, size_t count, uint32_t* val) const {
- assert(count <= sizeof(uint32_t));
- uint64_t tmp;
-
- if (!Read(index, count, &tmp)) {
- return false;
- }
- *val = tmp & 0xffffffff;
- return true;
- }
+ size_t Write(size_t index, uint32_t val, size_t count);
 // Starting at |index|, remove |remove| bytes and replace them with the
 // contents of |buf|.
@@ -132,53 +62,30 @@ class DataBuffer {
 }
 void Splice(const uint8_t* ins, size_t ins_len, size_t index,
- size_t remove = 0) {
- assert(ins);
- uint8_t* old_value = data_;
- size_t old_len = len_;
-
- // The amount of stuff remaining from the tail of the old.
- size_t tail_len = old_len - (std::min)(old_len, index + remove);
- // The new length: the head of the old, the new, and the tail of the old.
- len_ = index + ins_len + tail_len;
- data_ = new uint8_t[len_ ? len_ : 1];
-
- // The head of the old.
- if (old_value) {
- Write(0, old_value, (std::min)(old_len, index));
- }
- // Maybe a gap.
- if (old_value && index > old_len) {
- memset(old_value + index, 0, index - old_len);
- }
- // The new.
- Write(index, ins, ins_len);
- // The tail of the old.
- if (tail_len > 0) {
- Write(index + ins_len, old_value + index + remove, tail_len);
- }
-
- delete[] old_value;
- }
-
+ size_t remove = 0);
 void Append(const DataBuffer& buf) { Splice(buf, len_); }
+ bool Read(size_t index, size_t count, uint64_t* val) const;
+ bool Read(size_t index, size_t count, uint32_t* val) const;
+
 const uint8_t* data() const { return data_; }
 uint8_t* data() { return data_; }
 size_t len() const { return len_; }
 bool empty() const { return len_ == 0; }
+ static void SetLogLimit(size_t limit);
+ friend std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf);
+
 private:
+ static size_t logging_limit;
 uint8_t* data_;
 size_t len_;
 };
-static const size_t kMaxBufferPrint = 32;
-
 inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
 stream << "[" << buf.len() << "] ";
 for (size_t i = 0; i < buf.len(); ++i) {
- if (!g_ssl_gtest_verbose && i >= kMaxBufferPrint) {
+ if (i >= DataBuffer::logging_limit) {
 stream << "...";
 break;
 }
diff --git a/cpputil/manifest.mn b/cpputil/manifest.mn
index c515b8c2c7..b3ccad8b59 100644
--- a/cpputil/manifest.mn
+++ b/cpputil/manifest.mn
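Review bot: SetLogLimit and logging_limit are added without any comment, although logging_limit is process-wide mutable state that every DataBuffer's operator<< consults, and the header no longer tells the reader the unit or the default. Suggest above SetLogLimit: `// Cap on the number of bytes operator<< prints before writing "..."; shared by all DataBuffers (default 32, set in databuffer.cc).` Dropping the g_ssl_gtest_verbose check also means a verbose run now elides long buffers unless some caller raises the limit through SetLogLimit; if that caller lives outside this diff, naming it in the header comment would save the next reader a search.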
@@ -13,6 +13,7 @@ CPPSRCS = \
 $(NULL)
 else
 CPPSRCS = \
+ databuffer.cc \
 dummy_io.cc \
 dummy_io_fwd.cc \
 tls_parser.cc \
diff --git a/doc/certutil.xml b/doc/certutil.xml
index 461b213898..d5062bd5eb 100644
--- a/doc/certutil.xml
+++ b/doc/certutil.xml
@@ -455,6 +455,16 @@ of the attribute codes:
 Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.
+
+ --pss
+ Restrict the generated certificate (with the option) or certificate request (with the option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.
+
+
+
+ --pss-sign
+ Sign the generated certificate with the RSA-PSS signature scheme (with the or option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.
+
+
 -z noise-file
 Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.
diff --git a/doc/html/certutil.html b/doc/html/certutil.html
index eb2e94322b..902d1309a4 100644
--- a/doc/html/certutil.html
+++ b/doc/html/certutil.html
@@ -1,4 +1,4 @@
-CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the -d argument. Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname.

@@ -20,25 +20,26 @@ duplicate nicknames. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates). -

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

-o output-file

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility.

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

If a token is available that supports more curves, the foolowing curves are supported as well: - sect163k1, nistk163, sect163r1, sect163r2, - nistb163, sect193r1, sect193r2, sect233k1, nistk233, - sect233r1, nistb233, sect239k1, sect283k1, nistk283, - sect283r1, nistb283, sect409k1, nistk409, sect409r1, - nistb409, sect571k1, nistk571, sect571r1, nistb571, - secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, - nistp192, secp224k1, secp224r1, nistp224, secp256k1, - secp256r1, secp384r1, secp521r1, - prime192v1, prime192v2, prime192v3, - prime239v1, prime239v2, prime239v3, c2pnb163v1, - c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, - c2tnb191v2, c2tnb191v3, - c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, - c2pnb272w1, c2pnb304w1, - c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, - secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, - sect131r1, sect131r2

-
-r

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

-s subject

Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.

-t trustargs

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all +

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

-o output-file

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility.

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

+ If a token is available that supports more curves, the foolowing curves are supported as well: + sect163k1, nistk163, sect163r1, sect163r2, + nistb163, sect193r1, sect193r2, sect233k1, nistk233, + sect233r1, nistb233, sect239k1, sect283k1, nistk283, + sect283r1, nistb283, sect409k1, nistk409, sect409r1, + nistb409, sect571k1, nistk571, sect571r1, nistb571, + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, + nistp192, secp224k1, secp224r1, nistp224, secp256k1, + secp256r1, secp384r1, secp521r1, + prime192v1, prime192v2, prime192v3, + prime239v1, prime239v2, prime239v3, c2pnb163v1, + c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, + c2tnb191v2, c2tnb191v3, + c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, + c2pnb272w1, c2pnb304w1, + c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, + secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, + sect131r1, sect131r2 +

-r

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

-s subject

Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.

-t trustargs

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all of the attribute codes:

  • p - Valid peer @@ -59,7 +60,7 @@ the certificate or adding it to a database. Express the offset in integers, using a minus sign (-) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length - of the validity period is set with the -v argument.

-X

Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

-x

Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

-y exp

Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

-z noise-file

Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.

-Z hashAlg

Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

  • MD2

  • MD4

  • MD5

  • SHA1

  • SHA224

  • SHA256

  • SHA384

  • SHA512

-0 SSO_password

Set a site security officer password on a token.

-1 | --keyUsage keyword,keyword

Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

  • + of the validity period is set with the -v argument.

-X

Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

-x

Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

-y exp

Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

--pss

Restrict the generated certificate (with the -S option) or certificate request (with the -R option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.

--pss-sign

Sign the generated certificate with the RSA-PSS signature scheme (with the -C or -S option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.

-z noise-file

Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.

-Z hashAlg

Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

  • MD2

  • MD4

  • MD5

  • SHA1

  • SHA224

  • SHA256

  • SHA384

  • SHA512

-0 SSO_password

Set a site security officer password on a token.

-1 | --keyUsage keyword,keyword

Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

  • digitalSignature

  • nonRepudiation diff --git a/doc/html/pk12util.html b/doc/html/pk12util.html index fe516dd83a..94dbf51e97 100644 --- a/doc/html/pk12util.html +++ b/doc/html/pk12util.html @@ -1,6 +1,6 @@ -PK12UTIL

    Name

    pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

    Synopsis

    pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

    STATUS

    This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

    Description

    The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.

    Options and Arguments

    Options

    -i p12file

    Import keys and certificates from a PKCS#12 file into a security database.

    -l p12file

    List the keys and certificates in PKCS#12 file.

    -o p12file

    Export keys and certificates from the security database to a PKCS#12 file.

    Arguments

    -c keyCipher

    Specify the key encryption algorithm.

    -C certCipher

    Specify the key cert (overall package) encryption algorithm.

    -d [sql:]directory

    Specify the database directory into which to import to or export from certificates and keys.

    pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

    -h tokenname

    Specify the name of the token to import into or export from.

    -k slotPasswordFile

    Specify the text file containing the slot's password.

    -K slotPassword

    Specify the slot's password.

    -m | --key-len keyLength

    Specify the desired length of the symmetric key to be used to encrypt the private key.

    -n | --cert-key-len certKeyLength

    Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

    -n certname

    Specify the nickname of the cert and private key to export.

    -P prefix

    Specify the prefix used on the certificate and key databases. This option is provided as a special case. - Changing the names of the certificate and key databases is not recommended.

    -r

    Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

    -v

    Enable debug logging when importing.

    -w p12filePasswordFile

    Specify the text file containing the pkcs #12 file password.

    -W p12filePassword

    Specify the pkcs #12 file password.

    Return Codes

    • 0 - No error

    • 1 - User Cancelled

    • 2 - Usage error

    • 6 - NLS init error

    • 8 - Certificate DB open error

    • 9 - Key DB open error

    • 10 - File initialization error

    • 11 - Unicode conversion error

    • 12 - Temporary file creation error

    • 13 - PKCS11 get slot error

    • 14 - PKCS12 decoder start error

    • 15 - error read from import file

    • 16 - pkcs12 decode error

    • 17 - pkcs12 decoder verify error

    • 18 - pkcs12 decoder validate bags error

    • 19 - pkcs12 decoder import bags error

    • 20 - key db conversion version 3 to version 2 error

    • 21 - cert db conversion version 7 to version 5 error

    • 22 - cert and key dbs patch error

    • 23 - get default cert db error

    • 24 - find cert by nickname error

    • 25 - create export context error

    • 26 - PKCS12 add password itegrity error

    • 27 - cert and key Safes creation error

    • 28 - PKCS12 add cert and key error

    • 29 - PKCS12 encode error

    Examples

    Importing Keys and Certificates

    The most basic usage of pk12util for importing a certificate or key is the PKCS#12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token). +PK12UTIL

    Name

    pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

    Synopsis

    pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

    STATUS

    This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

    Description

    The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

    Options and Arguments

    Options

    -i p12file

    Import keys and certificates from a PKCS #12 file into a security database.

    -l p12file

    List the keys and certificates in PKCS #12 file.

    -o p12file

    Export keys and certificates from the security database to a PKCS #12 file.

    Arguments

    -c keyCipher

    Specify the key encryption algorithm.

    -C certCipher

    Specify the certiticate encryption algorithm.

    -d [sql:]directory

    Specify the database directory into which to import to or export from certificates and keys.

    pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

    -h tokenname

    Specify the name of the token to import into or export from.

    -k slotPasswordFile

    Specify the text file containing the slot's password.

    -K slotPassword

    Specify the slot's password.

    -m | --key-len keyLength

    Specify the desired length of the symmetric key to be used to encrypt the private key.

    -n | --cert-key-len certKeyLength

    Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

    -n certname

    Specify the nickname of the cert and private key to export.

    -P prefix

    Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended.

    -r

    Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

    -v

    Enable debug logging when importing.

    -w p12filePasswordFile

    Specify the text file containing the pkcs #12 file password.

    -W p12filePassword

    Specify the pkcs #12 file password.

    Return Codes

    • 0 - No error

    • 1 - User Cancelled

    • 2 - Usage error

    • 6 - NLS init error

    • 8 - Certificate DB open error

    • 9 - Key DB open error

    • 10 - File initialization error

    • 11 - Unicode conversion error

    • 12 - Temporary file creation error

    • 13 - PKCS11 get slot error

    • 14 - PKCS12 decoder start error

    • 15 - error read from import file

    • 16 - pkcs12 decode error

    • 17 - pkcs12 decoder verify error

    • 18 - pkcs12 decoder validate bags error

    • 19 - pkcs12 decoder import bags error

    • 20 - key db conversion version 3 to version 2 error

    • 21 - cert db conversion version 7 to version 5 error

    • 22 - cert and key dbs patch error

    • 23 - get default cert db error

    • 24 - find cert by nickname error

    • 25 - create export context error

    • 26 - PKCS12 add password itegrity error

    • 27 - cert and key Safes creation error

    • 28 - PKCS12 add cert and key error

    • 29 - PKCS12 encode error

    Examples

    Importing Keys and Certificates

    The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token).

    pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

    For example:

    # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
    @@ -12,7 +12,7 @@
     Enter new password: 
     Re-enter password: 
     Enter password for PKCS12 file: 
    -pk12util: PKCS12 IMPORT SUCCESSFUL

    Exporting Keys and Certificates

    Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. +pk12util: PKCS12 IMPORT SUCCESSFUL

    Exporting Keys and Certificates

    Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.

    pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

    For example:

    # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
     Enter password for PKCS12 file: 
     Re-enter password: 

    Listing Keys and Certificates

    The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. @@ -48,7 +48,7 @@ Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID -

    Password Encryption

    PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.

    The private key is always protected with strong encryption by default.

    Several types of ciphers are supported.

    Symmetric CBC ciphers for PKCS#5 V2
    • DES-CBC

    • RC2-CBC

    • RC5-CBCPad

    • DES-EDE3-CBC (the default for key encryption)

    • AES-128-CBC

    • AES-192-CBC

    • AES-256-CBC

    • CAMELLIA-128-CBC

    • CAMELLIA-192-CBC

    • CAMELLIA-256-CBC

    PKCS#12 PBE ciphers
    • PKCS #12 PBE with Sha1 and 128 Bit RC4

    • PKCS #12 PBE with Sha1 and 40 Bit RC4

    • PKCS #12 PBE with Sha1 and Triple DES CBC

    • PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC

    • PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC

    • PKCS12 V2 PBE with SHA1 and 128 Bit RC4

    • PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)

    • PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc

    • PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc

    • PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC

    • PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC

    PKCS#5 PBE ciphers
    • PKCS #5 Password Based Encryption with MD2 and DES CBC

    • PKCS #5 Password Based Encryption with MD5 and DES CBC

    • PKCS #5 Password Based Encryption with SHA1 and DES CBC

    With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation.

    NSS Database Types

    NSS originally used BerkeleyDB databases to store security information. +

    Password Encryption

    PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the -C option.

    The private key is always protected with strong encryption by default.

    Several types of ciphers are supported.

    PKCS #5 password-based encryption
    • PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")

    PKCS #12 password-based encryption
    • SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4")

    • SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode)

    • SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC")

    • SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC")

    • SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC")

    With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation.

    NSS Database Types

    NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy databases are:

    • cert8.db for certificates

    • @@ -68,7 +68,7 @@ Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

      # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb

      To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

      export NSS_DEFAULT_DB_TYPE="sql"

      This line can be set added to the ~/.bashrc file to make the change permanent.

      Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

      • https://wiki.mozilla.org/NSS_Shared_DB_Howto

      For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

      • https://wiki.mozilla.org/NSS_Shared_DB -

    See Also

    certutil (1)

    modutil (1)

    The NSS wiki has information on the new database design and how to configure applications to use it.

    • +

    Compatibility Notes

    The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported.

    Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.

    Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme.

    For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools.

    See Also

    certutil (1)

    modutil (1)

    The NSS wiki has information on the new database design and how to configure applications to use it.

    • https://wiki.mozilla.org/NSS_Shared_DB_Howto

    • https://wiki.mozilla.org/NSS_Shared_DB

    Additional Resources

    For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

    IRC: Freenode at #dogtag-pki

    Authors

    The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

    diff --git a/doc/nroff/certutil.1 b/doc/nroff/certutil.1 index b2a8bd2bb8..80a02fc276 100644 --- a/doc/nroff/certutil.1 +++ b/doc/nroff/certutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: CERTUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 8 September 2016 +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 27 October 2017 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CERTUTIL" "1" "8 September 2016" "nss-tools" "NSS Security Tools" +.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -371,9 +371,9 @@ Read an alternate PQG value from the specified file when generating DSA key pair \fBcertutil\fR generates its own PQG value\&. PQG files are created with a separate DSA utility\&. .sp -Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519. +Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519\&. .sp -If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 +If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, 
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 .RE .PP \-r @@ -609,6 +609,24 @@ to generate the signature for a certificate being created or added to a database Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&. .RE .PP +\-\-pss +.RS 4 +Restrict the generated certificate (with the +\fB\-S\fR +option) or certificate request (with the +\fB\-R\fR +option) to be used with the RSA\-PSS signature scheme\&. This only works when the private key of the certificate or certificate request is RSA\&. +.RE +.PP +\-\-pss\-sign +.RS 4 +Sign the generated certificate with the RSA\-PSS signature scheme (with the +\fB\-C\fR +or +\fB\-S\fR +option)\&. This only works when the private key of the signer\*(Aqs certificate is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not necessary to specify this option\&. +.RE +.PP \-z noise\-file .RS 4 Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&. @@ -1512,7 +1530,8 @@ There are ways to narrow the keys listed in the search results: .IP \(bu 2.3 .\} To return a specific key, use the -\fB\-n\fR\fIname\fR +\fB\-n\fR +\fIname\fR argument with the name of the key\&. .RE .sp @@ -1525,7 +1544,8 @@ argument with the name of the key\&. .IP \(bu 2.3 .\} If there are multiple security devices loaded, then the -\fB\-h\fR\fItokenname\fR +\fB\-h\fR +\fItokenname\fR argument can search a specific token or all tokens\&. .RE .sp 
@@ -1538,7 +1558,8 @@ argument can search a specific token or all tokens\&. .IP \(bu 2.3 .\} If there are multiple key types available, then the -\fB\-k\fR\fIkey\-type\fR +\fB\-k\fR +\fIkey\-type\fR argument can search a specific type of key, like RSA, DSA, or ECC\&. .RE .PP diff --git a/doc/nroff/pk12util.1 b/doc/nroff/pk12util.1 index c4fa972c0a..e0a8da833e 100644 --- a/doc/nroff/pk12util.1 +++ b/doc/nroff/pk12util.1 @@ -1,13 +1,13 @@ '\" t .\" Title: PK12UTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 5 June 2014 +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 27 October 2017 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" +.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -39,24 +39,24 @@ This documentation is still work in progress\&. Please contribute to the initial .SH "DESCRIPTION" .PP The PKCS #12 utility, -\fBpk12util\fR, enables sharing certificates among any server that supports PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&. +\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&. .SH "OPTIONS AND ARGUMENTS" .PP \fBOptions\fR .PP \-i p12file .RS 4 -Import keys and certificates from a PKCS#12 file into a security database\&. +Import keys and certificates from a PKCS #12 file into a security database\&. .RE .PP \-l p12file .RS 4 -List the keys and certificates in PKCS#12 file\&. +List the keys and certificates in PKCS #12 file\&. .RE .PP \-o p12file .RS 4 -Export keys and certificates from the security database to a PKCS#12 file\&. +Export keys and certificates from the security database to a PKCS #12 file\&. .RE .PP \fBArguments\fR @@ -68,7 +68,7 @@ Specify the key encryption algorithm\&. .PP \-C certCipher .RS 4 -Specify the key cert (overall package) encryption algorithm\&. +Specify the certiticate encryption algorithm\&. .RE .PP \-d [sql:]directory @@ -432,7 +432,7 @@ Specify the pkcs #12 file password\&. .PP The most basic usage of \fBpk12util\fR -for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either +for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either \fB\-d\fR for a directory or \fB\-h\fR 
@@ -467,7 +467,7 @@ pk12util: PKCS12 IMPORT SUCCESSFUL .PP Using the \fBpk12util\fR -command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. +command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. .PP pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] .PP 
@@ -559,17 +559,17 @@ Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pt .\} .SH "PASSWORD ENCRYPTION" .PP -PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using -\fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR -for private key encryption\&. -\fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR -is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&. +PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify +\fB"NONE"\fR +as the argument of the +\fB\-C\fR +option\&. .PP The private key is always protected with strong encryption by default\&. .PP Several types of ciphers are supported\&. .PP -Symmetric CBC ciphers for PKCS#5 V2 +PKCS #5 password\-based encryption .RS 4 .sp .RS 4 
@@ -580,110 +580,13 @@ Symmetric CBC ciphers for PKCS#5 V2 .sp -1 .IP \(bu 2.3 .\} -DES\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -RC2\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -RC5\-CBCPad -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -DES\-EDE3\-CBC (the default for key encryption) -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -AES\-128\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -AES\-192\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -AES\-256\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -CAMELLIA\-128\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -CAMELLIA\-192\-CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -CAMELLIA\-256\-CBC +PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR, +\fB"AES\-192\-CBC"\fR, and +\fB"AES\-256\-CBC"\fR) .RE .RE .PP -PKCS#12 PBE ciphers +PKCS #12 password\-based encryption .RS 4 .sp .RS 4 @@ -694,7 +597,9 @@ PKCS#12 PBE ciphers .sp -1 .IP \(bu 2.3 .\} -PKCS #12 PBE with Sha1 and 128 Bit RC4 +SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR +or +\fB"RC4"\fR) .RE .sp .RS 4 @@ -705,7 +610,7 @@ PKCS #12 PBE with Sha1 and 128 Bit RC4 .sp -1 .IP \(bu 2.3 .\} -PKCS #12 PBE with Sha1 and 40 Bit RC4 +SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode) .RE .sp .RS 4 
@@ -716,7 +621,9 @@ PKCS #12 PBE with Sha1 and 40 Bit RC4 .sp -1 .IP \(bu 2.3 .\} -PKCS #12 PBE with Sha1 and Triple DES CBC +SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR +or +\fB"DES\-EDE3\-CBC"\fR) .RE .sp .RS 4 @@ -727,7 +634,9 @@ PKCS #12 PBE with Sha1 and Triple DES CBC .sp -1 .IP \(bu 2.3 .\} -PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC +SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR +or +\fB"RC2\-CBC"\fR) .RE .sp .RS 4 
@@ -738,114 +647,11 @@ PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC .sp -1 .IP \(bu 2.3 .\} -PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 128 Bit RC4 -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode) -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC +SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR) .RE .RE .PP -PKCS#5 PBE ciphers -.RS 4 -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS #5 Password Based Encryption with MD2 and DES CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS #5 Password Based Encryption with MD5 and DES CBC -.RE -.sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -PKCS #5 Password Based Encryption with SHA1 and DES CBC -.RE -.RE -.PP -With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error +With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. 
If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error \fIno security module can perform the requested operation\fR\&. .SH "NSS DATABASE TYPES" .PP @@ -987,6 +793,27 @@ For an engineering draft on the changes in the shared NSS databases, see the NSS .\} https://wiki\&.mozilla\&.org/NSS_Shared_DB .RE +.SH "COMPATIBILITY NOTES" +.PP +The exporting behavior of +\fBpk12util\fR +has changed over time, while importing files exported with older versions of NSS is still supported\&. +.PP +Until the 3\&.30 release, +\fBpk12util\fR +used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&. +.PP +Until the 3\&.31 release, even when +\fB"AES\-128\-CBC"\fR +or +\fB"AES\-192\-CBC"\fR +is given from the command line, +\fBpk12util\fR +always used 256\-bit AES as the underlying encryption scheme\&. +.PP +For historical reasons, +\fBpk12util\fR +accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&. .SH "SEE ALSO" .PP certutil (1) diff --git a/doc/pk12util.xml b/doc/pk12util.xml index 03ee356e65..c267949653 100644 --- a/doc/pk12util.xml +++ b/doc/pk12util.xml 
@@ -46,7 +46,7 @@ Description - The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys. + The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys. @@ -55,17 +55,17 @@ -i p12file - Import keys and certificates from a PKCS#12 file into a security database. + Import keys and certificates from a PKCS #12 file into a security database. -l p12file - List the keys and certificates in PKCS#12 file. + List the keys and certificates in PKCS #12 file. -o p12file - Export keys and certificates from the security database to a PKCS#12 file. + Export keys and certificates from the security database to a PKCS #12 file. @@ -78,7 +78,7 @@ -C certCipher - Specify the key cert (overall package) encryption algorithm. + Specify the certiticate encryption algorithm. @@ -233,7 +233,7 @@ Examples Importing Keys and Certificates - The most basic usage of pk12util for importing a certificate or key is the PKCS#12 input file () and some way to specify the security database being accessed (either for a directory or for a token). + The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file () and some way to specify the security database being accessed (either for a directory or for a token). pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] 
@@ -252,7 +252,7 @@ Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL Exporting Keys and Certificates - Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. + Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] For example: 
@@ -304,58 +304,34 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L Password Encryption - PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption. + PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. The private key is always protected with strong encryption by default. Several types of ciphers are supported. 
- Symmetric CBC ciphers for PKCS#5 V2 + PKCS #5 password-based encryption - - DES-CBC - RC2-CBC - RC5-CBCPad - DES-EDE3-CBC (the default for key encryption) - AES-128-CBC - AES-192-CBC - AES-256-CBC - CAMELLIA-128-CBC - CAMELLIA-192-CBC - CAMELLIA-256-CBC - + + PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") + - PKCS#12 PBE ciphers + PKCS #12 password-based encryption - - PKCS #12 PBE with Sha1 and 128 Bit RC4 - PKCS #12 PBE with Sha1 and 40 Bit RC4 - PKCS #12 PBE with Sha1 and Triple DES CBC - PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC - PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC - PKCS12 V2 PBE with SHA1 and 128 Bit RC4 - PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode) - PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc - PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc - PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC - PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC - - - - PKCS#5 PBE ciphers - - - PKCS #5 Password Based Encryption with MD2 and DES CBC - PKCS #5 Password Based Encryption with MD5 and DES CBC - PKCS #5 Password Based Encryption with SHA1 and DES CBC - + + SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4") + SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode) + SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC") + SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC") + SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC") + - With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). 
If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation. + With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation. NSS Database Types @@ -432,6 +408,14 @@ Using the SQLite databases must be manually specified by using the sql: + + Compatibility Notes + The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported. + Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard. + Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme. + For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools. + + See Also certutil (1) diff --git a/fuzz/tls_mutators.cc b/fuzz/tls_mutators.cc index ad61ff8487..228bd0bb7a 100644 --- a/fuzz/tls_mutators.cc +++ b/fuzz/tls_mutators.cc @@ -2,6 +2,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include #include "shared.h" #include "tls_parser.h" diff --git a/gtests/common/util.h b/gtests/common/util.h index ccab5604e1..7ed1fd7991 100644 --- a/gtests/common/util.h +++ b/gtests/common/util.h 
@@ -10,7 +10,7 @@
 #include
 #include
-std::vector hex_string_to_bytes(std::string s) {
+static inline std::vector hex_string_to_bytes(std::string s) {
 std::vector bytes;
 for (size_t i = 0; i < s.length(); i += 2) {
 bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
diff --git a/gtests/cryptohi_gtest/Makefile b/gtests/cryptohi_gtest/Makefile
new file mode 100644
index 0000000000..0d547e0803
--- /dev/null
+++ b/gtests/cryptohi_gtest/Makefile
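Review bot: hex_string_to_bytes still does not check that `s` has even length, so for an odd-length string the final `s.substr(i, 2)` is a lone nibble that `std::stoul` silently parses as a whole byte, and a non-hex character makes `std::stoul` throw `std::invalid_argument` instead of reporting a malformed test vector; with base 16 it also accepts leading whitespace, a sign and a `0x` prefix inside a two-character chunk. Now that the commit turns this into a header-defined `static inline` helper shared by every gtest binary, a guard at the top such as `assert(s.length() % 2 == 0);` would make a bad vector fail at the helper rather than yield a shorter byte string downstream. Taking `const std::string &s` would also avoid copying each vector on every call. The loop body and the function's closing brace are outside the hunk.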
@@ -0,0 +1,43 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../common/gtest.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### diff --git a/gtests/cryptohi_gtest/cryptohi_gtest.gyp b/gtests/cryptohi_gtest/cryptohi_gtest.gyp new file mode 100644 index 0000000000..72c815ecac --- /dev/null 
+++ b/gtests/cryptohi_gtest/cryptohi_gtest.gyp @@ -0,0 +1,29 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../common/gtest.gypi', + ], + 'targets': [ + { + 'target_name': 'cryptohi_gtest', + 'type': 'executable', + 'sources': [ + 'cryptohi_unittest.cc', + '<(DEPTH)/gtests/common/gtests.cc' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/gtests/google_test/google_test.gyp:gtest', + '<(DEPTH)/lib/util/util.gyp:nssutil3', + '<(DEPTH)/lib/ssl/ssl.gyp:ssl3', + '<(DEPTH)/lib/nss/nss.gyp:nss3', + ] + } + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/gtests/cryptohi_gtest/cryptohi_unittest.cc b/gtests/cryptohi_gtest/cryptohi_unittest.cc new file mode 100644 index 0000000000..ab553ee012 --- /dev/null +++ b/gtests/cryptohi_gtest/cryptohi_unittest.cc 
@@ -0,0 +1,373 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include + +#include "gtest/gtest.h" + +#include "scoped_ptrs.h" +#include "cryptohi.h" +#include "secitem.h" +#include "secerr.h" + +namespace nss_test { + +class SignParamsTestF : public ::testing::Test { + protected: + ScopedPLArenaPool arena_; + ScopedSECKEYPrivateKey privk_; + ScopedSECKEYPublicKey pubk_; + ScopedSECKEYPrivateKey ecPrivk_; + ScopedSECKEYPublicKey ecPubk_; + + void SetUp() { + arena_.reset(PORT_NewArena(2048)); + + SECKEYPublicKey *pubk; + SECKEYPrivateKey *privk = SECKEY_CreateRSAPrivateKey(1024, &pubk, NULL); + ASSERT_NE(nullptr, pubk); + pubk_.reset(pubk); + ASSERT_NE(nullptr, privk); + privk_.reset(privk); + + SECKEYECParams ecParams = {siBuffer, NULL, 0}; + SECOidData *oidData; + oidData = SECOID_FindOIDByTag(SEC_OID_CURVE25519); + ASSERT_NE(nullptr, oidData); + ASSERT_NE(nullptr, + SECITEM_AllocItem(NULL, &ecParams, (2 + oidData->oid.len))) + << "Couldn't allocate memory for OID."; + ecParams.data[0] = SEC_ASN1_OBJECT_ID; /* we have to prepend 0x06 */ + ecParams.data[1] = oidData->oid.len; + memcpy(ecParams.data + 2, oidData->oid.data, oidData->oid.len); + SECKEYPublicKey *ecPubk; + SECKEYPrivateKey *ecPrivk = + SECKEY_CreateECPrivateKey(&ecParams, &ecPubk, NULL); + ASSERT_NE(nullptr, ecPubk); + ecPubk_.reset(ecPubk); + ASSERT_NE(nullptr, ecPrivk); + ecPrivk_.reset(ecPrivk); + } + + void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) { + PORT_Memset(params, 0, sizeof(SECKEYRSAPSSParams)); + + params->hashAlg = (SECAlgorithmID *)PORT_ArenaZAlloc( + arena_.get(), sizeof(SECAlgorithmID)); + ASSERT_NE(nullptr, params->hashAlg); + SECStatus rv = + SECOID_SetAlgorithmID(arena_.get(), 
params->hashAlg, hashAlgTag, NULL); + ASSERT_EQ(SECSuccess, rv); + } + + void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag, + SECOidTag maskHashAlgTag) { + CreatePssParams(params, hashAlgTag); + + SECAlgorithmID maskHashAlg; + PORT_Memset(&maskHashAlg, 0, sizeof(maskHashAlg)); + SECStatus rv = + SECOID_SetAlgorithmID(arena_.get(), &maskHashAlg, maskHashAlgTag, NULL); + ASSERT_EQ(SECSuccess, rv); + + SECItem *maskHashAlgItem = + SEC_ASN1EncodeItem(arena_.get(), NULL, &maskHashAlg, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); + + params->maskAlg = (SECAlgorithmID *)PORT_ArenaZAlloc( + arena_.get(), sizeof(SECAlgorithmID)); + ASSERT_NE(nullptr, params->maskAlg); + + rv = SECOID_SetAlgorithmID(arena_.get(), params->maskAlg, + SEC_OID_PKCS1_MGF1, maskHashAlgItem); + ASSERT_EQ(SECSuccess, rv); + } + + void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag, + SECOidTag maskHashAlgTag, unsigned long saltLength) { + CreatePssParams(params, hashAlgTag, maskHashAlgTag); + + SECItem *saltLengthItem = + SEC_ASN1EncodeInteger(arena_.get(), ¶ms->saltLength, saltLength); + ASSERT_EQ(¶ms->saltLength, saltLengthItem); + } + + void CheckHashAlg(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) { + // If hash algorithm is SHA-1, it must be omitted in the parameters + if (hashAlgTag == SEC_OID_SHA1) { + EXPECT_EQ(nullptr, params->hashAlg); + } else { + EXPECT_NE(nullptr, params->hashAlg); + EXPECT_EQ(hashAlgTag, SECOID_GetAlgorithmTag(params->hashAlg)); + } + } + + void CheckMaskAlg(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) { + SECStatus rv; + + // If hash algorithm is SHA-1, it must be omitted in the parameters + if (hashAlgTag == SEC_OID_SHA1) + EXPECT_EQ(nullptr, params->hashAlg); + else { + EXPECT_NE(nullptr, params->maskAlg); + EXPECT_EQ(SEC_OID_PKCS1_MGF1, SECOID_GetAlgorithmTag(params->maskAlg)); + + SECAlgorithmID hashAlg; + rv = SEC_QuickDERDecodeItem(arena_.get(), &hashAlg, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + 
¶ms->maskAlg->parameters); + ASSERT_EQ(SECSuccess, rv); + + EXPECT_EQ(hashAlgTag, SECOID_GetAlgorithmTag(&hashAlg)); + } + } + + void CheckSaltLength(SECKEYRSAPSSParams *params, SECOidTag hashAlg) { + // If the salt length parameter is missing, that means it is 20 (default) + if (!params->saltLength.data) { + return; + } + + unsigned long value; + SECStatus rv = SEC_ASN1DecodeInteger(¶ms->saltLength, &value); + ASSERT_EQ(SECSuccess, rv); + + // The salt length are usually the same as the hash length, + // except for the case where the hash length exceeds the limit + // set by the key length + switch (hashAlg) { + case SEC_OID_SHA1: + EXPECT_EQ(20UL, value); + break; + case SEC_OID_SHA224: + EXPECT_EQ(28UL, value); + break; + case SEC_OID_SHA256: + EXPECT_EQ(32UL, value); + break; + case SEC_OID_SHA384: + EXPECT_EQ(48UL, value); + break; + case SEC_OID_SHA512: + // Truncated from 64, because our private key is 1024-bit + EXPECT_EQ(62UL, value); + break; + default: + FAIL(); + } + } +}; + +class SignParamsTest + : public SignParamsTestF, + public ::testing::WithParamInterface> {}; + +class SignParamsSourceTest : public SignParamsTestF, + public ::testing::WithParamInterface {}; + +TEST_P(SignParamsTest, CreateRsa) { + SECOidTag hashAlg = std::get<0>(GetParam()); + SECOidTag srcHashAlg = std::get<1>(GetParam()); + + SECItem *srcParams; + if (srcHashAlg != SEC_OID_UNKNOWN) { + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, srcHashAlg, srcHashAlg)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + } else { + srcParams = NULL; + } + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_ENCRYPTION, hashAlg, srcParams, + privk_.get()); + + // PKCS#1 RSA actually doesn't take any parameters, but if it is + // given, return a copy of it + if (srcHashAlg != SEC_OID_UNKNOWN) { + 
EXPECT_EQ(srcParams->len, params->len); + EXPECT_EQ(0, memcmp(params->data, srcParams->data, srcParams->len)); + } else { + EXPECT_EQ(nullptr, params); + } +} + +TEST_P(SignParamsTest, CreateRsaPss) { + SECOidTag hashAlg = std::get<0>(GetParam()); + SECOidTag srcHashAlg = std::get<1>(GetParam()); + + SECItem *srcParams; + if (srcHashAlg != SEC_OID_UNKNOWN) { + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, srcHashAlg, srcHashAlg)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + } else { + srcParams = NULL; + } + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg, + srcParams, privk_.get()); + + if (hashAlg != SEC_OID_UNKNOWN && srcHashAlg != SEC_OID_UNKNOWN && + hashAlg != srcHashAlg) { + EXPECT_EQ(nullptr, params); + return; + } + + EXPECT_NE(nullptr, params); + + SECKEYRSAPSSParams pssParams; + PORT_Memset(&pssParams, 0, sizeof(pssParams)); + SECStatus rv = + SEC_QuickDERDecodeItem(arena_.get(), &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate), params); + ASSERT_EQ(SECSuccess, rv); + + if (hashAlg == SEC_OID_UNKNOWN) { + if (!pssParams.hashAlg) { + hashAlg = SEC_OID_SHA1; + } else { + hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } + + if (srcHashAlg == SEC_OID_UNKNOWN) { + // If both hashAlg and srcHashAlg is unset, NSS will decide the hash + // algorithm based on the key length; in this case it's SHA256 + EXPECT_EQ(SEC_OID_SHA256, hashAlg); + } else { + EXPECT_EQ(srcHashAlg, hashAlg); + } + } + + ASSERT_NO_FATAL_FAILURE(CheckHashAlg(&pssParams, hashAlg)); + ASSERT_NO_FATAL_FAILURE(CheckMaskAlg(&pssParams, hashAlg)); + ASSERT_NO_FATAL_FAILURE(CheckSaltLength(&pssParams, hashAlg)); + + // The default trailer field (1) must be omitted + EXPECT_EQ(nullptr, pssParams.trailerField.data); +} + +TEST_P(SignParamsTest, 
CreateRsaPssWithECPrivateKey) { + SECOidTag hashAlg = std::get<0>(GetParam()); + SECOidTag srcHashAlg = std::get<1>(GetParam()); + + SECItem *srcParams; + if (srcHashAlg != SEC_OID_UNKNOWN) { + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, srcHashAlg, srcHashAlg)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + } else { + srcParams = NULL; + } + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg, + srcParams, ecPrivk_.get()); + + EXPECT_EQ(nullptr, params); +} + +TEST_P(SignParamsTest, CreateRsaPssWithInvalidHashAlg) { + SECOidTag srcHashAlg = std::get<1>(GetParam()); + + SECItem *srcParams; + if (srcHashAlg != SEC_OID_UNKNOWN) { + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, srcHashAlg, srcHashAlg)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + } else { + srcParams = NULL; + } + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, SEC_OID_MD5, + srcParams, privk_.get()); + + EXPECT_EQ(nullptr, params); +} + +TEST_P(SignParamsSourceTest, CreateRsaPssWithInvalidHashAlg) { + SECOidTag hashAlg = GetParam(); + + SECItem *srcParams; + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, SEC_OID_MD5, SEC_OID_MD5)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg, + srcParams, privk_.get()); + + EXPECT_EQ(nullptr, params); +} + +TEST_P(SignParamsSourceTest, CreateRsaPssWithInvalidSaltLength) { + 
SECOidTag hashAlg = GetParam(); + + SECItem *srcParams; + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, SEC_OID_SHA512, SEC_OID_SHA512, 100)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg, + srcParams, privk_.get()); + + EXPECT_EQ(nullptr, params); +} + +TEST_P(SignParamsSourceTest, CreateRsaPssWithHashMismatch) { + SECOidTag hashAlg = GetParam(); + + SECItem *srcParams; + SECKEYRSAPSSParams pssParams; + ASSERT_NO_FATAL_FAILURE( + CreatePssParams(&pssParams, SEC_OID_SHA256, SEC_OID_SHA512)); + srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); + ASSERT_NE(nullptr, srcParams); + + SECItem *params = SEC_CreateSignatureAlgorithmParameters( + arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg, + srcParams, privk_.get()); + + EXPECT_EQ(nullptr, params); +} + +INSTANTIATE_TEST_CASE_P( + SignParamsTestCases, SignParamsTest, + ::testing::Combine(::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1, + SEC_OID_SHA224, SEC_OID_SHA256, + SEC_OID_SHA384, SEC_OID_SHA512), + ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1, + SEC_OID_SHA224, SEC_OID_SHA256, + SEC_OID_SHA384, SEC_OID_SHA512))); + +INSTANTIATE_TEST_CASE_P(SignParamsSourceTestCases, SignParamsSourceTest, + ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1, + SEC_OID_SHA224, SEC_OID_SHA256, + SEC_OID_SHA384, SEC_OID_SHA512)); + +} // namespace nss_test diff --git a/gtests/cryptohi_gtest/manifest.mn b/gtests/cryptohi_gtest/manifest.mn new file mode 100644 index 0000000000..644463aa6a --- /dev/null +++ b/gtests/cryptohi_gtest/manifest.mn 
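Review bot: CheckMaskAlg's SHA-1 branch tests the wrong field — `EXPECT_EQ(nullptr, params->hashAlg);` should be `EXPECT_EQ(nullptr, params->maskAlg);` so that it is the mask-generation algorithm, not the hash, whose omission is checked, and that unbraced `if` should be braced like the one in CheckHashAlg. In CreateRsa, `params` is dereferenced (`params->len`) straight after SEC_CreateSignatureAlgorithmParameters without an `ASSERT_NE(nullptr, params);`, so a NULL return would crash the test binary instead of failing the case. SetUp never releases the buffer SECITEM_AllocItem attached to `ecParams` once the EC key pair exists; a `SECITEM_FreeItem(&ecParams, PR_FALSE);` after SECKEY_CreateECPrivateKey keeps the fixture leak-free. In the second CreatePssParams overload the result of SEC_ASN1EncodeItem (`maskHashAlgItem`) is handed to SECOID_SetAlgorithmID unchecked; an `ASSERT_NE(nullptr, maskHashAlgItem);` turns an encoding failure into a clear failure rather than a confusing one downstream.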
@@ -0,0 +1,22 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../.. +DEPTH = ../.. +MODULE = nss + +CPPSRCS = \ + cryptohi_unittest.cc \ + $(NULL) + +INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ + -I$(CORE_DEPTH)/gtests/common \ + -I$(CORE_DEPTH)/cpputil + +REQUIRES = nspr gtest + +PROGRAM = cryptohi_gtest + +EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \ + $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) diff --git a/gtests/manifest.mn b/gtests/manifest.mn index a435f8733c..13048f037c 100644 --- a/gtests/manifest.mn +++ b/gtests/manifest.mn @@ -21,6 +21,7 @@ ifneq ($(NSS_BUILD_UTIL_ONLY),1) NSS_SRCDIRS = \ certdb_gtest \ certhigh_gtest \ + cryptohi_gtest \ der_gtest \ pk11_gtest \ softoken_gtest \ diff --git a/gtests/pk11_gtest/manifest.mn b/gtests/pk11_gtest/manifest.mn index fb773ee18e..a3dff9d100 100644 --- a/gtests/pk11_gtest/manifest.mn +++ b/gtests/pk11_gtest/manifest.mn @@ -11,6 +11,7 @@ CPPSRCS = \ pk11_chacha20poly1305_unittest.cc \ pk11_curve25519_unittest.cc \ pk11_ecdsa_unittest.cc \ + pk11_encrypt_derive_unittest.cc \ pk11_export_unittest.cc \ pk11_pbkdf2_unittest.cc \ pk11_prf_unittest.cc \ @@ -23,10 +24,12 @@ INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ -I$(CORE_DEPTH)/gtests/common \ -I$(CORE_DEPTH)/cpputil -REQUIRES = nspr nss libdbm gtest +REQUIRES = nspr nss libdbm gtest cpputil PROGRAM = pk11_gtest -EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \ - $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) +EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \ + $(NULL) 
diff --git a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc index 30ac391c56..fb06598525 100644 --- a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc +++ b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc 
@@ -15,106 +15,117 @@ namespace nss_test { -class Pkcs11EcdsaTest : public Pk11SignatureTest { +class Pkcs11EcdsaTestBase : public Pk11SignatureTest { protected: - CK_MECHANISM_TYPE mechanism() { return CKM_ECDSA; } - SECItem* parameters() { return nullptr; } + Pkcs11EcdsaTestBase(SECOidTag hash_oid) + : Pk11SignatureTest(CKM_ECDSA, hash_oid) {} }; -class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTest { - protected: - SECOidTag hashOID() { return SEC_OID_SHA256; } +struct Pkcs11EcdsaTestParams { + SECOidTag hash_oid_; + Pkcs11SignatureTestParams sig_params_; }; -class Pkcs11EcdsaSha384Test : public Pkcs11EcdsaTest { - protected: - SECOidTag hashOID() { return SEC_OID_SHA384; } +class Pkcs11EcdsaTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface { + public: + Pkcs11EcdsaTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} }; -class Pkcs11EcdsaSha512Test : public Pkcs11EcdsaTest { - protected: - SECOidTag hashOID() { return SEC_OID_SHA512; } -}; - -TEST_F(Pkcs11EcdsaSha256Test, VerifyP256) { - SIG_TEST_VECTOR_VERIFY(kP256Spki, kP256Data, kP256Signature); -} - -TEST_F(Pkcs11EcdsaSha256Test, SignAndVerifyP256) { - SIG_TEST_VECTOR_SIGN_VERIFY(kP256Pkcs8, kP256Spki, kP256Data); -} - -TEST_F(Pkcs11EcdsaSha384Test, VerifyP384) { - SIG_TEST_VECTOR_VERIFY(kP384Spki, kP384Data, kP384Signature); -} +TEST_P(Pkcs11EcdsaTest, Verify) { Verify(GetParam().sig_params_); } -TEST_F(Pkcs11EcdsaSha384Test, SignAndVerifyP384) { - SIG_TEST_VECTOR_SIGN_VERIFY(kP384Pkcs8, kP384Spki, kP384Data); +TEST_P(Pkcs11EcdsaTest, SignAndVerify) { + SignAndVerify(GetParam().sig_params_); } -TEST_F(Pkcs11EcdsaSha512Test, VerifyP521) { - SIG_TEST_VECTOR_VERIFY(kP521Spki, kP521Data, kP521Signature); -} - -TEST_F(Pkcs11EcdsaSha512Test, SignAndVerifyP521) { - SIG_TEST_VECTOR_SIGN_VERIFY(kP521Pkcs8, kP521Spki, kP521Data); -} +static const Pkcs11EcdsaTestParams kEcdsaVectors[] = { + {SEC_OID_SHA256, + {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)), + DataBuffer(kP256Spki, 
sizeof(kP256Spki)), + DataBuffer(kP256Data, sizeof(kP256Data)), + DataBuffer(kP256Signature, sizeof(kP256Signature))}}, + {SEC_OID_SHA384, + {DataBuffer(kP384Pkcs8, sizeof(kP384Pkcs8)), + DataBuffer(kP384Spki, sizeof(kP384Spki)), + DataBuffer(kP384Data, sizeof(kP384Data)), + DataBuffer(kP384Signature, sizeof(kP384Signature))}}, + {SEC_OID_SHA512, + {DataBuffer(kP521Pkcs8, sizeof(kP521Pkcs8)), + DataBuffer(kP521Spki, sizeof(kP521Spki)), + DataBuffer(kP521Data, sizeof(kP521Data)), + DataBuffer(kP521Signature, sizeof(kP521Signature))}}}; + +INSTANTIATE_TEST_CASE_P(EcdsaSignVerify, Pkcs11EcdsaTest, + ::testing::ValuesIn(kEcdsaVectors)); + +class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTestBase { + public: + Pkcs11EcdsaSha256Test() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {} +}; // Importing a private key in PKCS#8 format must fail when the outer AlgID // struct contains neither id-ecPublicKey nor a namedCurve parameter. TEST_F(Pkcs11EcdsaSha256Test, ImportNoCurveOIDOrAlgorithmParams) { - EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8NoCurveOIDOrAlgorithmParams, - sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams))); + DataBuffer k(kP256Pkcs8NoCurveOIDOrAlgorithmParams, + sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); }; // Importing a private key in PKCS#8 format must succeed when only the outer // AlgID struct contains the namedCurve parameters. TEST_F(Pkcs11EcdsaSha256Test, ImportOnlyAlgorithmParams) { - EXPECT_TRUE(ImportPrivateKeyAndSignHashedData( - kP256Pkcs8OnlyAlgorithmParams, sizeof(kP256Pkcs8OnlyAlgorithmParams), - kP256Data, sizeof(kP256Data))); + DataBuffer k(kP256Pkcs8OnlyAlgorithmParams, + sizeof(kP256Pkcs8OnlyAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig)); }; // Importing a private key in PKCS#8 format must succeed when the outer AlgID // struct and the inner ECPrivateKey contain the same namedCurve parameters. 
// The inner curveOID is always ignored, so only the outer one will be used. TEST_F(Pkcs11EcdsaSha256Test, ImportMatchingCurveOIDAndAlgorithmParams) { - EXPECT_TRUE(ImportPrivateKeyAndSignHashedData( - kP256Pkcs8MatchingCurveOIDAndAlgorithmParams, - sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams), kP256Data, - sizeof(kP256Data))); + DataBuffer k(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams, + sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig)); }; // Importing a private key in PKCS#8 format must succeed when the outer AlgID // struct and the inner ECPrivateKey contain dissimilar namedCurve parameters. // The inner curveOID is always ignored, so only the outer one will be used. TEST_F(Pkcs11EcdsaSha256Test, ImportDissimilarCurveOIDAndAlgorithmParams) { - EXPECT_TRUE(ImportPrivateKeyAndSignHashedData( - kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams, - sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams), kP256Data, - sizeof(kP256Data))); + DataBuffer k(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams, + sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams)); + DataBuffer data(kP256Data, sizeof(kP256Data)); + DataBuffer sig; + EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig)); }; // Importing a private key in PKCS#8 format must fail when the outer ASN.1 // AlgorithmID struct contains only id-ecPublicKey but no namedCurve parameter. TEST_F(Pkcs11EcdsaSha256Test, ImportNoAlgorithmParams) { - EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8NoAlgorithmParams, - sizeof(kP256Pkcs8NoAlgorithmParams))); + DataBuffer k(kP256Pkcs8NoAlgorithmParams, + sizeof(kP256Pkcs8NoAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); }; // Importing a private key in PKCS#8 format must fail when id-ecPublicKey is // given (so we know it's an EC key) but the namedCurve parameter is unknown. 
TEST_F(Pkcs11EcdsaSha256Test, ImportInvalidAlgorithmParams) { - EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8InvalidAlgorithmParams, - sizeof(kP256Pkcs8InvalidAlgorithmParams))); + DataBuffer k(kP256Pkcs8InvalidAlgorithmParams, + sizeof(kP256Pkcs8InvalidAlgorithmParams)); + EXPECT_FALSE(ImportPrivateKey(k)); }; // Importing a private key in PKCS#8 format with a point not on the curve will // succeed. Using the contained public key however will fail when trying to // import it before using it for any operation. TEST_F(Pkcs11EcdsaSha256Test, ImportPointNotOnCurve) { - ScopedSECKEYPrivateKey privKey(ImportPrivateKey( - kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve))); + DataBuffer k(kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve)); + ScopedSECKEYPrivateKey privKey(ImportPrivateKey(k)); ASSERT_TRUE(privKey); ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get())); 
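Review bot: `Pkcs11EcdsaTestBase(SECOidTag hash_oid)` is a single-argument constructor and should be declared `explicit Pkcs11EcdsaTestBase(SECOidTag hash_oid)` so a bare SECOidTag cannot implicitly convert into the fixture. Replacing the named TEST_F cases (VerifyP256, VerifyP384, VerifyP521) with `TEST_P(Pkcs11EcdsaTest, Verify)` over kEcdsaVectors means failures are now reported by index with no curve in the name; a short comment above each entry of kEcdsaVectors, such as `// P-256 / SHA-256`, keeps that mapping readable when a run fails. The second hunk of this file only continues the same DataBuffer refactor and raises nothing further.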
@@ -130,23 +141,23 @@ TEST_F(Pkcs11EcdsaSha256Test, ImportPointNotOnCurve) { // Importing a private key in PKCS#8 format must fail when no point is given. // PK11 currently offers no APIs to derive raw public keys from private values. TEST_F(Pkcs11EcdsaSha256Test, ImportNoPublicKey) { - EXPECT_FALSE( - ImportPrivateKey(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey))); + DataBuffer k(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey)); + EXPECT_FALSE(ImportPrivateKey(k)); }; // Importing a public key in SPKI format must fail when id-ecPublicKey is // given (so we know it's an EC key) but the namedCurve parameter is missing. TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiNoAlgorithmParams) { - EXPECT_FALSE(ImportPublicKey(kP256SpkiNoAlgorithmParams, - sizeof(kP256SpkiNoAlgorithmParams))); + DataBuffer k(kP256SpkiNoAlgorithmParams, sizeof(kP256SpkiNoAlgorithmParams)); + EXPECT_FALSE(ImportPublicKey(k)); } // Importing a public key in SPKI format with a point not on the curve will // succeed. Using the public key however will fail when trying to import // it before using it for any operation. TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiPointNotOnCurve) { - ScopedSECKEYPublicKey pubKey(ImportPublicKey( - kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve))); + DataBuffer k(kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve)); + ScopedSECKEYPublicKey pubKey(ImportPublicKey(k)); ASSERT_TRUE(pubKey); ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); diff --git a/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc b/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc new file mode 100644 index 0000000000..aa92756f26 --- /dev/null +++ b/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc 
@@ -0,0 +1,210 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pk11pub.h" +#include "nssutil.h" +#include +#include "prerror.h" +#include "nss.h" +#include "gtest/gtest.h" +#include "scoped_ptrs.h" +#include "cpputil.h" +#include "databuffer.h" +#include "util.h" + +#define MAX_KEY_SIZE 24 + +namespace nss_test { + +static const uint8_t kIv[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, + 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; +static const uint8_t kInput[] = { + 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00, 0xff, 0xee, 0xdd, 0xcc, + 0xbb, 0xaa, 0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00}; + +class EncryptDeriveTest + : public ::testing::Test, + public ::testing::WithParamInterface { + public: + void TestEncryptDerive() { + ScopedPK11SymKey derived_key(PK11_Derive(key_.get(), derive_mech(), + derive_param(), encrypt_mech(), + CKA_DECRYPT, keysize())); + ASSERT_TRUE(derived_key); + + uint8_t derived_key_data[MAX_KEY_SIZE]; + ASSERT_GE(sizeof(derived_key_data), keysize()); + GetKeyData(derived_key, derived_key_data, keysize()); + RemoveChecksum(derived_key_data); + + uint8_t reference_key_data[MAX_KEY_SIZE]; + unsigned int reference_len = 0; + SECStatus rv = PK11_Encrypt(key_.get(), encrypt_mech(), encrypt_param(), + reference_key_data, &reference_len, keysize(), + kInput, keysize()); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(keysize(), static_cast(reference_len)); + RemoveChecksum(reference_key_data); + + EXPECT_EQ(DataBuffer(reference_key_data, keysize()), + DataBuffer(derived_key_data, keysize())); + } + + protected: + unsigned int keysize() const { return 16; } + + private: + CK_MECHANISM_TYPE encrypt_mech() const { return GetParam(); } + + CK_MECHANISM_TYPE derive_mech() const { + switch (encrypt_mech()) { + 
case CKM_DES3_ECB: + return CKM_DES3_ECB_ENCRYPT_DATA; + case CKM_DES3_CBC: + return CKM_DES3_CBC_ENCRYPT_DATA; + case CKM_AES_ECB: + return CKM_AES_ECB_ENCRYPT_DATA; + case CKM_AES_CBC: + return CKM_AES_CBC_ENCRYPT_DATA; + case CKM_CAMELLIA_ECB: + return CKM_CAMELLIA_ECB_ENCRYPT_DATA; + case CKM_CAMELLIA_CBC: + return CKM_CAMELLIA_CBC_ENCRYPT_DATA; + case CKM_SEED_ECB: + return CKM_SEED_ECB_ENCRYPT_DATA; + case CKM_SEED_CBC: + return CKM_SEED_CBC_ENCRYPT_DATA; + default: + ADD_FAILURE() << "Unknown mechanism"; + break; + } + return CKM_INVALID_MECHANISM; + } + + SECItem* derive_param() const { + static CK_AES_CBC_ENCRYPT_DATA_PARAMS aes_data; + static CK_DES_CBC_ENCRYPT_DATA_PARAMS des_data; + static CK_KEY_DERIVATION_STRING_DATA string_data; + static SECItem param = {siBuffer, NULL, 0}; + + switch (encrypt_mech()) { + case CKM_DES3_ECB: + case CKM_AES_ECB: + case CKM_CAMELLIA_ECB: + case CKM_SEED_ECB: + string_data.pData = toUcharPtr(kInput); + string_data.ulLen = keysize(); + param.data = reinterpret_cast(&string_data); + param.len = sizeof(string_data); + break; + + case CKM_DES3_CBC: + des_data.pData = toUcharPtr(kInput); + des_data.length = keysize(); + PORT_Memcpy(des_data.iv, kIv, 8); + param.data = reinterpret_cast(&des_data); + param.len = sizeof(des_data); + break; + + case CKM_AES_CBC: + case CKM_CAMELLIA_CBC: + case CKM_SEED_CBC: + aes_data.pData = toUcharPtr(kInput); + aes_data.length = keysize(); + PORT_Memcpy(aes_data.iv, kIv, keysize()); + param.data = reinterpret_cast(&aes_data); + param.len = sizeof(aes_data); + break; + + default: + ADD_FAILURE() << "Unknown mechanism"; + break; + } + return ¶m; + } + + SECItem* encrypt_param() const { + static SECItem param = {siBuffer, NULL, 0}; + + switch (encrypt_mech()) { + case CKM_DES3_ECB: + case CKM_AES_ECB: + case CKM_CAMELLIA_ECB: + case CKM_SEED_ECB: + // No parameter needed here. 
+ break; + + case CKM_DES3_CBC: + case CKM_AES_CBC: + case CKM_CAMELLIA_CBC: + case CKM_SEED_CBC: + param.data = toUcharPtr(kIv); + param.len = keysize(); + break; + + default: + ADD_FAILURE() << "Unknown mechanism"; + break; + } + return ¶m; + } + + virtual void SetUp() { + slot_.reset(PK11_GetBestSlot(derive_mech(), NULL)); + ASSERT_TRUE(slot_); + + key_.reset(PK11_TokenKeyGenWithFlags(slot_.get(), encrypt_mech(), NULL, + keysize(), NULL, + CKF_ENCRYPT | CKF_DERIVE, 0, NULL)); + ASSERT_TRUE(key_); + } + + void GetKeyData(ScopedPK11SymKey& key, uint8_t* buf, size_t max_len) const { + ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(key.get())); + SECItem* data = PK11_GetKeyData(key.get()); + ASSERT_TRUE(data); + ASSERT_EQ(max_len, static_cast(data->len)); + PORT_Memcpy(buf, data->data, data->len); + } + + // Remove checksum if the key is a 3DES key. + void RemoveChecksum(uint8_t* key_data) const { + if (encrypt_mech() != CKM_DES3_CBC && encrypt_mech() != CKM_DES3_ECB) { + return; + } + for (size_t i = 0; i < keysize(); ++i) { + key_data[i] &= 0xfe; + } + } + + ScopedPK11SlotInfo slot_; + ScopedPK11SymKey key_; +}; + +TEST_P(EncryptDeriveTest, Test) { TestEncryptDerive(); } + +static const CK_MECHANISM_TYPE kEncryptDeriveMechanisms[] = { + CKM_DES3_ECB, CKM_DES3_CBC, CKM_AES_ECB, CKM_AES_ECB, CKM_AES_CBC, + CKM_CAMELLIA_ECB, CKM_CAMELLIA_CBC, CKM_SEED_ECB, CKM_SEED_CBC}; + +INSTANTIATE_TEST_CASE_P(EncryptDeriveTests, EncryptDeriveTest, + ::testing::ValuesIn(kEncryptDeriveMechanisms)); + +// This class handles the case where 3DES takes a 192-bit key +// where all 24 octets will be used. 
+class EncryptDerive3Test : public EncryptDeriveTest { + protected: + unsigned int keysize() const { return 24; } +}; + +TEST_P(EncryptDerive3Test, Test) { TestEncryptDerive(); } + +static const CK_MECHANISM_TYPE kDES3EncryptDeriveMechanisms[] = {CKM_DES3_ECB, + CKM_DES3_CBC}; + +INSTANTIATE_TEST_CASE_P(Encrypt3DeriveTests, EncryptDerive3Test, + ::testing::ValuesIn(kDES3EncryptDeriveMechanisms)); + +} // namespace nss_test diff --git a/gtests/pk11_gtest/pk11_gtest.gyp b/gtests/pk11_gtest/pk11_gtest.gyp index c47ff47785..076b4d37ff 100644 --- a/gtests/pk11_gtest/pk11_gtest.gyp +++ b/gtests/pk11_gtest/pk11_gtest.gyp @@ -16,6 +16,7 @@ 'pk11_chacha20poly1305_unittest.cc', 'pk11_curve25519_unittest.cc', 'pk11_ecdsa_unittest.cc', + 'pk11_encrypt_derive_unittest.cc', 'pk11_pbkdf2_unittest.cc', 'pk11_prf_unittest.cc', 'pk11_prng_unittest.cc', @@ -26,6 +27,7 @@ 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', '<(DEPTH)/lib/util/util.gyp:nssutil3', + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', '<(DEPTH)/gtests/google_test/google_test.gyp:gtest', ], 'conditions': [ diff --git a/gtests/pk11_gtest/pk11_rsapss_unittest.cc b/gtests/pk11_gtest/pk11_rsapss_unittest.cc index 012bae0e9e..6c8c5ab4e9 100644 --- a/gtests/pk11_gtest/pk11_rsapss_unittest.cc +++ b/gtests/pk11_gtest/pk11_rsapss_unittest.cc @@ -12,14 +12,14 @@ #include "gtest/gtest.h" #include "scoped_ptrs.h" -#include "pk11_rsapss_vectors.h" #include "pk11_signature_test.h" +#include "pk11_rsapss_vectors.h" namespace nss_test { -class Pkcs11RsaPssVectorTest : public Pk11SignatureTest { +class Pkcs11RsaPssTest : public Pk11SignatureTest { public: - Pkcs11RsaPssVectorTest() { + Pkcs11RsaPssTest() : Pk11SignatureTest(CKM_RSA_PKCS_PSS, SEC_OID_SHA1) { rsaPssParams_.hashAlg = CKM_SHA_1; rsaPssParams_.mgf = CKG_MGF1_SHA1; rsaPssParams_.sLen = HASH_ResultLenByOidTag(SEC_OID_SHA1); 
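Review bot: `keysize()` in EncryptDeriveTest is not virtual, so `EncryptDerive3Test::keysize()` merely hides it and TestEncryptDerive, derive_param, encrypt_param and SetUp all keep using 16; the 192-bit 3DES cases instantiated below therefore exercise a 16-byte key, not the 24-octet key the class comment promises. Declare the base as `virtual unsigned int keysize() const { return 16; }` and the derived one as `unsigned int keysize() const override { return 24; }`. kEncryptDeriveMechanisms also lists `CKM_AES_ECB` twice, which runs that case twice and may be hiding a mechanism that was meant to be listed instead. In encrypt_param the CBC IV length is tied to `keysize()` rather than the cipher's block size (8 for DES3, 16 for AES/Camellia/SEED), which appears to work today only because keysize() is 16; once the override above takes effect, `param.len = keysize();` would hand the DES3-CBC mechanism a 24-byte IV, so the IV length should be derived from the mechanism, as derive_param already does for `des_data.iv`. `#define MAX_KEY_SIZE 24` could likewise be a `static const size_t kMaxKeySize = 24;` inside the namespace, matching the other constants in this file.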
@@ -30,16 +30,14 @@ class Pkcs11RsaPssVectorTest : public Pk11SignatureTest { } protected: - CK_MECHANISM_TYPE mechanism() { return CKM_RSA_PKCS_PSS; } - SECItem* parameters() { return ¶ms_; } - SECOidTag hashOID() { return SEC_OID_SHA1; } + const SECItem* parameters() const { return ¶ms_; } private: CK_RSA_PKCS_PSS_PARAMS rsaPssParams_; SECItem params_; }; -TEST_F(Pkcs11RsaPssVectorTest, GenerateAndSignAndVerify) { +TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) { // Sign data with a 1024-bit RSA key, using PSS/SHA-256. SECOidTag hashOid = SEC_OID_SHA256; CK_MECHANISM_TYPE hashMech = CKM_SHA256; 
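Review bot: The new `const SECItem* parameters() const { return &params_; }` carries no `override`; if Pk11SignatureTest declares `parameters()` virtual — its header is not in this hunk — writing `const SECItem* parameters() const override { return &params_; }` lets the compiler reject a signature mismatch with the base, which matters here because this commit changes the constness of that signature and silently hiding the base method would leave the PSS parameters unused. The enclosing class begins in the preceding hunk.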
@@ -95,105 +93,56 @@ TEST_F(Pkcs11RsaPssVectorTest, GenerateAndSignAndVerify) { EXPECT_EQ(rv, SECFailure); } -// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) { - SIG_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify1) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector1Pkcs8, kTestVector1Spki, - kTestVector1Data); -} +class Pkcs11RsaPssVectorTest + : public Pkcs11RsaPssTest, + public ::testing::WithParamInterface {}; -// RSA-PSS test vectors, pss-vect.txt, Example 2.1: A 1025-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) { - SIG_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify2) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector2Pkcs8, kTestVector2Spki, - kTestVector2Data); -} +TEST_P(Pkcs11RsaPssVectorTest, Verify) { Verify(GetParam()); } -// RSA-PSS test vectors, pss-vect.txt, Example 3.1: A 1026-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature3) { - SIG_TEST_VECTOR_VERIFY(kTestVector3Spki, kTestVector3Data, kTestVector3Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify3) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector3Pkcs8, kTestVector3Spki, - kTestVector3Data); -} +TEST_P(Pkcs11RsaPssVectorTest, SignAndVerify) { SignAndVerify(GetParam()); } -// RSA-PSS test vectors, pss-vect.txt, Example 4.1: A 1027-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature4) { - SIG_TEST_VECTOR_VERIFY(kTestVector4Spki, kTestVector4Data, kTestVector4Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify4) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector4Pkcs8, kTestVector4Spki, - kTestVector4Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 5.1: A 1028-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature5) { - SIG_TEST_VECTOR_VERIFY(kTestVector5Spki, kTestVector5Data, 
kTestVector5Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify5) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector5Pkcs8, kTestVector5Spki, - kTestVector5Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 6.1: A 1029-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature6) { - SIG_TEST_VECTOR_VERIFY(kTestVector6Spki, kTestVector6Data, kTestVector6Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify6) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector6Pkcs8, kTestVector6Spki, - kTestVector6Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 7.1: A 1030-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature7) { - SIG_TEST_VECTOR_VERIFY(kTestVector7Spki, kTestVector7Data, kTestVector7Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify7) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector7Pkcs8, kTestVector7Spki, - kTestVector7Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 8.1: A 1031-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature8) { - SIG_TEST_VECTOR_VERIFY(kTestVector8Spki, kTestVector8Data, kTestVector8Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify8) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector8Pkcs8, kTestVector8Spki, - kTestVector8Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 9.1: A 1536-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature9) { - SIG_TEST_VECTOR_VERIFY(kTestVector9Spki, kTestVector9Data, kTestVector9Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify9) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector9Pkcs8, kTestVector9Spki, - kTestVector9Data); -} - -// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair -// -TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature10) { - SIG_TEST_VECTOR_VERIFY(kTestVector10Spki, kTestVector10Data, - kTestVector10Sig); -} -TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify10) { - SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector10Pkcs8, kTestVector10Spki, - kTestVector10Data); -} +#define 
VECTOR(pkcs8, spki, data, sig) \ + { \ + DataBuffer(pkcs8, sizeof(pkcs8)), DataBuffer(spki, sizeof(spki)), \ + DataBuffer(data, sizeof(data)), DataBuffer(sig, sizeof(sig)) \ + } +#define VECTOR_N(n) \ + VECTOR(kTestVector##n##Pkcs8, kTestVector##n##Spki, kTestVector##n##Data, \ + kTestVector##n##Sig) + +static const Pkcs11SignatureTestParams kRsaPssVectors[] = { + // RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair + // + VECTOR_N(1), + // RSA-PSS test vectors, pss-vect.txt, Example 2.1: A 1025-bit RSA Key Pair + // + VECTOR_N(2), + // RSA-PSS test vectors, pss-vect.txt, Example 3.1: A 1026-bit RSA Key Pair + // + VECTOR_N(3), + // RSA-PSS test vectors, pss-vect.txt, Example 4.1: A 1027-bit RSA Key Pair + // + VECTOR_N(4), + // RSA-PSS test vectors, pss-vect.txt, Example 5.1: A 1028-bit RSA Key Pair + // + VECTOR_N(5), + // RSA-PSS test vectors, pss-vect.txt, Example 6.1: A 1029-bit RSA Key Pair + // + VECTOR_N(6), + // RSA-PSS test vectors, pss-vect.txt, Example 7.1: A 1030-bit RSA Key Pair + // + VECTOR_N(7), + // RSA-PSS test vectors, pss-vect.txt, Example 8.1: A 1031-bit RSA Key Pair + // + VECTOR_N(8), + // RSA-PSS test vectors, pss-vect.txt, Example 9.1: A 1536-bit RSA Key Pair + // + VECTOR_N(9), + // RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair + // + VECTOR_N(10)}; + +INSTANTIATE_TEST_CASE_P(RsaPssSignVerify, Pkcs11RsaPssVectorTest, + ::testing::ValuesIn(kRsaPssVectors)); } // namespace nss_test diff --git a/gtests/pk11_gtest/pk11_signature_test.h b/gtests/pk11_gtest/pk11_signature_test.h index f09bc4fa35..b141043716 100644 --- a/gtests/pk11_gtest/pk11_signature_test.h +++ b/gtests/pk11_gtest/pk11_signature_test.h 
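Review bot: kRsaPssVectors drives only positive checks: Verify() asserts that each reference signature verifies and SignAndVerify() asserts that a freshly produced signature verifies, so a verifier that accepted any input would pass the entire parameterized suite; the only negative check left is the hand-written one at the top of GenerateAndSignAndVerify. A per-vector negative case (flip one byte of `signature_`, or verify vector n against the key of vector n+1, expecting SECFailure) would close that gap, and it needs a Verify variant taking the expected SECStatus because the base fixture's Verify hard-codes EXPECT_EQ(rv, SECSuccess). Separately, VECTOR only works because every kTestVectorN* is a real array so sizeof() yields its byte length; a one-line comment on the macro, `// Arguments must be arrays, not pointers: sizeof() supplies the length.`, would stop a future pointer-typed vector from silently passing a pointer size.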
@@ -9,26 +9,37 @@
 #include "cpputil.h"
 #include "scoped_ptrs.h"
+#include "databuffer.h"
 #include "gtest/gtest.h"
 namespace nss_test {
+// For test vectors.
+struct Pkcs11SignatureTestParams {
+ const DataBuffer pkcs8_;
+ const DataBuffer spki_;
+ const DataBuffer data_;
+ const DataBuffer signature_;
+};
+
 class Pk11SignatureTest : public ::testing::Test {
 protected:
- virtual CK_MECHANISM_TYPE mechanism() = 0;
- virtual SECItem* parameters() = 0;
- virtual SECOidTag hashOID() = 0;
+ Pk11SignatureTest(CK_MECHANISM_TYPE mechanism, SECOidTag hash_oid)
+ : mechanism_(mechanism), hash_oid_(hash_oid) {}
- ScopedSECKEYPrivateKey ImportPrivateKey(const uint8_t* pkcs8,
- size_t pkcs8_len) {
+ virtual const SECItem* parameters() const { return nullptr; }
+ CK_MECHANISM_TYPE mechanism() const { return mechanism_; }
+
+ ScopedSECKEYPrivateKey ImportPrivateKey(const DataBuffer& pkcs8) {
 ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
 if (!slot) {
+ ADD_FAILURE() << "No slot";
 return nullptr;
 }
- SECItem pkcs8Item = {siBuffer, toUcharPtr(pkcs8),
- static_cast(pkcs8_len)};
+ SECItem pkcs8Item = {siBuffer, toUcharPtr(pkcs8.data()),
+ static_cast(pkcs8.len())};
 SECKEYPrivateKey* key = nullptr;
 SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
@@ -42,9 +53,9 @@ class Pk11SignatureTest : public ::testing::Test {
 return ScopedSECKEYPrivateKey(key);
 }
- ScopedSECKEYPublicKey ImportPublicKey(const uint8_t* spki, size_t spki_len) {
- SECItem spkiItem = {siBuffer, toUcharPtr(spki),
- static_cast(spki_len)};
+ ScopedSECKEYPublicKey ImportPublicKey(const DataBuffer& spki) {
+ SECItem spkiItem = {siBuffer, toUcharPtr(spki.data()),
+ static_cast(spki.len())};
 ScopedCERTSubjectPublicKeyInfo certSpki(
 SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
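Review bot: The new Pkcs11SignatureTestParams struct is documented only as `// For test vectors.`, yet it is the row type every signature test table is built from, so a reader has to reverse-engineer what encoding each DataBuffer holds from the fixture code. Suggest replacing that line with a short block comment stating that pkcs8_ is the DER PKCS#8 private key, spki_ the DER SubjectPublicKeyInfo of the matching public key, data_ the raw message (the fixture hashes it before signing or verifying), and signature_ the expected signature over data_ with that key. The members are const, which is what makes the static vector tables safe to share between test instances; worth a word in the same comment. Pk11SignatureTest itself continues into the following hunks.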
@@ -52,87 +63,74 @@ class Pk11SignatureTest : public ::testing::Test {
 return ScopedSECKEYPublicKey(SECKEY_ExtractPublicKey(certSpki.get()));
 }
- ScopedSECItem ComputeHash(const uint8_t* data, size_t len) {
- unsigned int hLen = HASH_ResultLenByOidTag(hashOID());
- ScopedSECItem hash(SECITEM_AllocItem(nullptr, nullptr, hLen));
- if (!hash) {
- return nullptr;
- }
-
- SECStatus rv = PK11_HashBuf(hashOID(), hash->data, data, len);
- if (rv != SECSuccess) {
- return nullptr;
- }
-
- return hash;
+ bool ComputeHash(const DataBuffer& data, DataBuffer* hash) {
+ hash->Allocate(static_cast(HASH_ResultLenByOidTag(hash_oid_)));
+ SECStatus rv =
+ PK11_HashBuf(hash_oid_, hash->data(), data.data(), data.len());
+ return rv == SECSuccess;
 }
- ScopedSECItem SignHashedData(ScopedSECKEYPrivateKey& privKey,
- ScopedSECItem& hash) {
- unsigned int sLen = PK11_SignatureLen(privKey.get());
- ScopedSECItem sig(SECITEM_AllocItem(nullptr, nullptr, sLen));
- if (!sig) {
- return nullptr;
- }
-
- SECStatus rv = PK11_SignWithMechanism(privKey.get(), mechanism(),
- parameters(), sig.get(), hash.get());
- if (rv != SECSuccess) {
- return nullptr;
- }
-
- return sig;
+ bool SignHashedData(ScopedSECKEYPrivateKey& privKey, const DataBuffer& hash,
+ DataBuffer* sig) {
+ SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
+ static_cast(hash.len())};
+ int sigLen = PK11_SignatureLen(privKey.get());
+ EXPECT_LT(0, sigLen);
+ sig->Allocate(static_cast(sigLen));
+ SECItem sigItem = {siBuffer, toUcharPtr(sig->data()),
+ static_cast(sig->len())};
+ SECStatus rv = PK11_SignWithMechanism(privKey.get(), mechanism_,
+ parameters(), &sigItem, &hashItem);
+ return rv == SECSuccess;
 }
- ScopedSECItem ImportPrivateKeyAndSignHashedData(const uint8_t* pkcs8,
- size_t pkcs8_len,
- const uint8_t* data,
- size_t data_len) {
- ScopedSECKEYPrivateKey privKey(ImportPrivateKey(pkcs8, pkcs8_len));
+ bool ImportPrivateKeyAndSignHashedData(const DataBuffer& pkcs8,
+ const DataBuffer& data,
+ DataBuffer* sig) {
+
ScopedSECKEYPrivateKey privKey(ImportPrivateKey(pkcs8));
 if (!privKey) {
- return nullptr;
+ return false;
 }
- ScopedSECItem hash(ComputeHash(data, data_len));
- if (!hash) {
- return nullptr;
+ DataBuffer hash;
+ if (!ComputeHash(data, &hash)) {
+ ADD_FAILURE() << "Failed to compute hash";
+ return false;
 }
-
- return ScopedSECItem(SignHashedData(privKey, hash));
+ return SignHashedData(privKey, hash, sig);
 }
- void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
- size_t data_len, const uint8_t* sig, size_t sig_len) {
- ScopedSECKEYPublicKey pubKey(ImportPublicKey(spki, spki_len));
+ void Verify(const Pkcs11SignatureTestParams& params, const DataBuffer& sig) {
+ ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_));
 ASSERT_TRUE(pubKey);
- ScopedSECItem hash(ComputeHash(data, data_len));
- ASSERT_TRUE(hash);
-
- SECItem sigItem = {siBuffer, toUcharPtr(sig),
- static_cast(sig_len)};
+ DataBuffer hash;
+ ASSERT_TRUE(ComputeHash(params.data_, &hash));
 // Verify.
+ SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
+ static_cast(hash.len())};
+ SECItem sigItem = {siBuffer, toUcharPtr(sig.data()),
+ static_cast(sig.len())};
 SECStatus rv = PK11_VerifyWithMechanism(
- pubKey.get(), mechanism(), parameters(), &sigItem, hash.get(), nullptr);
+ pubKey.get(), mechanism_, parameters(), &sigItem, &hashItem, nullptr);
 EXPECT_EQ(rv, SECSuccess);
 }
- void SignAndVerify(const uint8_t* pkcs8, size_t pkcs8_len,
- const uint8_t* spki, size_t spki_len, const uint8_t* data,
- size_t data_len) {
- ScopedSECItem sig(
- ImportPrivateKeyAndSignHashedData(pkcs8, pkcs8_len, data, data_len));
- ASSERT_TRUE(sig);
-
- Verify(spki, spki_len, data, data_len, sig->data, sig->len);
+ void Verify(const Pkcs11SignatureTestParams& params) {
+ Verify(params, params.signature_);
 }
-};
-#define SIG_TEST_VECTOR_VERIFY(spki, data, sig) \
- Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig))
+ void SignAndVerify(const Pkcs11SignatureTestParams& params) {
+ DataBuffer
sig;
+ ASSERT_TRUE(
+ ImportPrivateKeyAndSignHashedData(params.pkcs8_, params.data_, &sig));
+ Verify(params, sig);
+ }
-#define SIG_TEST_VECTOR_SIGN_VERIFY(pkcs8, spki, data) \
- SignAndVerify(pkcs8, sizeof(pkcs8), spki, sizeof(spki), data, sizeof(data))
+ private:
+ CK_MECHANISM_TYPE mechanism_;
+ SECOidTag hash_oid_;
+};
 } // namespace nss_test
diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc
index 23def67201..9b9927a741 100644
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,5 +1,7 @@
 #include
+#include "cert.h"
+#include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
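Review bot: SignHashedData keeps going when PK11_SignatureLen() reports a non-positive length: `EXPECT_LT(0, sigLen)` only records a failure, after which a zero or negative sigLen is cast to size_t for `sig->Allocate(...)` and the resulting buffer is handed to PK11_SignWithMechanism. Replace the EXPECT with an early exit, `if (sigLen <= 0) { ADD_FAILURE() << "PK11_SignatureLen failed"; return false; }`, so a bad key fails the test cleanly instead of through whatever Allocate does with a huge size. ComputeHash has the same shape in miniature: if HASH_ResultLenByOidTag() returned 0 for an unsupported OID the digest would be zero-length rather than an error, so a `if (hash->len() == 0) return false;` guard after Allocate is worth adding (hedged: depends on how DataBuffer::Allocate treats 0, which is not visible here). Pk11SignatureTest begins in the earlier hunks of this file.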
@@ -200,6 +202,110 @@ TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) { EXPECT_NE(nullptr, obj); } +// This is just any X509 certificate. Its contents don't matter. +static unsigned char certDER[] = { + 0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x49, 0xC4, 0xC4, 0x4A, 0xB6, 0x86, 0x07, 0xA3, 0x06, + 0xDC, 0x4D, 0xC8, 0xC3, 0xFE, 0xC7, 0x21, 0x3A, 0x2D, 0xE4, 0xDA, 0x30, + 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, + 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, + 0x35, 0x31, 0x31, 0x32, 0x38, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, + 0x18, 0x0F, 0x32, 0x30, 0x31, 0x38, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0C, 0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, + 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBA, 0x88, 0x51, 0xA8, 0x44, + 0x8E, 0x16, 0xD6, 0x41, 0xFD, 0x6E, 0xB6, 0x88, 0x06, 0x36, 0x10, 0x3D, + 0x3C, 0x13, 0xD9, 0xEA, 0xE4, 0x35, 0x4A, 0xB4, 0xEC, 0xF5, 0x68, 0x57, + 0x6C, 0x24, 0x7B, 0xC1, 0xC7, 0x25, 0xA8, 0xE0, 0xD8, 0x1F, 0xBD, 0xB1, + 0x9C, 0x06, 0x9B, 0x6E, 0x1A, 0x86, 0xF2, 0x6B, 0xE2, 0xAF, 0x5A, 0x75, + 0x6B, 0x6A, 0x64, 0x71, 0x08, 0x7A, 0xA5, 0x5A, 0xA7, 0x45, 0x87, 0xF7, + 0x1C, 0xD5, 0x24, 0x9C, 0x02, 0x7E, 0xCD, 0x43, 0xFC, 0x1E, 0x69, 0xD0, + 0x38, 0x20, 0x29, 0x93, 0xAB, 0x20, 0xC3, 0x49, 0xE4, 0xDB, 0xB9, 0x4C, + 0xC2, 0x6B, 0x6C, 0x0E, 0xED, 0x15, 0x82, 0x0F, 0xF1, 0x7E, 0xAD, 0x69, + 0x1A, 0xB1, 0xD3, 0x02, 0x3A, 0x8B, 0x2A, 0x41, 0xEE, 0xA7, 0x70, 0xE0, + 0x0F, 0x0D, 0x8D, 0xFD, 0x66, 0x0B, 0x2B, 0xB0, 0x24, 0x92, 0xA4, 0x7D, + 0xB9, 0x88, 0x61, 0x79, 0x90, 0xB1, 0x57, 0x90, 0x3D, 0xD2, 0x3B, 0xC5, + 0xE0, 0xB8, 
0x48, 0x1F, 0xA8, 0x37, 0xD3, 0x88, 0x43, 0xEF, 0x27, 0x16, + 0xD8, 0x55, 0xB7, 0x66, 0x5A, 0xAA, 0x7E, 0x02, 0x90, 0x2F, 0x3A, 0x7B, + 0x10, 0x80, 0x06, 0x24, 0xCC, 0x1C, 0x6C, 0x97, 0xAD, 0x96, 0x61, 0x5B, + 0xB7, 0xE2, 0x96, 0x12, 0xC0, 0x75, 0x31, 0xA3, 0x0C, 0x91, 0xDD, 0xB4, + 0xCA, 0xF7, 0xFC, 0xAD, 0x1D, 0x25, 0xD3, 0x09, 0xEF, 0xB9, 0x17, 0x0E, + 0xA7, 0x68, 0xE1, 0xB3, 0x7B, 0x2F, 0x22, 0x6F, 0x69, 0xE3, 0xB4, 0x8A, + 0x95, 0x61, 0x1D, 0xEE, 0x26, 0xD6, 0x25, 0x9D, 0xAB, 0x91, 0x08, 0x4E, + 0x36, 0xCB, 0x1C, 0x24, 0x04, 0x2C, 0xBF, 0x16, 0x8B, 0x2F, 0xE5, 0xF1, + 0x8F, 0x99, 0x17, 0x31, 0xB8, 0xB3, 0xFE, 0x49, 0x23, 0xFA, 0x72, 0x51, + 0xC4, 0x31, 0xD5, 0x03, 0xAC, 0xDA, 0x18, 0x0A, 0x35, 0xED, 0x8D, 0x02, + 0x03, 0x01, 0x00, 0x01, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, + 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, + 0x5C, 0x75, 0x51, 0x9F, 0x13, 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, + 0xA3, 0xBC, 0x06, 0x30, 0x91, 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, + 0xEC, 0xFD, 0xCB, 0x42, 0x80, 0x0A, 0x70, 0xE6, 0x02, 0x21, 0x00, 0x82, + 0x12, 0xF7, 0xE5, 0xEA, 0x40, 0x27, 0xFD, 0xF7, 0xC0, 0x0E, 0x25, 0xF3, + 0x3E, 0x34, 0x95, 0x80, 0xB9, 0xA3, 0x38, 0xE0, 0x56, 0x68, 0xDA, 0xE5, + 0xC1, 0xF5, 0x37, 0xC7, 0xB5, 0xCE, 0x0D}; + +struct PasswordPair { + const char *mInitialPassword; + const char *mSecondPassword; +}; + +class SoftokenPasswordChangeTest + : public SoftokenTest, + public ::testing::WithParamInterface {}; + +TEST_P(SoftokenPasswordChangeTest, KeepTrustAfterPasswordChange) { + const PasswordPair &passwords = GetParam(); + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + // Set a password. + EXPECT_EQ(SECSuccess, + PK11_InitPin(slot.get(), nullptr, passwords.mInitialPassword)); + SECItem certDERItem = {siBuffer, certDER, sizeof(certDER)}; + // Import a certificate. 
+ ScopedCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &certDERItem, nullptr, true, true));
+ EXPECT_TRUE(cert);
+ SECStatus result =
+ PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, "test", false);
+ EXPECT_EQ(SECSuccess, result);
+ // Set a trust value.
+ CERTCertTrust trust = {CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA |
+ CERTDB_TRUSTED_CA | CERTDB_VALID_CA,
+ 0, 0};
+ result = CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
+ EXPECT_EQ(SECSuccess, result);
+ // Release the certificate to ensure we get it from the DB rather than an
+ // in-memory cache, below.
+ cert = nullptr;
+ // Change the password.
+ result = PK11_ChangePW(slot.get(), passwords.mInitialPassword,
+ passwords.mSecondPassword);
+ EXPECT_EQ(SECSuccess, result);
+ // Look up the certificate again.
+ ScopedCERTCertificate newCert(
+ PK11_FindCertFromDERCertItem(slot.get(), &certDERItem, nullptr));
+ EXPECT_TRUE(newCert.get());
+ // The trust should be the same as before.
+ CERTCertTrust newTrust = {0, 0, 0};
+ result = CERT_GetCertTrust(newCert.get(), &newTrust);
+ EXPECT_EQ(SECSuccess, result);
+ EXPECT_EQ(trust.sslFlags, newTrust.sslFlags);
+ EXPECT_EQ(trust.emailFlags, newTrust.emailFlags);
+ EXPECT_EQ(trust.objectSigningFlags, newTrust.objectSigningFlags);
+}
+
+static const PasswordPair PASSWORD_CHANGE_TESTS[] = {
+ {"password", ""}, // non-empty to empty password
+ {"", "password"}, // empty to non-empty password
+ {"password", "password2"}, // non-empty to non-empty password
+};
+
+INSTANTIATE_TEST_CASE_P(SoftokenPasswordChangeTests, SoftokenPasswordChangeTest,
+ ::testing::ValuesIn(PASSWORD_CHANGE_TESTS));
+
 class SoftokenNoDBTest : public ::testing::Test {};
 TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
index f724e027f7..34892f9e7b 100644
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
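Review bot: `EXPECT_TRUE(cert)` and `EXPECT_TRUE(newCert.get())` in KeepTrustAfterPasswordChange do not stop the test, so a failed CERT_NewTempCertificate or PK11_FindCertFromDERCertItem flows straight into PK11_ImportCert, CERT_ChangeCertTrust and CERT_GetCertTrust with a null certificate instead of producing a clean failure; make both `ASSERT_TRUE(cert);` and `ASSERT_TRUE(newCert.get());`. The test also checks only that the trust flags survive PK11_ChangePW; it never confirms that the slot actually rotated to mSecondPassword (that the old password no longer unlocks it and the new one does), which is the other property a password change must have and is exactly what the empty-to-non-empty and non-empty-to-empty rows are there to exercise. A follow-up case asserting that would make the three password pairs meaningful beyond trust persistence. The SoftokenTest fixture that creates the database is outside the hunk.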
@@ -29,7 +29,25 @@ TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
 }
 TEST_P(TlsConnectGeneric, ServerAuthRsaChain) {
- Reset(TlsAgent::kServerRsaChain);
+ Reset("rsa_chain");
+ Connect();
+ CheckKeys();
+ size_t chain_length;
+ EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
+ EXPECT_EQ(2UL, chain_length);
+}
+
+TEST_P(TlsConnectGeneric, ServerAuthRsaPssChain) {
+ Reset("rsa_pss_chain");
+ Connect();
+ CheckKeys();
+ size_t chain_length;
+ EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
+ EXPECT_EQ(2UL, chain_length);
+}
+
+TEST_P(TlsConnectGeneric, ServerAuthRsaCARsaPssChain) {
+ Reset("rsa_ca_rsa_pss_chain");
 Connect();
 CheckKeys();
 size_t chain_length;
diff --git a/gtests/ssl_gtest/ssl_gtest.cc b/gtests/ssl_gtest/ssl_gtest.cc
index cd10076b8d..2fff9d7cbb 100644
--- a/gtests/ssl_gtest/ssl_gtest.cc
+++ b/gtests/ssl_gtest/ssl_gtest.cc
@@ -6,6 +6,7 @@
 #include
 #include "test_io.h"
+#include "databuffer.h"
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
@@ -28,6 +29,7 @@ int main(int argc, char** argv) {
 ++i;
 } else if (!strcmp(argv[i], "-v")) {
 g_ssl_gtest_verbose = true;
+ nss_test::DataBuffer::SetLogLimit(16384);
 }
 }
diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
index 94350fe967..de19b16837 100644
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -36,7 +36,6 @@ const std::string TlsAgent::kServerRsa = "rsa"; // both sign and encrypt
 const std::string TlsAgent::kServerRsaSign = "rsa_sign";
 const std::string TlsAgent::kServerRsaPss = "rsa_pss";
 const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt";
-const std::string TlsAgent::kServerRsaChain = "rsa_chain";
 const std::string TlsAgent::kServerEcdsa256 = "ecdsa256";
 const std::string TlsAgent::kServerEcdsa384 = "ecdsa384";
 const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
diff --git a/gtests/ssl_gtest/tls_agent.h b/gtests/ssl_gtest/tls_agent.h
index 80191d4c7f..dbe2f7f67e 100644
--- a/gtests/ssl_gtest/tls_agent.h
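Review bot: The three chain tests now pick the server identity by bare string (`Reset("rsa_chain")`, `Reset("rsa_pss_chain")`, `Reset("rsa_ca_rsa_pss_chain")`) while every other server identity in tls_agent.cc keeps a named TlsAgent constant, so a typo in one of these literals is caught only when the lookup fails at runtime, and a reader cannot tell from the test which leaf/CA key types each chain has. Either keep one constant per chain alongside kServerRsaPss and friends, or put a one-line comment on each Reset() saying what the name selects, e.g. `// rsa_ca_rsa_pss_chain: presumably an RSA-PSS leaf under an RSA CA (going by the name; confirm against the test database)`, so the `EXPECT_EQ(2UL, chain_length)` below it is readable. The body of ServerAuthRsaCARsaPssChain continues past the end of the hunk.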
+++ b/gtests/ssl_gtest/tls_agent.h
@@ -66,7 +66,6 @@ class TlsAgent : public PollTarget {
 static const std::string kServerRsaSign;
 static const std::string kServerRsaPss;
 static const std::string kServerRsaDecrypt;
- static const std::string kServerRsaChain; // A cert that requires a chain.
 static const std::string kServerEcdsa256;
 static const std::string kServerEcdsa384;
 static const std::string kServerEcdsa521;
diff --git a/gtests/ssl_gtest/tls_filter.h b/gtests/ssl_gtest/tls_filter.h
index 93e00e869d..251c0798b4 100644
--- a/gtests/ssl_gtest/tls_filter.h
+++ b/gtests/ssl_gtest/tls_filter.h
@@ -292,10 +292,10 @@ class TlsHeaderRecorder : public TlsRecordFilter {
 std::vector headers_;
 };
-// Runs multiple packet filters in series.
 typedef std::initializer_list> ChainedPacketFilterInit;
+// Runs multiple packet filters in series.
 class ChainedPacketFilter : public PacketFilter {
 public:
 ChainedPacketFilter() {}
diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c
index 7864edc08e..1a676a7207 100644
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1192,6 +1192,7 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
 case rsaKey:
 requiredUsage |= KU_KEY_ENCIPHERMENT;
 break;
+ case rsaPssKey:
 case dsaKey:
 requiredUsage |= KU_DIGITAL_SIGNATURE;
 break;
diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
index 45b659b7aa..d7e6da6aa1 100644
--- a/lib/ckfw/builtins/certdata.txt
+++ b/lib/ckfw/builtins/certdata.txt
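Review bot: The new `case rsaPssKey:` in CERT_CheckKeyUsage falls into the dsaKey branch without a comment, yet the asymmetry it creates is the whole security point of the change: a plain rsaKey is also held to KU_KEY_ENCIPHERMENT, while a PSS key is held only to KU_DIGITAL_SIGNATURE. State it where the next reader will look, above the label: `/* RSASSA-PSS keys are signature-only (RFC 4055, section 3.1); unlike plain RSA, keyEncipherment must not be demanded of them. */`. The rest of the switch, including its default and how the key type is derived from the certificate, lies outside the hunk, so whether a PSS certificate can still reach the rsaKey branch through some other classification cannot be judged from here.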
@@ -2312,125 +2312,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "Certum Root CA" -# -# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL -# Serial Number: 65568 (0x10020) -# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL -# Not Valid Before: Tue Jun 11 10:46:39 2002 -# Not Valid After : Fri Jun 11 10:46:39 2027 -# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9 -# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum Root CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061 -\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164 -\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020 -\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061 -\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164 -\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020 -\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\003\001\000\040 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\014\060\202\001\364\240\003\002\001\002\002\003\001 -\000\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005 -\000\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114 -\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145 -\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060 -\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103 -\101\060\036\027\015\060\062\060\066\061\061\061\060\064\066\063 
-\071\132\027\015\062\067\060\066\061\061\061\060\064\066\063\071 -\132\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114 -\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145 -\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060 -\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103 -\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001 -\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001 -\001\000\316\261\301\056\323\117\174\315\045\316\030\076\117\304 -\214\157\200\152\163\310\133\121\370\233\322\334\273\000\134\261 -\240\374\165\003\356\201\360\210\356\043\122\351\346\025\063\215 -\254\055\011\305\166\371\053\071\200\211\344\227\113\220\245\250 -\170\370\163\103\173\244\141\260\330\130\314\341\154\146\176\234 -\363\011\136\125\143\204\325\250\357\363\261\056\060\150\263\304 -\074\330\254\156\215\231\132\220\116\064\334\066\232\217\201\210 -\120\267\155\226\102\011\363\327\225\203\015\101\113\260\152\153 -\370\374\017\176\142\237\147\304\355\046\137\020\046\017\010\117 -\360\244\127\050\316\217\270\355\105\366\156\356\045\135\252\156 -\071\276\344\223\057\331\107\240\162\353\372\246\133\257\312\123 -\077\342\016\306\226\126\021\156\367\351\146\251\046\330\177\225 -\123\355\012\205\210\272\117\051\245\102\214\136\266\374\205\040 -\000\252\150\013\241\032\205\001\234\304\106\143\202\210\266\042 -\261\356\376\252\106\131\176\317\065\054\325\266\332\135\367\110 -\063\024\124\266\353\331\157\316\315\210\326\253\033\332\226\073 -\035\131\002\003\001\000\001\243\023\060\021\060\017\006\003\125 -\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011 -\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000 -\270\215\316\357\347\024\272\317\356\260\104\222\154\264\071\076 -\242\204\156\255\270\041\167\322\324\167\202\207\346\040\101\201 -\356\342\370\021\267\143\321\027\067\276\031\166\044\034\004\032 -\114\353\075\252\147\157\055\324\315\376\145\061\160\305\033\246 
-\002\012\272\140\173\155\130\302\232\111\376\143\062\013\153\343 -\072\300\254\253\073\260\350\323\011\121\214\020\203\306\064\340 -\305\053\340\032\266\140\024\047\154\062\167\214\274\262\162\230 -\317\315\314\077\271\310\044\102\024\326\127\374\346\046\103\251 -\035\345\200\220\316\003\124\050\076\367\077\323\370\115\355\152 -\012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171 -\345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323 -\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161 -\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122 -\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151 -\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054 -\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "Certum Root CA" -# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL -# Serial Number: 65568 (0x10020) -# Subject: CN=Certum CA,O=Unizeto Sp. 
z o.o.,C=PL -# Not Valid Before: Tue Jun 11 10:46:39 2002 -# Not Valid After : Fri Jun 11 10:46:39 2027 -# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9 -# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum Root CA" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102 -\121\261\201\030 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251 -END -CKA_ISSUER MULTILINE_OCTAL -\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061 -\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164 -\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020 -\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\003\001\000\040 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Comodo AAA Services root" # 
@@ -4292,213 +4173,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "StartCom Certification Authority" -# -# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Serial Number: 1 (0x1) -# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Not Valid Before: Sun Sep 17 19:46:36 2006 -# Not Valid After : Wed Sep 17 19:46:36 2036 -# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16 -# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 -\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\007\311\060\202\005\261\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026 -\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157 -\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023 -\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040 -\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156 -\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164 -\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141 -\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036 -\027\015\060\066\060\071\061\067\061\071\064\066\063\066\132\027 -\015\063\066\060\071\061\067\061\071\064\066\063\066\132\060\175 -\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026\060 -\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157\155 -\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023\042 -\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040\103 -\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156\151 -\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164\141 -\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202\002 -\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 -\003\202\002\017\000\060\202\002\012\002\202\002\001\000\301\210 -\333\011\274\154\106\174\170\237\225\173\265\063\220\362\162\142 -\326\301\066\040\042\044\136\316\351\167\362\103\012\242\006\144 -\244\314\216\066\370\070\346\043\360\156\155\261\074\335\162\243 -\205\034\241\323\075\264\063\053\323\057\257\376\352\260\101\131 -\147\266\304\006\175\012\236\164\205\326\171\114\200\067\172\337 
-\071\005\122\131\367\364\033\106\103\244\322\205\205\322\303\161 -\363\165\142\064\272\054\212\177\036\217\356\355\064\320\021\307 -\226\315\122\075\272\063\326\335\115\336\013\073\112\113\237\302 -\046\057\372\265\026\034\162\065\167\312\074\135\346\312\341\046 -\213\032\066\166\134\001\333\164\024\045\376\355\265\240\210\017 -\335\170\312\055\037\007\227\060\001\055\162\171\372\106\326\023 -\052\250\271\246\253\203\111\035\345\362\357\335\344\001\216\030 -\012\217\143\123\026\205\142\251\016\031\072\314\265\146\246\302 -\153\164\007\344\053\341\166\076\264\155\330\366\104\341\163\142 -\037\073\304\276\240\123\126\045\154\121\011\367\252\253\312\277 -\166\375\155\233\363\235\333\277\075\146\274\014\126\252\257\230 -\110\225\072\113\337\247\130\120\331\070\165\251\133\352\103\014 -\002\377\231\353\350\154\115\160\133\051\145\234\335\252\135\314 -\257\001\061\354\014\353\322\215\350\352\234\173\346\156\367\047 -\146\014\032\110\327\156\102\343\077\336\041\076\173\341\015\160 -\373\143\252\250\154\032\124\264\134\045\172\311\242\311\213\026 -\246\273\054\176\027\136\005\115\130\156\022\035\001\356\022\020 -\015\306\062\177\030\377\374\364\372\315\156\221\350\066\111\276 -\032\110\151\213\302\226\115\032\022\262\151\027\301\012\220\326 -\372\171\042\110\277\272\173\151\370\160\307\372\172\067\330\330 -\015\322\166\117\127\377\220\267\343\221\322\335\357\302\140\267 -\147\072\335\376\252\234\360\324\213\177\162\042\316\306\237\227 -\266\370\257\212\240\020\250\331\373\030\306\266\265\134\122\074 -\211\266\031\052\163\001\012\017\003\263\022\140\362\172\057\201 -\333\243\156\377\046\060\227\365\213\335\211\127\266\255\075\263 -\257\053\305\267\166\002\360\245\326\053\232\206\024\052\162\366 -\343\063\214\135\011\113\023\337\273\214\164\023\122\113\002\003 -\001\000\001\243\202\002\122\060\202\002\116\060\014\006\003\125 -\035\023\004\005\060\003\001\001\377\060\013\006\003\125\035\017 -\004\004\003\002\001\256\060\035\006\003\125\035\016\004\026\004 
-\024\116\013\357\032\244\100\133\245\027\151\207\060\312\064\150 -\103\320\101\256\362\060\144\006\003\125\035\037\004\135\060\133 -\060\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143 -\145\162\164\056\163\164\141\162\164\143\157\155\056\157\162\147 -\057\163\146\163\143\141\055\143\162\154\056\143\162\154\060\053 -\240\051\240\047\206\045\150\164\164\160\072\057\057\143\162\154 -\056\163\164\141\162\164\143\157\155\056\157\162\147\057\163\146 -\163\143\141\055\143\162\154\056\143\162\154\060\202\001\135\006 -\003\125\035\040\004\202\001\124\060\202\001\120\060\202\001\114 -\006\013\053\006\001\004\001\201\265\067\001\001\001\060\202\001 -\073\060\057\006\010\053\006\001\005\005\007\002\001\026\043\150 -\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162\164 -\143\157\155\056\157\162\147\057\160\157\154\151\143\171\056\160 -\144\146\060\065\006\010\053\006\001\005\005\007\002\001\026\051 -\150\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162 -\164\143\157\155\056\157\162\147\057\151\156\164\145\162\155\145 -\144\151\141\164\145\056\160\144\146\060\201\320\006\010\053\006 -\001\005\005\007\002\002\060\201\303\060\047\026\040\123\164\141 -\162\164\040\103\157\155\155\145\162\143\151\141\154\040\050\123 -\164\141\162\164\103\157\155\051\040\114\164\144\056\060\003\002 -\001\001\032\201\227\114\151\155\151\164\145\144\040\114\151\141 -\142\151\154\151\164\171\054\040\162\145\141\144\040\164\150\145 -\040\163\145\143\164\151\157\156\040\052\114\145\147\141\154\040 -\114\151\155\151\164\141\164\151\157\156\163\052\040\157\146\040 -\164\150\145\040\123\164\141\162\164\103\157\155\040\103\145\162 -\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157 -\162\151\164\171\040\120\157\154\151\143\171\040\141\166\141\151 -\154\141\142\154\145\040\141\164\040\150\164\164\160\072\057\057 -\143\145\162\164\056\163\164\141\162\164\143\157\155\056\157\162 -\147\057\160\157\154\151\143\171\056\160\144\146\060\021\006\011 
-\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060 -\070\006\011\140\206\110\001\206\370\102\001\015\004\053\026\051 -\123\164\141\162\164\103\157\155\040\106\162\145\145\040\123\123 -\114\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040 -\101\165\164\150\157\162\151\164\171\060\015\006\011\052\206\110 -\206\367\015\001\001\005\005\000\003\202\002\001\000\026\154\231 -\364\146\014\064\365\320\205\136\175\012\354\332\020\116\070\034 -\136\337\246\045\005\113\221\062\301\350\073\361\075\335\104\011 -\133\007\111\212\051\313\146\002\267\261\232\367\045\230\011\074 -\216\033\341\335\066\207\053\113\273\150\323\071\146\075\240\046 -\307\362\071\221\035\121\253\202\173\176\325\316\132\344\342\003 -\127\160\151\227\010\371\136\130\246\012\337\214\006\232\105\026 -\026\070\012\136\127\366\142\307\172\002\005\346\274\036\265\362 -\236\364\251\051\203\370\262\024\343\156\050\207\104\303\220\032 -\336\070\251\074\254\103\115\144\105\316\335\050\251\134\362\163 -\173\004\370\027\350\253\261\363\056\134\144\156\163\061\072\022 -\270\274\263\021\344\175\217\201\121\232\073\215\211\364\115\223 -\146\173\074\003\355\323\232\035\232\363\145\120\365\240\320\165 -\237\057\257\360\352\202\103\230\370\151\234\211\171\304\103\216 -\106\162\343\144\066\022\257\367\045\036\070\211\220\167\176\303 -\153\152\271\303\313\104\113\254\170\220\213\347\307\054\036\113 -\021\104\310\064\122\047\315\012\135\237\205\301\211\325\032\170 -\362\225\020\123\062\335\200\204\146\165\331\265\150\050\373\141 -\056\276\204\250\070\300\231\022\206\245\036\147\144\255\006\056 -\057\251\160\205\307\226\017\174\211\145\365\216\103\124\016\253 -\335\245\200\071\224\140\300\064\311\226\160\054\243\022\365\037 -\110\173\275\034\176\153\267\235\220\364\042\073\256\370\374\052 -\312\372\202\122\240\357\257\113\125\223\353\301\265\360\042\213 -\254\064\116\046\042\004\241\207\054\165\112\267\345\175\023\327 -\270\014\144\300\066\322\311\057\206\022\214\043\011\301\033\202 
-\073\163\111\243\152\127\207\224\345\326\170\305\231\103\143\343 -\115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001 -\126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225 -\272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354 -\165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204 -\103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241 -\064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060 -\152\263\364\210\034\200\015\374\162\212\350\203\136 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "StartCom Certification Authority" -# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Serial Number: 1 (0x1) -# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Not Valid Before: Sun Sep 17 19:46:36 2006 -# Not Valid After : Wed Sep 17 19:46:36 2036 -# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16 -# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\076\053\367\362\003\033\226\363\214\346\304\330\250\135\076\055 -\130\107\152\017 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\042\115\217\212\374\367\065\302\273\127\064\220\173\213\042\026 -END -CKA_ISSUER MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Taiwan GRCA" # 
@@ -8650,203 +8324,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" -# -# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR -# Serial Number: 17 (0x11) -# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR -# Not Valid Before: Fri Aug 24 11:37:07 2007 -# Not Valid After : Mon Aug 21 11:37:07 2017 -# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26 -# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "T\xc3\x9c\x42\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1 - S\xC3\xBCr\xC3\xBCm 3" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124 -\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172 -\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006 -\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102 -\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157 -\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155 -\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304 -\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125 
-\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153 -\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101 -\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151 -\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043 -\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145 -\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303 -\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303 -\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172 -\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261 -\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124 -\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172 -\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006 -\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102 -\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157 -\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155 -\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304 -\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125 -\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153 -\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101 -\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151 -\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043 -\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145 -\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303 -\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303 -\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172 -\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261 
-\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\021 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\027\060\202\003\377\240\003\002\001\002\002\001\021 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124\122 -\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172\145 -\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006\003 -\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102\151 -\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154 -\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155\141 -\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304\260 -\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125\154 -\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153\040 -\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101\162 -\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151\164 -\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043\060 -\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145\162 -\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145 -\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303\234 -\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303\266 -\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155 -\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163 -\304\261\040\055\040\123\303\274\162\303\274\155\040\063\060\036 -\027\015\060\067\060\070\062\064\061\061\063\067\060\067\132\027 -\015\061\067\060\070\062\061\061\061\063\067\060\067\132\060\202 -\001\053\061\013\060\011\006\003\125\004\006\023\002\124\122\061 -\030\060\026\006\003\125\004\007\014\017\107\145\142\172\145\040 -\055\040\113\157\143\141\145\154\151\061\107\060\105\006\003\125 -\004\012\014\076\124\303\274\162\153\151\171\145\040\102\151\154 -\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157 
-\152\151\153\040\101\162\141\305\237\164\304\261\162\155\141\040 -\113\165\162\165\155\165\040\055\040\124\303\234\102\304\260\124 -\101\113\061\110\060\106\006\003\125\004\013\014\077\125\154\165 -\163\141\154\040\105\154\145\153\164\162\157\156\151\153\040\166 -\145\040\113\162\151\160\164\157\154\157\152\151\040\101\162\141 -\305\237\164\304\261\162\155\141\040\105\156\163\164\151\164\303 -\274\163\303\274\040\055\040\125\105\113\101\105\061\043\060\041 -\006\003\125\004\013\014\032\113\141\155\165\040\123\145\162\164 -\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145\172 -\151\061\112\060\110\006\003\125\004\003\014\101\124\303\234\102 -\304\260\124\101\113\040\125\105\113\101\105\040\113\303\266\153 -\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145 -\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304 -\261\040\055\040\123\303\274\162\303\274\155\040\063\060\202\001 -\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 -\003\202\001\017\000\060\202\001\012\002\202\001\001\000\212\155 -\113\377\020\210\072\303\366\176\224\350\352\040\144\160\256\041 -\201\276\072\173\074\333\361\035\122\177\131\372\363\042\114\225 -\240\220\274\110\116\021\253\373\267\265\215\172\203\050\214\046 -\106\330\116\225\100\207\141\237\305\236\155\201\207\127\154\212 -\073\264\146\352\314\100\374\343\252\154\262\313\001\333\062\277 -\322\353\205\317\241\015\125\303\133\070\127\160\270\165\306\171 -\321\024\060\355\033\130\133\153\357\065\362\241\041\116\305\316 -\174\231\137\154\271\270\042\223\120\247\315\114\160\152\276\152 -\005\177\023\234\053\036\352\376\107\316\004\245\157\254\223\056 -\174\053\237\236\171\023\221\350\352\236\312\070\165\216\142\260 -\225\223\052\345\337\351\136\227\156\040\137\137\204\172\104\071 -\031\100\034\272\125\053\373\060\262\201\357\204\343\334\354\230 -\070\071\003\205\010\251\124\003\005\051\360\311\217\213\352\013 -\206\145\031\021\323\351\011\043\336\150\223\003\311\066\034\041 
-\156\316\214\146\361\231\060\330\327\263\303\035\370\201\056\250 -\275\202\013\146\376\202\313\341\340\032\202\303\100\201\002\003 -\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026 -\004\024\275\210\207\311\217\366\244\012\013\252\353\305\376\221 -\043\235\253\112\212\062\060\016\006\003\125\035\017\001\001\377 -\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377 -\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367 -\015\001\001\005\005\000\003\202\001\001\000\035\174\372\111\217 -\064\351\267\046\222\026\232\005\164\347\113\320\155\071\154\303 -\046\366\316\270\061\274\304\337\274\052\370\067\221\030\334\004 -\310\144\231\053\030\155\200\003\131\311\256\370\130\320\076\355 -\303\043\237\151\074\206\070\034\236\357\332\047\170\321\204\067 -\161\212\074\113\071\317\176\105\006\326\055\330\212\115\170\022 -\326\255\302\323\313\322\320\101\363\046\066\112\233\225\154\014 -\356\345\321\103\047\146\301\210\367\172\263\040\154\352\260\151 -\053\307\040\350\014\003\304\101\005\231\342\077\344\153\370\240 -\206\201\307\204\306\037\325\113\201\022\262\026\041\054\023\241 -\200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112 -\057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307 -\060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147 -\240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154 -\301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204 -\202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054 -\311\234\220\332\354\251\102\074\255\266\002 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" -# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. 
- UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR -# Serial Number: 17 (0x11) -# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR -# Not Valid Before: Fri Aug 24 11:37:07 2007 -# Not Valid After : Mon Aug 21 11:37:07 2017 -# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26 -# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "T\xc3\x9c\x42\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1 - S\xC3\xBCr\xC3\xBCm 3" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\033\113\071\141\046\047\153\144\221\242\150\155\327\002\103\041 -\055\037\035\226 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\355\101\365\214\120\305\053\234\163\346\356\154\353\302\250\046 -END -CKA_ISSUER MULTILINE_OCTAL -\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124 -\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172 -\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006 -\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102 -\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157 -\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155 -\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304 -\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125 -\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153 -\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101 -\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151 -\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043 
-\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145 -\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153 -\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303 -\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303 -\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172 -\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261 -\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\021 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "certSIGN ROOT CA" # 
@@ -10460,172 +9937,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "ACEDICOM Root" -# -# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root -# Serial Number:61:8d:c7:86:3b:01:82:05 -# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root -# Not Valid Before: Fri Apr 18 16:24:22 2008 -# Not Valid After : Thu Apr 13 16:24:22 2028 -# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6 -# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACEDICOM Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105 -\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003 -\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004 -\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125 -\004\006\023\002\105\123 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105 -\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003 -\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004 -\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125 -\004\006\023\002\105\123 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\010\141\215\307\206\073\001\202\005 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\265\060\202\003\235\240\003\002\001\002\002\010\141 -\215\307\206\073\001\202\005\060\015\006\011\052\206\110\206\367 -\015\001\001\005\005\000\060\104\061\026\060\024\006\003\125\004 -\003\014\015\101\103\105\104\111\103\117\115\040\122\157\157\164 -\061\014\060\012\006\003\125\004\013\014\003\120\113\111\061\017 
-\060\015\006\003\125\004\012\014\006\105\104\111\103\117\115\061 -\013\060\011\006\003\125\004\006\023\002\105\123\060\036\027\015 -\060\070\060\064\061\070\061\066\062\064\062\062\132\027\015\062 -\070\060\064\061\063\061\066\062\064\062\062\132\060\104\061\026 -\060\024\006\003\125\004\003\014\015\101\103\105\104\111\103\117 -\115\040\122\157\157\164\061\014\060\012\006\003\125\004\013\014 -\003\120\113\111\061\017\060\015\006\003\125\004\012\014\006\105 -\104\111\103\117\115\061\013\060\011\006\003\125\004\006\023\002 -\105\123\060\202\002\042\060\015\006\011\052\206\110\206\367\015 -\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 -\002\001\000\377\222\225\341\150\006\166\264\054\310\130\110\312 -\375\200\124\051\125\143\044\377\220\145\233\020\165\173\303\152 -\333\142\002\001\362\030\206\265\174\132\070\261\344\130\271\373 -\323\330\055\237\275\062\067\277\054\025\155\276\265\364\041\322 -\023\221\331\007\255\001\005\326\363\275\167\316\137\102\201\012 -\371\152\343\203\000\250\053\056\125\023\143\201\312\107\034\173 -\134\026\127\172\033\203\140\004\072\076\145\303\315\001\336\336 -\244\326\014\272\216\336\331\004\356\027\126\042\233\217\143\375 -\115\026\013\267\173\167\214\371\045\265\321\155\231\022\056\117 -\032\270\346\352\004\222\256\075\021\271\121\102\075\207\260\061 -\205\257\171\132\234\376\347\116\136\222\117\103\374\253\072\255 -\245\022\046\146\271\342\014\327\230\316\324\130\245\225\100\012 -\267\104\235\023\164\053\302\245\353\042\025\230\020\330\213\305 -\004\237\035\217\140\345\006\033\233\317\271\171\240\075\242\043 -\077\102\077\153\372\034\003\173\060\215\316\154\300\277\346\033 -\137\277\147\270\204\031\325\025\357\173\313\220\066\061\142\311 -\274\002\253\106\137\233\376\032\150\224\064\075\220\216\255\366 -\344\035\011\177\112\210\070\077\276\147\375\064\226\365\035\274 -\060\164\313\070\356\325\154\253\324\374\364\000\267\000\133\205 -\062\026\166\063\351\330\243\231\235\005\000\252\026\346\363\201 
-\175\157\175\252\206\155\255\025\164\323\304\242\161\252\364\024 -\175\347\062\270\037\274\325\361\116\275\157\027\002\071\327\016 -\225\102\072\307\000\076\351\046\143\021\352\013\321\112\377\030 -\235\262\327\173\057\072\331\226\373\350\036\222\256\023\125\310 -\331\047\366\334\110\033\260\044\301\205\343\167\235\232\244\363 -\014\021\035\015\310\264\024\356\265\202\127\011\277\040\130\177 -\057\042\043\330\160\313\171\154\311\113\362\251\052\310\374\207 -\053\327\032\120\370\047\350\057\103\343\072\275\330\127\161\375 -\316\246\122\133\371\335\115\355\345\366\157\211\355\273\223\234 -\166\041\165\360\222\114\051\367\057\234\001\056\376\120\106\236 -\144\014\024\263\007\133\305\302\163\154\361\007\134\105\044\024 -\065\256\203\361\152\115\211\172\372\263\330\055\146\360\066\207 -\365\053\123\002\003\001\000\001\243\201\252\060\201\247\060\017 -\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 -\037\006\003\125\035\043\004\030\060\026\200\024\246\263\341\053 -\053\111\266\327\163\241\252\224\365\001\347\163\145\114\254\120 -\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206 -\060\035\006\003\125\035\016\004\026\004\024\246\263\341\053\053 -\111\266\327\163\241\252\224\365\001\347\163\145\114\254\120\060 -\104\006\003\125\035\040\004\075\060\073\060\071\006\004\125\035 -\040\000\060\061\060\057\006\010\053\006\001\005\005\007\002\001 -\026\043\150\164\164\160\072\057\057\141\143\145\144\151\143\157 -\155\056\145\144\151\143\157\155\147\162\157\165\160\056\143\157 -\155\057\144\157\143\060\015\006\011\052\206\110\206\367\015\001 -\001\005\005\000\003\202\002\001\000\316\054\013\122\121\142\046 -\175\014\047\203\217\305\366\332\240\150\173\117\222\136\352\244 -\163\062\021\123\104\262\104\313\235\354\017\171\102\263\020\246 -\307\015\235\313\266\372\077\072\174\352\277\210\123\033\074\367 -\202\372\005\065\063\341\065\250\127\300\347\375\215\117\077\223 -\062\117\170\146\003\167\007\130\351\225\310\176\076\320\171\000 
-\214\362\033\121\063\233\274\224\351\072\173\156\122\055\062\236 -\043\244\105\373\266\056\023\260\213\030\261\335\316\325\035\247 -\102\177\125\276\373\133\273\107\324\374\044\315\004\256\226\005 -\025\326\254\316\060\363\312\013\305\272\342\042\340\246\255\042 -\344\002\356\164\021\177\114\377\170\035\065\332\346\002\064\353 -\030\022\141\167\006\011\026\143\352\030\255\242\207\037\362\307 -\200\011\011\165\116\020\250\217\075\206\270\165\021\300\044\142 -\212\226\173\112\105\351\354\131\305\276\153\203\346\341\350\254 -\265\060\036\376\005\007\200\371\341\043\015\120\217\005\230\377 -\054\137\350\073\266\255\317\201\265\041\207\312\010\052\043\047 -\060\040\053\317\355\224\133\254\262\172\322\307\050\241\212\013 -\233\115\112\054\155\205\077\011\162\074\147\342\331\334\007\272 -\353\145\173\132\001\143\326\220\133\117\027\146\075\177\013\031 -\243\223\143\020\122\052\237\024\026\130\342\334\245\364\241\026 -\213\016\221\213\201\312\233\131\372\330\153\221\007\145\125\137 -\122\037\257\072\373\220\335\151\245\133\234\155\016\054\266\372 -\316\254\245\174\062\112\147\100\334\060\064\043\335\327\004\043 -\146\360\374\125\200\247\373\146\031\202\065\147\142\160\071\136 -\157\307\352\220\100\104\010\036\270\262\326\333\356\131\247\015 -\030\171\064\274\124\030\136\123\312\064\121\355\105\012\346\216 -\307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125 -\207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255 -\257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351 -\032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235 -\350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112 -\147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176 -\113\076\053\070\007\125\230\136\244 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "ACEDICOM Root" -# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root -# Serial Number:61:8d:c7:86:3b:01:82:05 -# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root -# Not Valid 
Before: Fri Apr 18 16:24:22 2008 -# Not Valid After : Thu Apr 13 16:24:22 2028 -# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6 -# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACEDICOM Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\340\264\062\056\262\366\245\150\266\124\123\204\110\030\112\120 -\066\207\103\204 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\102\201\240\342\034\343\125\020\336\125\211\102\145\226\042\346 -END -CKA_ISSUER MULTILINE_OCTAL -\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105 -\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003 -\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004 -\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125 -\004\006\023\002\105\123 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\010\141\215\307\206\073\001\202\005 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # # Certificate "Microsec e-Szigno Root CA 2009" # 
@@ -14492,175 +13803,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "Certinomis - Autorité Racine" -# -# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR -# Serial Number: 1 (0x1) -# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR -# Not Valid Before: Wed Sep 17 08:28:59 2008 -# Not Valid After : Sun Sep 17 08:28:59 2028 -# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A -# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certinomis - Autorité Racine" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061 -\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156 -\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060 -\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060 -\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155 -\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122 -\141\143\151\156\145 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061 -\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156 -\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060 -\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060 -\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155 -\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122 -\141\143\151\156\145 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\234\060\202\003\204\240\003\002\001\002\002\001\001 
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061\023 -\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156\157 -\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060\060 -\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060\044 -\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155\151 -\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122\141 -\143\151\156\145\060\036\027\015\060\070\060\071\061\067\060\070 -\062\070\065\071\132\027\015\062\070\060\071\061\067\060\070\062 -\070\065\071\132\060\143\061\013\060\011\006\003\125\004\006\023 -\002\106\122\061\023\060\021\006\003\125\004\012\023\012\103\145 -\162\164\151\156\157\155\151\163\061\027\060\025\006\003\125\004 -\013\023\016\060\060\060\062\040\064\063\063\071\071\070\071\060 -\063\061\046\060\044\006\003\125\004\003\014\035\103\145\162\164 -\151\156\157\155\151\163\040\055\040\101\165\164\157\162\151\164 -\303\251\040\122\141\143\151\156\145\060\202\002\042\060\015\006 -\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017 -\000\060\202\002\012\002\202\002\001\000\235\205\237\206\323\343 -\257\307\262\153\156\063\340\236\267\102\064\125\235\371\201\276 -\143\330\043\166\016\227\124\315\231\114\032\361\071\307\210\330 -\027\120\014\236\141\332\300\116\125\336\347\132\270\172\116\167 -\207\015\345\270\353\372\236\136\173\036\304\317\050\164\307\223 -\365\024\306\042\050\004\371\221\303\253\047\163\152\016\056\115 -\363\056\050\037\160\337\125\057\116\355\307\161\157\011\162\056 -\355\325\062\227\320\361\130\167\321\140\274\116\136\333\232\204 -\366\107\141\105\053\366\120\246\177\152\161\047\110\204\065\236 -\254\376\151\251\236\172\136\065\045\372\264\247\111\065\167\226 -\247\066\133\341\315\337\043\160\330\135\114\245\010\203\361\246 -\044\070\023\250\354\057\250\241\147\307\246\055\206\107\356\212 -\374\354\233\016\164\364\053\111\002\173\220\165\214\374\231\071 
-\001\071\326\112\211\345\236\166\253\076\226\050\070\046\213\335 -\215\214\300\366\001\036\157\245\061\022\070\175\225\302\161\356 -\355\164\256\344\066\242\103\165\325\361\000\233\342\344\327\314 -\102\003\113\170\172\345\175\273\270\256\056\040\223\323\344\141 -\337\161\341\166\147\227\077\266\337\152\163\132\144\042\345\102 -\333\317\201\003\223\330\364\343\020\340\162\366\000\160\254\360 -\301\172\017\005\177\317\064\151\105\265\223\344\031\333\122\026 -\043\005\211\016\215\110\344\045\157\263\170\277\142\365\007\372 -\225\044\302\226\262\350\243\043\302\135\003\374\303\323\345\174 -\311\165\043\327\364\365\274\336\344\337\315\200\277\221\210\175 -\247\023\264\071\272\054\272\275\321\153\314\363\245\050\355\104 -\236\175\122\243\157\226\056\031\176\034\363\133\307\026\216\273 -\140\175\167\146\107\124\202\000\021\140\154\062\301\250\070\033 -\353\156\230\023\326\356\070\365\360\237\016\357\376\061\201\301 -\322\044\225\057\123\172\151\242\360\017\206\105\216\130\202\053 -\114\042\324\136\240\347\175\046\047\110\337\045\106\215\112\050 -\174\206\236\371\233\032\131\271\145\277\005\335\266\102\135\075 -\346\000\110\202\136\040\367\021\202\336\312\330\237\346\067\107 -\046\036\353\170\367\141\303\101\144\130\002\101\371\332\340\321 -\370\371\350\375\122\070\266\365\211\337\002\003\001\000\001\243 -\133\060\131\060\017\006\003\125\035\023\001\001\377\004\005\060 -\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004 -\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\015 -\214\266\141\332\104\270\321\024\175\303\276\175\136\110\360\316 -\312\152\260\060\027\006\003\125\035\040\004\020\060\016\060\014 -\006\012\052\201\172\001\126\002\002\000\001\001\060\015\006\011 -\052\206\110\206\367\015\001\001\005\005\000\003\202\002\001\000 -\044\076\140\006\176\035\357\072\076\333\352\257\034\232\054\001 -\013\364\305\265\331\111\061\364\135\101\215\211\014\116\377\154 -\242\375\377\342\006\310\071\237\361\132\251\335\042\130\025\250 
-\212\323\261\346\062\011\202\003\154\327\077\010\307\370\271\272 -\000\155\271\326\374\122\062\135\244\177\244\061\224\273\266\114 -\070\177\050\060\065\377\237\043\123\267\266\356\024\160\000\100 -\053\332\107\253\064\176\136\247\126\060\141\053\213\103\254\375 -\266\210\050\365\153\266\076\140\112\272\102\220\064\147\215\352 -\353\137\105\124\073\027\254\213\344\306\145\017\356\320\214\135 -\146\071\316\062\247\330\020\227\300\176\064\234\237\224\363\366 -\206\037\317\033\163\255\224\171\207\150\160\303\063\245\160\347 -\330\325\070\224\157\143\171\353\277\012\016\010\347\305\057\017 -\102\240\053\024\100\377\041\340\005\305\047\341\204\021\023\272 -\326\206\035\101\013\023\043\211\323\311\013\350\212\272\172\243 -\243\163\067\065\200\175\022\270\063\167\100\070\300\372\136\060 -\322\362\266\243\261\326\242\225\227\201\233\122\355\151\114\377 -\200\344\123\333\124\133\003\155\124\137\261\270\357\044\275\157 -\237\021\303\307\144\302\017\050\142\205\146\136\032\173\262\267 -\357\256\065\311\031\063\250\270\047\333\063\125\277\150\341\165 -\110\104\126\373\315\323\110\273\107\211\072\254\151\365\200\306 -\344\104\120\057\124\304\252\103\305\061\061\130\275\226\305\352 -\165\154\232\165\261\115\370\367\227\377\226\026\362\227\115\350 -\366\363\021\371\072\175\212\070\156\004\313\341\323\105\025\252 -\245\321\035\235\135\143\350\044\346\066\024\342\207\255\033\131 -\365\104\233\373\327\167\174\037\001\160\142\241\040\032\242\305 -\032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133 -\166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333 -\240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027 -\366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164 -\004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126 -\331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143 -\377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate 
"Certinomis - Autorité Racine" -# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR -# Serial Number: 1 (0x1) -# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR -# Not Valid Before: Wed Sep 17 08:28:59 2008 -# Not Valid After : Sun Sep 17 08:28:59 2028 -# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A -# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certinomis - Autorité Racine" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\056\024\332\354\050\360\372\036\216\070\232\116\253\353\046\300 -\012\323\203\303 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\177\060\170\214\003\343\312\311\012\342\311\352\036\252\125\032 -END -CKA_ISSUER MULTILINE_OCTAL -\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061 -\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156 -\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060 -\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060 -\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155 -\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122 -\141\143\151\156\145 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "TWCA Root Certification Authority" # 
@@ -16900,407 +16042,41 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "StartCom Certification Authority" +# Certificate "Buypass Class 2 Root CA" # -# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Serial Number: 45 (0x2d) -# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Not Valid Before: Sun Sep 17 19:46:37 2006 -# Not Valid After : Wed Sep 17 19:46:36 2036 -# Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16 -# Fingerprint (SHA1): A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0 +# Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO +# Serial Number: 2 (0x2) +# Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO +# Not Valid Before: Tue Oct 26 08:38:03 2010 +# Not Valid After : Fri Oct 26 08:38:03 2040 +# Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29 +# Fingerprint (SHA1): 49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority" +CKA_LABEL UTF8 "Buypass Class 2 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 -\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 
+\060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 +\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163 +\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\040 +\060\036\006\003\125\004\003\014\027\102\165\171\160\141\163\163 +\040\103\154\141\163\163\040\062\040\122\157\157\164\040\103\101 END CKA_ID UTF8 "0" CKA_ISSUER MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 -\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 +\060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 +\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163 +\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\040 +\060\036\006\003\125\004\003\014\027\102\165\171\160\141\163\163 +\040\103\154\141\163\163\040\062\040\122\157\157\164\040\103\101 END CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\055 +\002\001\002 END CKA_VALUE MULTILINE_OCTAL -\060\202\007\207\060\202\005\157\240\003\002\001\002\002\001\055 -\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 -\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026 -\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157 -\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023 -\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040 -\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156 -\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164 -\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141 -\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036 
-\027\015\060\066\060\071\061\067\061\071\064\066\063\067\132\027 -\015\063\066\060\071\061\067\061\071\064\066\063\066\132\060\175 -\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026\060 -\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157\155 -\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023\042 -\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040\103 -\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156\151 -\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164\141 -\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202\002 -\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 -\003\202\002\017\000\060\202\002\012\002\202\002\001\000\301\210 -\333\011\274\154\106\174\170\237\225\173\265\063\220\362\162\142 -\326\301\066\040\042\044\136\316\351\167\362\103\012\242\006\144 -\244\314\216\066\370\070\346\043\360\156\155\261\074\335\162\243 -\205\034\241\323\075\264\063\053\323\057\257\376\352\260\101\131 -\147\266\304\006\175\012\236\164\205\326\171\114\200\067\172\337 -\071\005\122\131\367\364\033\106\103\244\322\205\205\322\303\161 -\363\165\142\064\272\054\212\177\036\217\356\355\064\320\021\307 -\226\315\122\075\272\063\326\335\115\336\013\073\112\113\237\302 -\046\057\372\265\026\034\162\065\167\312\074\135\346\312\341\046 -\213\032\066\166\134\001\333\164\024\045\376\355\265\240\210\017 -\335\170\312\055\037\007\227\060\001\055\162\171\372\106\326\023 -\052\250\271\246\253\203\111\035\345\362\357\335\344\001\216\030 -\012\217\143\123\026\205\142\251\016\031\072\314\265\146\246\302 -\153\164\007\344\053\341\166\076\264\155\330\366\104\341\163\142 -\037\073\304\276\240\123\126\045\154\121\011\367\252\253\312\277 -\166\375\155\233\363\235\333\277\075\146\274\014\126\252\257\230 -\110\225\072\113\337\247\130\120\331\070\165\251\133\352\103\014 -\002\377\231\353\350\154\115\160\133\051\145\234\335\252\135\314 
-\257\001\061\354\014\353\322\215\350\352\234\173\346\156\367\047 -\146\014\032\110\327\156\102\343\077\336\041\076\173\341\015\160 -\373\143\252\250\154\032\124\264\134\045\172\311\242\311\213\026 -\246\273\054\176\027\136\005\115\130\156\022\035\001\356\022\020 -\015\306\062\177\030\377\374\364\372\315\156\221\350\066\111\276 -\032\110\151\213\302\226\115\032\022\262\151\027\301\012\220\326 -\372\171\042\110\277\272\173\151\370\160\307\372\172\067\330\330 -\015\322\166\117\127\377\220\267\343\221\322\335\357\302\140\267 -\147\072\335\376\252\234\360\324\213\177\162\042\316\306\237\227 -\266\370\257\212\240\020\250\331\373\030\306\266\265\134\122\074 -\211\266\031\052\163\001\012\017\003\263\022\140\362\172\057\201 -\333\243\156\377\046\060\227\365\213\335\211\127\266\255\075\263 -\257\053\305\267\166\002\360\245\326\053\232\206\024\052\162\366 -\343\063\214\135\011\113\023\337\273\214\164\023\122\113\002\003 -\001\000\001\243\202\002\020\060\202\002\014\060\017\006\003\125 -\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003 -\125\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003 -\125\035\016\004\026\004\024\116\013\357\032\244\100\133\245\027 -\151\207\060\312\064\150\103\320\101\256\362\060\037\006\003\125 -\035\043\004\030\060\026\200\024\116\013\357\032\244\100\133\245 -\027\151\207\060\312\064\150\103\320\101\256\362\060\202\001\132 -\006\003\125\035\040\004\202\001\121\060\202\001\115\060\202\001 -\111\006\013\053\006\001\004\001\201\265\067\001\001\001\060\202 -\001\070\060\056\006\010\053\006\001\005\005\007\002\001\026\042 -\150\164\164\160\072\057\057\167\167\167\056\163\164\141\162\164 -\163\163\154\056\143\157\155\057\160\157\154\151\143\171\056\160 -\144\146\060\064\006\010\053\006\001\005\005\007\002\001\026\050 -\150\164\164\160\072\057\057\167\167\167\056\163\164\141\162\164 -\163\163\154\056\143\157\155\057\151\156\164\145\162\155\145\144 -\151\141\164\145\056\160\144\146\060\201\317\006\010\053\006\001 
-\005\005\007\002\002\060\201\302\060\047\026\040\123\164\141\162 -\164\040\103\157\155\155\145\162\143\151\141\154\040\050\123\164 -\141\162\164\103\157\155\051\040\114\164\144\056\060\003\002\001 -\001\032\201\226\114\151\155\151\164\145\144\040\114\151\141\142 -\151\154\151\164\171\054\040\162\145\141\144\040\164\150\145\040 -\163\145\143\164\151\157\156\040\052\114\145\147\141\154\040\114 -\151\155\151\164\141\164\151\157\156\163\052\040\157\146\040\164 -\150\145\040\123\164\141\162\164\103\157\155\040\103\145\162\164 -\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162 -\151\164\171\040\120\157\154\151\143\171\040\141\166\141\151\154 -\141\142\154\145\040\141\164\040\150\164\164\160\072\057\057\167 -\167\167\056\163\164\141\162\164\163\163\154\056\143\157\155\057 -\160\157\154\151\143\171\056\160\144\146\060\021\006\011\140\206 -\110\001\206\370\102\001\001\004\004\003\002\000\007\060\070\006 -\011\140\206\110\001\206\370\102\001\015\004\053\026\051\123\164 -\141\162\164\103\157\155\040\106\162\145\145\040\123\123\114\040 -\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165 -\164\150\157\162\151\164\171\060\015\006\011\052\206\110\206\367 -\015\001\001\013\005\000\003\202\002\001\000\216\217\347\334\224 -\171\174\361\205\177\237\111\157\153\312\135\373\214\376\004\305 -\301\142\321\175\102\212\274\123\267\224\003\146\060\077\261\347 -\012\247\120\040\125\045\177\166\172\024\015\353\004\016\100\346 -\076\330\210\253\007\047\203\251\165\246\067\163\307\375\113\322 -\115\255\027\100\310\106\276\073\177\121\374\303\266\005\061\334 -\315\205\042\116\161\267\362\161\136\260\032\306\272\223\213\170 -\222\112\205\370\170\017\203\376\057\255\054\367\344\244\273\055 -\320\347\015\072\270\076\316\366\170\366\256\107\044\312\243\065 -\066\316\307\306\207\230\332\354\373\351\262\316\047\233\210\303 -\004\241\366\013\131\150\257\311\333\020\017\115\366\144\143\134 -\245\022\157\222\262\223\224\307\210\027\016\223\266\176\142\213 
-\220\177\253\116\237\374\343\165\024\117\052\062\337\133\015\340 -\365\173\223\015\253\241\317\207\341\245\004\105\350\074\022\245 -\011\305\260\321\267\123\363\140\024\272\205\151\152\041\174\037 -\165\141\027\040\027\173\154\073\101\051\134\341\254\132\321\315 -\214\233\353\140\035\031\354\367\345\260\332\371\171\030\245\105 -\077\111\103\127\322\335\044\325\054\243\375\221\215\047\265\345 -\353\024\006\232\114\173\041\273\072\255\060\006\030\300\330\301 -\153\054\177\131\134\135\221\261\160\042\127\353\212\153\110\112 -\325\017\051\354\306\100\300\057\210\114\150\001\027\167\364\044 -\031\117\275\372\341\262\040\041\113\335\032\330\051\175\252\270 -\336\124\354\041\125\200\154\036\365\060\310\243\020\345\262\346 -\052\024\061\303\205\055\214\230\261\206\132\117\211\131\055\271 -\307\367\034\310\212\177\300\235\005\112\346\102\117\142\243\155 -\051\244\037\205\253\333\345\201\310\255\052\075\114\135\133\204 -\046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340 -\124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135 -\016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331 -\361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212 -\362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217 -\266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346 -\177\045\245\362\110\000\300\244\001\332\077 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "StartCom Certification Authority" -# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Serial Number: 45 (0x2d) -# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL -# Not Valid Before: Sun Sep 17 19:46:37 2006 -# Not Valid After : Wed Sep 17 19:46:36 2036 -# Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16 -# Fingerprint (SHA1): A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST 
-CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\243\361\063\077\342\102\277\317\305\321\116\217\071\102\230\100 -\150\020\321\240 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\311\073\015\204\101\374\244\166\171\043\010\127\336\020\031\026 -END -CKA_ISSUER MULTILINE_OCTAL -\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013 -\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154 -\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147 -\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123 -\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143 -\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\055 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "StartCom Certification Authority G2" -# -# Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL -# Serial Number: 59 (0x3b) -# Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL -# Not Valid Before: Fri Jan 01 01:00:01 2010 -# Not Valid After : Sat Dec 31 23:59:01 2039 -# Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64 -# Fingerprint (SHA1): 31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority G2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL 
-\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003 -\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151 -\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151 -\164\171\040\107\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003 -\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151 -\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151 -\164\171\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\073 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\143\060\202\003\113\240\003\002\001\002\002\001\073 -\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 -\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026 -\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157 -\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003\023 -\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151\146 -\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164 -\171\040\107\062\060\036\027\015\061\060\060\061\060\061\060\061 -\060\060\060\061\132\027\015\063\071\061\062\063\061\062\063\065 -\071\060\061\132\060\123\061\013\060\011\006\003\125\004\006\023 -\002\111\114\061\026\060\024\006\003\125\004\012\023\015\123\164 -\141\162\164\103\157\155\040\114\164\144\056\061\054\060\052\006 -\003\125\004\003\023\043\123\164\141\162\164\103\157\155\040\103 -\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164 -\150\157\162\151\164\171\040\107\062\060\202\002\042\060\015\006 -\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017 -\000\060\202\002\012\002\202\002\001\000\266\211\066\133\007\267 
-\040\066\275\202\273\341\026\040\003\225\172\257\016\243\125\311 -\045\231\112\305\320\126\101\207\220\115\041\140\244\024\207\073 -\315\375\262\076\264\147\003\152\355\341\017\113\300\221\205\160 -\105\340\102\236\336\051\043\324\001\015\240\020\171\270\333\003 -\275\363\251\057\321\306\340\017\313\236\212\024\012\270\275\366 -\126\142\361\305\162\266\062\045\331\262\363\275\145\305\015\054 -\156\325\222\157\030\213\000\101\024\202\157\100\040\046\172\050 -\017\365\036\177\047\367\224\261\067\075\267\307\221\367\342\001 -\354\375\224\211\341\314\156\323\066\326\012\031\171\256\327\064 -\202\145\377\174\102\273\266\335\013\246\064\257\113\140\376\177 -\103\111\006\213\214\103\270\126\362\331\177\041\103\027\352\247 -\110\225\001\165\165\352\053\245\103\225\352\025\204\235\010\215 -\046\156\125\233\253\334\322\071\322\061\035\140\342\254\314\126 -\105\044\365\034\124\253\356\206\335\226\062\205\370\114\117\350 -\225\166\266\005\335\066\043\147\274\377\025\342\312\073\346\246 -\354\073\354\046\021\064\110\215\366\200\053\032\043\002\353\212 -\034\072\166\052\173\126\026\034\162\052\263\252\343\140\245\000 -\237\004\233\342\157\036\024\130\133\245\154\213\130\074\303\272 -\116\072\134\367\341\226\053\076\357\007\274\244\345\135\314\115 -\237\015\341\334\252\273\341\156\032\354\217\341\266\114\115\171 -\162\135\027\065\013\035\327\301\107\332\226\044\340\320\162\250 -\132\137\146\055\020\334\057\052\023\256\046\376\012\034\031\314 -\320\076\013\234\310\011\056\371\133\226\172\107\234\351\172\363 -\005\120\164\225\163\236\060\011\363\227\202\136\346\217\071\010 -\036\131\345\065\024\102\023\377\000\234\367\276\252\120\317\342 -\121\110\327\270\157\257\370\116\176\063\230\222\024\142\072\165 -\143\317\173\372\336\202\073\251\273\071\342\304\275\054\000\016 -\310\027\254\023\357\115\045\216\330\263\220\057\251\332\051\175 -\035\257\164\072\262\047\300\301\036\076\165\243\026\251\257\172 -\042\135\237\023\032\317\247\240\353\343\206\012\323\375\346\226 
-\225\327\043\310\067\335\304\174\252\066\254\230\032\022\261\340 -\116\350\261\073\365\326\157\361\060\327\002\003\001\000\001\243 -\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060 -\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004 -\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\113 -\305\264\100\153\255\034\263\245\034\145\156\106\066\211\207\005 -\014\016\266\060\015\006\011\052\206\110\206\367\015\001\001\013 -\005\000\003\202\002\001\000\163\127\077\054\325\225\062\176\067 -\333\226\222\353\031\136\176\123\347\101\354\021\266\107\357\265 -\336\355\164\134\305\361\216\111\340\374\156\231\023\315\237\212 -\332\315\072\012\330\072\132\011\077\137\064\320\057\003\322\146 -\035\032\275\234\220\067\310\014\216\007\132\224\105\106\052\346 -\276\172\332\241\251\244\151\022\222\260\175\066\324\104\207\327 -\121\361\051\143\326\165\315\026\344\047\211\035\370\302\062\110 -\375\333\231\320\217\137\124\164\314\254\147\064\021\142\331\014 -\012\067\207\321\243\027\110\216\322\027\035\366\327\375\333\145 -\353\375\250\324\365\326\117\244\133\165\350\305\322\140\262\333 -\011\176\045\213\173\272\122\222\236\076\350\305\167\241\074\340 -\112\163\153\141\317\206\334\103\377\377\041\376\043\135\044\112 -\365\323\155\017\142\004\005\127\202\332\156\244\063\045\171\113 -\056\124\031\213\314\054\075\060\351\321\006\377\350\062\106\276 -\265\063\166\167\250\001\135\226\301\301\325\276\256\045\300\311 -\036\012\011\040\210\241\016\311\363\157\115\202\124\000\040\247 -\322\217\344\071\124\027\056\215\036\270\033\273\033\275\232\116 -\073\020\064\334\234\210\123\357\242\061\133\130\117\221\142\310 -\302\232\232\315\025\135\070\251\326\276\370\023\265\237\022\151 -\362\120\142\254\373\027\067\364\356\270\165\147\140\020\373\203 -\120\371\104\265\165\234\100\027\262\376\375\171\135\156\130\130 -\137\060\374\000\256\257\063\301\016\116\154\272\247\246\241\177 -\062\333\070\340\261\162\027\012\053\221\354\152\143\046\355\211 
-\324\170\314\164\036\005\370\153\376\214\152\166\071\051\256\145 -\043\022\225\010\042\034\227\316\133\006\356\014\342\273\274\037 -\104\223\366\330\070\105\005\041\355\344\255\253\022\266\003\244 -\102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050 -\205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355 -\173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311 -\062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153 -\262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303 -\301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123 -\127\055\366\320\341\327\110 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "StartCom Certification Authority G2" -# Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL -# Serial Number: 59 (0x3b) -# Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL -# Not Valid Before: Fri Jan 01 01:00:01 2010 -# Not Valid After : Sat Dec 31 23:59:01 2039 -# Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64 -# Fingerprint (SHA1): 31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "StartCom Certification Authority G2" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\061\361\375\150\042\143\040\356\306\073\077\235\352\112\076\123 -\174\174\071\027 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\170\113\373\236\144\202\012\323\270\114\142\363\144\362\220\144 -END -CKA_ISSUER MULTILINE_OCTAL -\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061 -\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103 -\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003 -\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151 -\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151 -\164\171\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\073 -END 
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "Buypass Class 2 Root CA" -# -# Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO -# Serial Number: 2 (0x2) -# Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO -# Not Valid Before: Tue Oct 26 08:38:03 2010 -# Not Valid After : Fri Oct 26 08:38:03 2040 -# Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29 -# Fingerprint (SHA1): 49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Buypass Class 2 Root CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 -\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163 -\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\040 -\060\036\006\003\125\004\003\014\027\102\165\171\160\141\163\163 -\040\103\154\141\163\163\040\062\040\122\157\157\164\040\103\101 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 -\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163 -\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\040 -\060\036\006\003\125\004\003\014\027\102\165\171\160\141\163\163 -\040\103\154\141\163\163\040\062\040\122\157\157\164\040\103\101 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\002 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\131\060\202\003\101\240\003\002\001\002\002\001\002 +\060\202\005\131\060\202\003\101\240\003\002\001\002\002\001\002 \060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 \116\061\013\060\011\006\003\125\004\006\023\002\116\117\061\035 
\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163\163 
@@ -17946,172 +16722,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "TURKTRUST Certificate Services Provider Root 2007"
-#
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number: 1 (0x1)
-# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Tue Dec 25 18:37:19 2007
-# Not Valid After : Fri Dec 22 18:37:19 2017
-# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
-# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\075\060\202\003\045\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303\234
-\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157\156
-\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
-\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234\122
-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
-\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060\060
-\067\060\036\027\015\060\067\061\062\062\065\061\070\063\067\061
-\071\132\027\015\061\067\061\062\062\062\061\070\063\067\061\071
-\132\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124
-\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
-\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
-\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
-\304\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002
-\124\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153
-\141\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303
-\234\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304
-\260\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154
-\151\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237
-\151\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305
-\236\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062
-\060\060\067\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\253\267\076\012\214\310\245\130\025\346\212\357
-\047\075\112\264\350\045\323\315\063\302\040\334\031\356\210\077
-\115\142\360\335\023\167\217\141\251\052\265\324\362\271\061\130
-\051\073\057\077\152\234\157\163\166\045\356\064\040\200\356\352
-\267\360\304\012\315\053\206\224\311\343\140\261\104\122\262\132
-\051\264\221\227\203\330\267\246\024\057\051\111\242\363\005\006
-\373\264\117\332\241\154\232\146\237\360\103\011\312\352\162\217
-\353\000\327\065\071\327\126\027\107\027\060\364\276\277\077\302
-\150\257\066\100\301\251\364\251\247\350\020\153\010\212\367\206
-\036\334\232\052\025\006\366\243\360\364\340\307\024\324\121\177
-\317\264\333\155\257\107\226\027\233\167\161\330\247\161\235\044
-\014\366\224\077\205\061\022\117\272\356\116\202\270\271\076\217
-\043\067\136\314\242\252\165\367\030\157\011\323\256\247\124\050
-\064\373\341\340\073\140\175\240\276\171\211\206\310\237\055\371
-\012\113\304\120\242\347\375\171\026\307\172\013\030\317\316\114
-\357\175\326\007\157\230\361\257\261\301\172\327\201\065\270\252
-\027\264\340\313\002\003\001\000\001\243\102\060\100\060\035\006
-\003\125\035\016\004\026\004\024\051\305\220\253\045\257\021\344
-\141\277\243\377\210\141\221\346\016\376\234\201\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
-\000\020\015\332\370\072\354\050\321\024\225\202\261\022\054\121
-\172\101\045\066\114\237\354\077\037\204\235\145\124\134\250\026
-\002\100\372\156\032\067\204\357\162\235\206\012\125\235\126\050
-\254\146\054\320\072\126\223\064\007\045\255\010\260\217\310\017
-\011\131\312\235\230\034\345\124\370\271\105\177\152\227\157\210
-\150\115\112\006\046\067\210\002\016\266\306\326\162\231\316\153
-\167\332\142\061\244\126\037\256\137\215\167\332\135\366\210\374
-\032\331\236\265\201\360\062\270\343\210\320\234\363\152\240\271
-\233\024\131\065\066\117\317\363\216\136\135\027\255\025\225\330
-\335\262\325\025\156\000\116\263\113\317\146\224\344\340\315\265
-\005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
-\135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
-\242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
-\354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
-\253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
-\062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
-\175
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "TURKTRUST Certificate Services Provider Root 2007"
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number: 1 (0x1)
-# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Tue Dec 25 18:37:19 2007
-# Not Valid After : Fri Dec 22 18:37:19 2017
-# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
-# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\361\177\157\266\061\334\231\343\243\310\177\376\034\361\201\020
-\210\331\140\063
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\053\160\040\126\206\202\240\030\310\007\123\022\050\160\041\162
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "D-TRUST Root Class 3 CA 2 2009"
 #
@@ -18398,269 +17008,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "PSCProcert"
-#
-# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
-# Serial Number: 11 (0xb)
-# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
-# Not Valid Before: Tue Dec 28 16:51:00 2010
-# Not Valid After : Fri Dec 25 23:59:59 2020
-# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
-# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "PSCProcert"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015\001
-\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162\157
-\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015\006
-\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060\016
-\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061\052
-\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145\144
-\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141\144
-\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006\003
-\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141\143
-\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146\151
-\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156\151
-\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105\061
-\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162\157
-\143\145\162\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
-\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
-\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
-\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
-\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
-\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
-\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
-\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
-\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
-\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
-\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
-\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
-\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
-\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
-\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
-\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\013
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\011\206\060\202\007\156\240\003\002\001\002\002\001\013
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145
-\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154
-\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105
-\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143
-\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163
-\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060
-\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040
-\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162
-\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072
-\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141
-\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145
-\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105
-\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011
-\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151
-\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166
-\145\060\036\027\015\061\060\061\062\062\070\061\066\065\061\060
-\060\132\027\015\062\060\061\062\062\065\062\063\065\071\065\071
-\132\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015
-\001\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162
-\157\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015
-\006\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060
-\016\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061
-\052\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145
-\144\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141
-\144\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006
-\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141
-\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146
-\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156
-\151\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105
-\061\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162
-\157\143\145\162\164\060\202\002\042\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002
-\012\002\202\002\001\000\325\267\364\243\224\063\241\106\251\125
-\141\111\015\250\207\163\136\221\055\160\301\006\032\224\332\075
-\354\025\102\301\365\214\256\152\027\361\212\255\374\200\225\352
-\203\104\242\133\172\125\316\117\247\245\325\272\270\037\240\047
-\300\120\123\076\215\271\300\016\270\025\334\326\154\370\236\370
-\004\045\337\200\217\020\205\335\175\057\173\200\335\127\000\144
-\043\370\156\311\276\225\117\341\165\354\340\176\136\225\315\261
-\357\276\172\102\330\311\054\323\353\032\032\042\213\267\177\006
-\211\345\074\365\022\300\273\323\013\231\137\220\174\216\055\057
-\167\063\222\112\041\106\250\251\010\254\361\366\021\002\331\225
-\026\236\215\057\226\346\002\335\165\302\024\052\132\326\311\175
-\045\302\301\374\252\147\205\342\354\276\321\174\074\372\257\325
-\156\377\123\101\324\365\062\070\261\342\137\304\371\216\020\357
-\006\251\002\211\377\343\014\156\227\340\337\235\333\041\320\364
-\076\010\151\154\330\324\344\066\370\203\266\262\066\217\234\357
-\072\067\026\175\277\242\151\327\073\133\162\320\257\252\077\134
-\146\223\254\012\042\141\266\322\240\231\310\124\223\135\250\266
-\321\275\135\012\136\167\224\242\055\300\202\216\274\312\003\052
-\064\256\163\361\324\265\014\275\276\147\233\124\353\341\372\240
-\132\354\070\176\076\301\314\242\307\104\061\165\352\077\345\007
-\322\253\241\045\226\366\346\344\240\135\067\030\071\141\000\063
-\135\106\324\000\304\264\312\074\361\242\243\076\363\072\377\151
-\060\056\100\335\366\237\234\046\311\226\067\255\347\071\242\277
-\352\151\333\125\042\225\123\052\224\265\337\255\026\070\201\165
-\146\343\307\054\033\223\234\252\214\243\312\331\154\074\027\155
-\234\334\174\123\340\040\047\103\066\371\022\341\074\134\275\146
-\277\242\151\043\070\270\231\140\231\016\126\123\072\234\176\024
-\214\260\006\157\361\206\166\220\257\375\257\376\220\306\217\237
-\177\213\222\043\234\347\025\166\217\325\213\224\023\162\151\373
-\053\141\143\210\357\346\244\136\346\243\027\152\130\107\313\161
-\117\024\013\136\310\002\010\046\242\313\351\257\153\212\031\307
-\313\024\126\365\341\332\265\331\374\277\163\070\332\371\347\257
-\156\244\067\342\007\047\002\003\001\000\001\243\202\003\027\060
-\202\003\023\060\022\006\003\125\035\023\001\001\377\004\010\060
-\006\001\001\377\002\001\001\060\067\006\003\125\035\022\004\060
-\060\056\202\017\163\165\163\143\145\162\164\145\056\147\157\142
-\056\166\145\240\033\006\005\140\206\136\002\002\240\022\014\020
-\122\111\106\055\107\055\062\060\060\060\064\060\063\066\055\060
-\060\035\006\003\125\035\016\004\026\004\024\101\017\031\070\252
-\231\177\102\013\244\327\047\230\124\242\027\114\055\121\124\060
-\202\001\120\006\003\125\035\043\004\202\001\107\060\202\001\103
-\200\024\255\273\042\035\306\340\322\001\250\375\166\120\122\223
-\355\230\301\115\256\323\241\202\001\046\244\202\001\042\060\202
-\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165\164
-\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151\146
-\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145\154
-\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154\141
-\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105\061
-\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143\141
-\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163\164
-\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060\064
-\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116
-\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157
-\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072\123
-\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141\040
-\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145\040
-\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105\154
-\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011\052
-\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151\172
-\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145
-\202\001\012\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\115\006\003\125\035\021\004\106\060\104\202\016
-\160\162\157\143\145\162\164\056\156\145\164\056\166\145\240\025
-\006\005\140\206\136\002\001\240\014\014\012\120\123\103\055\060
-\060\060\060\060\062\240\033\006\005\140\206\136\002\002\240\022
-\014\020\122\111\106\055\112\055\063\061\066\063\065\063\067\063
-\055\067\060\166\006\003\125\035\037\004\157\060\155\060\106\240
-\104\240\102\206\100\150\164\164\160\072\057\057\167\167\167\056
-\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145\057
-\154\143\162\057\103\105\122\124\111\106\111\103\101\104\117\055
-\122\101\111\132\055\123\110\101\063\070\064\103\122\114\104\105
-\122\056\143\162\154\060\043\240\041\240\037\206\035\154\144\141
-\160\072\057\057\141\143\162\141\151\172\056\163\165\163\143\145
-\162\164\145\056\147\157\142\056\166\145\060\067\006\010\053\006
-\001\005\005\007\001\001\004\053\060\051\060\047\006\010\053\006
-\001\005\005\007\060\001\206\033\150\164\164\160\072\057\057\157
-\143\163\160\056\163\165\163\143\145\162\164\145\056\147\157\142
-\056\166\145\060\101\006\003\125\035\040\004\072\060\070\060\066
-\006\006\140\206\136\003\001\002\060\054\060\052\006\010\053\006
-\001\005\005\007\002\001\026\036\150\164\164\160\072\057\057\167
-\167\167\056\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145\057\144\160\143\060\015\006\011\052\206\110\206\367\015
-\001\001\013\005\000\003\202\002\001\000\053\131\353\042\231\273
-\204\252\117\336\220\306\321\206\161\043\236\113\003\221\107\160
-\273\300\222\140\354\340\324\347\155\306\323\355\147\203\167\122
-\325\362\345\167\247\066\262\343\124\276\331\273\012\233\021\357
-\141\364\306\231\063\231\365\257\000\071\215\203\277\246\275\065
-\176\054\134\061\064\157\154\333\363\144\001\230\252\224\054\101
-\335\025\206\312\153\051\116\026\300\111\374\327\203\110\023\007
-\121\204\061\122\210\273\206\027\307\153\057\212\040\255\305\013
-\217\160\076\052\273\033\161\217\271\244\240\375\330\225\331\257
-\131\277\045\053\230\351\143\223\057\140\036\304\252\370\167\365
-\213\154\057\355\176\056\265\117\100\015\356\274\127\167\347\331
-\266\324\077\225\047\072\040\325\345\256\253\154\065\237\301\241
-\035\131\334\204\201\356\115\007\342\110\266\236\113\225\055\101
-\261\341\350\336\176\057\005\036\150\356\277\273\220\145\072\310
-\356\352\261\030\067\034\142\223\244\240\061\354\161\154\221\346
-\244\171\211\132\024\247\024\120\005\114\244\000\127\060\054\301
-\265\141\226\334\076\036\204\257\071\102\317\345\320\054\261\044
-\274\337\100\303\355\177\143\112\275\341\117\022\144\206\225\363
-\260\347\310\267\341\123\275\222\346\363\014\226\271\353\350\346
-\222\355\247\201\011\024\013\374\225\172\317\217\326\064\117\066
-\022\334\136\321\064\165\306\106\200\057\225\004\214\307\206\304
-\250\046\211\250\077\031\233\201\273\121\244\112\206\253\013\021
-\017\261\256\143\123\155\050\352\335\063\126\070\034\262\255\200
-\323\327\162\275\232\154\231\143\350\000\273\101\166\005\267\133
-\231\030\212\303\270\022\134\126\317\126\014\175\350\342\317\355
-\274\164\107\373\356\323\027\116\042\117\126\377\120\363\056\346
-\071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
-\242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
-\154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
-\261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
-\142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
-\316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
-\376\206\364\274\340\032\161\263\142\246
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "PSCProcert"
-# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
-# Serial Number: 11 (0xb)
-# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
-# Not Valid Before: Tue Dec 28 16:51:00 2010
-# Not Valid After : Fri Dec 25 23:59:59 2020
-# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
-# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "PSCProcert"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\301\215\164\264\050\201\012\344\375\245\165\327\001\237\231
-\260\075\120\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\346\044\351\022\001\256\014\336\216\205\304\316\243\022\335\354
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
-\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
-\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
-\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
-\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
-\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
-\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
-\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
-\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
-\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
-\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
-\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
-\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
-\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
-\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
-\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\013
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "Swisscom Root CA 2"
 #
@@ -21316,333 +19663,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "WoSign" -# -# Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN -# Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91 -# Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Aug 08 01:00:01 2009 -# Not Valid After : Mon Aug 08 01:00:01 2039 -# Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 -# Fingerprint (SHA1): B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WoSign" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006 -\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006 -\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311 -\305\221 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\166\060\202\003\136\240\003\002\001\002\002\020\136 
-\150\326\021\161\224\143\120\126\000\150\363\076\311\305\221\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\125 -\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060 -\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103 -\101\040\114\151\155\151\164\145\144\061\052\060\050\006\003\125 -\004\003\023\041\103\145\162\164\151\146\151\143\141\164\151\157 -\156\040\101\165\164\150\157\162\151\164\171\040\157\146\040\127 -\157\123\151\147\156\060\036\027\015\060\071\060\070\060\070\060 -\061\060\060\060\061\132\027\015\063\071\060\070\060\070\060\061 -\060\060\060\061\132\060\125\061\013\060\011\006\003\125\004\006 -\023\002\103\116\061\032\060\030\006\003\125\004\012\023\021\127 -\157\123\151\147\156\040\103\101\040\114\151\155\151\164\145\144 -\061\052\060\050\006\003\125\004\003\023\041\103\145\162\164\151 -\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151 -\164\171\040\157\146\040\127\157\123\151\147\156\060\202\002\042 -\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 -\202\002\017\000\060\202\002\012\002\202\002\001\000\275\312\215 -\254\270\221\025\126\227\173\153\134\172\302\336\153\331\241\260 -\303\020\043\372\247\241\262\314\061\372\076\331\246\051\157\026 -\075\340\153\370\270\100\137\333\071\250\000\172\213\240\115\124 -\175\302\042\170\374\216\011\270\250\205\327\314\225\227\113\164 -\330\236\176\360\000\344\016\211\256\111\050\104\032\020\231\062 -\017\045\210\123\244\015\263\017\022\010\026\013\003\161\047\034 -\177\341\333\322\375\147\150\304\005\135\012\016\135\160\327\330 -\227\240\274\123\101\232\221\215\364\236\066\146\172\176\126\301 -\220\137\346\261\150\040\066\244\214\044\054\054\107\013\131\166 -\146\060\265\276\336\355\217\370\235\323\273\001\060\346\362\363 -\016\340\054\222\200\363\205\371\050\212\264\124\056\232\355\367 -\166\374\025\150\026\353\112\154\353\056\022\217\324\317\376\014 -\307\134\035\013\176\005\062\276\136\260\011\052\102\325\311\116 
-\220\263\131\015\273\172\176\315\325\010\132\264\177\330\034\151 -\021\371\047\017\173\006\257\124\203\030\173\341\335\124\172\121 -\150\156\167\374\306\277\122\112\146\106\241\262\147\032\273\243 -\117\167\240\276\135\377\374\126\013\103\162\167\220\312\236\371 -\362\071\365\015\251\364\352\327\347\263\020\057\060\102\067\041 -\314\060\160\311\206\230\017\314\130\115\203\273\175\345\032\245 -\067\215\266\254\062\227\000\072\143\161\044\036\236\067\304\377 -\164\324\067\300\342\376\210\106\140\021\335\010\077\120\066\253 -\270\172\244\225\142\152\156\260\312\152\041\132\151\363\363\373 -\035\160\071\225\363\247\156\246\201\211\241\210\305\073\161\312 -\243\122\356\203\273\375\240\167\364\344\157\347\102\333\155\112 -\231\212\064\110\274\027\334\344\200\010\042\266\362\061\300\077 -\004\076\353\237\040\171\326\270\006\144\144\002\061\327\251\315 -\122\373\204\105\151\011\000\052\334\125\213\304\006\106\113\300 -\112\035\011\133\071\050\375\251\253\316\000\371\056\110\113\046 -\346\060\114\245\130\312\264\104\202\117\347\221\036\063\303\260 -\223\377\021\374\201\322\312\037\161\051\335\166\117\222\045\257 -\035\201\267\017\057\214\303\006\314\057\047\243\112\344\016\231 -\272\174\036\105\037\177\252\031\105\226\375\374\075\002\003\001 -\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377 -\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377 -\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 -\004\024\341\146\317\016\321\361\263\113\267\006\040\024\376\207 -\022\325\366\376\373\076\060\015\006\011\052\206\110\206\367\015 -\001\001\005\005\000\003\202\002\001\000\250\313\162\100\262\166 -\301\176\173\374\255\144\343\062\173\314\074\266\135\106\323\365 -\054\342\160\135\310\056\330\006\175\230\321\013\041\240\211\131 -\044\001\235\371\257\011\175\012\043\202\064\325\374\174\162\231 -\271\243\327\124\364\352\122\160\016\305\365\326\073\341\072\011 -\062\346\041\071\223\275\263\025\352\117\152\364\365\213\077\057 
-\174\215\130\056\305\341\071\240\076\307\075\112\163\236\100\172 -\300\053\141\251\147\311\363\044\271\263\155\125\054\132\035\236 -\045\162\316\013\255\252\307\125\142\013\276\373\143\263\141\104 -\043\243\313\341\032\016\367\232\006\115\336\324\043\116\041\226 -\133\071\133\127\035\057\135\010\136\011\171\377\174\227\265\115 -\203\256\015\326\346\243\171\340\063\320\231\226\002\060\247\076 -\377\322\243\103\077\005\132\006\352\104\002\332\174\370\110\320 -\063\251\371\007\307\225\341\365\076\365\135\161\272\362\225\251 -\164\210\141\131\343\277\312\132\023\272\162\264\214\135\066\207 -\351\246\305\074\023\277\336\320\104\046\356\267\354\056\160\372 -\327\235\267\254\345\305\100\132\346\327\154\173\054\303\126\233 -\107\315\013\316\372\033\264\041\327\267\146\270\364\045\060\213 -\134\015\271\352\147\262\364\155\256\325\241\236\117\330\237\351 -\047\002\260\035\006\326\217\343\373\110\022\237\177\021\241\020 -\076\114\121\072\226\260\321\023\361\307\330\046\256\072\312\221 -\304\151\235\337\001\051\144\121\157\150\332\024\354\010\101\227 -\220\215\320\262\200\362\317\302\075\277\221\150\305\200\147\036 -\304\140\023\125\325\141\231\127\174\272\225\017\141\111\072\312 -\165\274\311\012\223\077\147\016\022\362\050\342\061\033\300\127 -\026\337\010\174\031\301\176\017\037\205\036\012\066\174\133\176 -\047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221 -\103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244 -\063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045 -\072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110 -\246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246 -\376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223 -\171\356\104\206\276\327\036\344\036\373 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "WoSign" -# Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN -# Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91 -# Subject: CN=Certification 
Authority of WoSign,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Aug 08 01:00:01 2009 -# Not Valid After : Mon Aug 08 01:00:01 2039 -# Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 -# Fingerprint (SHA1): B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WoSign" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\271\102\224\277\221\352\217\266\113\346\020\227\307\373\000\023 -\131\266\166\313 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\241\362\371\265\322\310\172\164\270\363\005\361\327\341\204\215 -END -CKA_ISSUER MULTILINE_OCTAL -\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006 -\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311 -\305\221 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "WoSign China" -# -# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN -# Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d -# Subject: CN=CA ...............,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Aug 08 01:00:01 2009 -# Not Valid After : Mon Aug 08 01:00:01 2039 -# Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 -# Fingerprint (SHA1): 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6 -CKA_CLASS 
CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WoSign China" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006 -\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346 -\240\271\350\257\201\344\271\246 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006 -\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346 -\240\271\350\257\201\344\271\246 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021 -\110\215 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\130\060\202\003\100\240\003\002\001\002\002\020\120 -\160\153\315\330\023\374\033\116\073\063\162\322\021\110\215\060 -\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\106 -\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060 -\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103 -\101\040\114\151\155\151\164\145\144\061\033\060\031\006\003\125 -\004\003\014\022\103\101\040\346\262\203\351\200\232\346\240\271 -\350\257\201\344\271\246\060\036\027\015\060\071\060\070\060\070 -\060\061\060\060\060\061\132\027\015\063\071\060\070\060\070\060 -\061\060\060\060\061\132\060\106\061\013\060\011\006\003\125\004 -\006\023\002\103\116\061\032\060\030\006\003\125\004\012\023\021 -\127\157\123\151\147\156\040\103\101\040\114\151\155\151\164\145 -\144\061\033\060\031\006\003\125\004\003\014\022\103\101\040\346 -\262\203\351\200\232\346\240\271\350\257\201\344\271\246\060\202 
-\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005 -\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\320 -\111\041\036\045\374\207\301\052\302\254\333\166\206\006\116\347 -\320\164\064\334\355\145\065\374\120\326\210\077\244\360\177\353 -\017\137\171\057\211\261\375\274\143\130\067\223\233\070\370\267 -\133\251\372\330\161\307\264\274\200\227\215\154\113\361\120\325 -\052\051\252\250\031\172\226\346\225\216\164\355\227\012\127\165 -\364\005\333\155\013\071\271\001\177\252\366\326\332\154\346\005 -\340\244\115\122\374\333\320\164\267\021\214\173\215\117\377\207 -\203\256\377\005\003\023\127\120\067\376\214\226\122\020\114\137 -\277\224\161\151\331\226\076\014\103\117\276\060\300\237\071\164 -\117\006\105\135\243\326\126\071\150\007\314\207\117\120\167\223 -\161\331\104\010\261\212\064\351\211\254\333\233\116\341\331\344 -\122\105\214\056\024\037\221\153\031\035\150\051\054\126\304\342 -\036\023\127\144\360\141\343\271\021\337\260\341\127\240\033\255 -\327\137\321\257\333\053\055\077\320\150\216\017\352\237\017\213 -\065\130\033\023\034\364\336\065\241\012\135\326\352\337\022\157 -\300\373\151\007\106\162\334\201\366\004\043\027\340\115\165\341 -\162\157\260\050\353\233\341\341\203\241\237\112\135\257\314\233 -\372\002\040\266\030\142\167\221\073\243\325\145\255\334\174\220 -\167\034\104\101\244\112\213\353\225\162\351\366\011\144\334\250 -\055\237\164\170\350\301\242\011\143\234\357\240\333\117\235\225 -\253\040\117\267\260\367\207\134\246\240\344\067\070\307\134\343 -\065\017\054\255\243\200\242\354\056\135\300\317\355\213\005\302 -\346\163\156\366\211\325\365\322\106\216\352\155\143\033\036\212 -\311\175\246\370\234\353\345\325\143\205\115\163\146\151\021\376 -\310\016\364\301\307\146\111\123\176\344\031\153\361\351\172\131 -\243\155\176\305\027\346\047\306\357\033\333\157\374\015\115\006 -\001\264\016\134\060\106\125\140\257\070\145\072\312\107\272\254 -\054\314\106\037\262\106\226\077\363\355\046\005\356\167\241\152 
-\153\176\055\155\130\134\112\324\216\147\270\361\332\325\106\212 -\047\371\021\362\311\102\376\116\336\337\037\134\304\244\206\207 -\026\063\241\247\027\030\245\015\344\005\345\053\302\053\013\242 -\225\220\271\375\140\074\116\211\076\347\234\356\037\273\001\002 -\003\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001 -\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001 -\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016 -\004\026\004\024\340\115\277\334\233\101\135\023\350\144\360\247 -\351\025\244\341\201\301\272\061\060\015\006\011\052\206\110\206 -\367\015\001\001\013\005\000\003\202\002\001\000\152\212\160\070 -\131\266\332\213\030\310\276\052\323\266\031\325\146\051\172\135 -\315\133\057\163\034\046\116\243\175\157\253\267\051\115\246\351 -\245\021\203\247\071\163\257\020\104\222\346\045\135\117\141\372 -\310\006\276\116\113\357\376\363\061\376\306\174\160\012\101\130 -\332\350\231\113\226\311\170\274\230\174\002\051\355\011\200\346 -\012\072\202\002\052\342\311\057\310\126\031\046\356\170\034\043 -\375\367\223\145\116\347\363\230\230\257\315\335\331\236\100\210 -\061\050\072\253\056\013\260\254\014\044\372\172\046\230\363\022 -\141\020\364\135\027\367\176\342\170\227\124\342\214\350\051\272 -\214\020\062\275\335\063\153\070\206\176\071\075\016\003\162\247 -\135\171\217\105\212\131\256\133\041\156\061\106\325\131\215\317 -\025\137\335\061\045\317\333\140\326\201\104\162\051\002\127\366 -\226\324\326\377\352\051\333\071\305\270\054\212\032\215\316\313 -\347\102\061\206\005\150\016\236\024\335\000\220\272\151\105\010 -\333\156\220\201\206\247\052\005\077\346\204\071\370\267\371\127 -\137\114\244\171\132\020\014\136\325\153\377\065\137\005\121\036 -\154\243\165\251\317\120\203\323\174\364\146\367\202\215\075\014 -\175\350\337\173\250\016\033\054\234\256\100\160\207\332\355\247 -\026\202\132\276\065\154\040\116\042\141\331\274\121\172\315\172 -\141\334\113\021\371\376\147\064\317\056\004\146\141\134\127\227 
-\043\214\363\206\033\110\337\052\257\247\301\377\330\216\076\003 -\273\330\052\260\372\024\045\262\121\153\206\103\205\056\007\043 -\026\200\215\114\373\264\143\073\314\303\164\355\033\243\036\376 -\065\017\137\174\035\026\206\365\016\303\225\361\057\257\135\045 -\073\121\346\327\166\101\070\321\113\003\071\050\245\036\221\162 -\324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215 -\034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336 -\211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117 -\302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010 -\364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165 -\330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327 -\234\313\051\213\070\112\013\016\220\215\272\241 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "WoSign China" -# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN -# Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d -# Subject: CN=CA ...............,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Aug 08 01:00:01 2009 -# Not Valid After : Mon Aug 08 01:00:01 2039 -# Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 -# Fingerprint (SHA1): 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WoSign China" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\026\062\107\215\211\371\041\072\222\000\205\143\365\244\247\323 -\022\100\212\326 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\170\203\133\122\026\166\304\044\073\203\170\350\254\332\232\223 -END -CKA_ISSUER MULTILINE_OCTAL -\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006 
-\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346
-\240\271\350\257\201\344\271\246
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
-\110\215
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "COMODO RSA Certification Authority"
 #
@@ -24429,249 +22449,7 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certification Authority of WoSign G2" -# -# Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN -# Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44 -# Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Nov 08 00:58:58 2014 -# Not Valid After : Tue Nov 08 00:58:58 2044 -# Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 -# Fingerprint (SHA1): FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certification Authority of WoSign G2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006 -\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156\040\107\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006 -\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141 -\105\104 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\174\060\202\002\144\240\003\002\001\002\002\020\153 
-\045\332\212\210\235\174\274\017\005\263\261\172\141\105\104\060 -\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\130 -\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060 -\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103 -\101\040\114\151\155\151\164\145\144\061\055\060\053\006\003\125 -\004\003\023\044\103\145\162\164\151\146\151\143\141\164\151\157 -\156\040\101\165\164\150\157\162\151\164\171\040\157\146\040\127 -\157\123\151\147\156\040\107\062\060\036\027\015\061\064\061\061 -\060\070\060\060\065\070\065\070\132\027\015\064\064\061\061\060 -\070\060\060\065\070\065\070\132\060\130\061\013\060\011\006\003 -\125\004\006\023\002\103\116\061\032\060\030\006\003\125\004\012 -\023\021\127\157\123\151\147\156\040\103\101\040\114\151\155\151 -\164\145\144\061\055\060\053\006\003\125\004\003\023\044\103\145 -\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150 -\157\162\151\164\171\040\157\146\040\127\157\123\151\147\156\040 -\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367\015 -\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202 -\001\001\000\276\305\304\240\042\200\111\117\277\331\207\021\306 -\123\341\273\017\275\140\177\257\366\202\016\037\334\260\216\075 -\227\340\120\074\217\072\357\146\073\105\007\233\040\370\343\327 -\045\206\065\220\026\242\135\157\060\031\010\207\013\177\006\262 -\235\142\217\336\257\222\245\140\324\053\200\232\122\077\365\232 -\203\351\064\132\313\331\325\142\134\346\016\340\337\006\230\016 -\200\174\312\264\035\023\210\153\016\250\044\167\003\320\356\133 -\363\312\151\221\065\071\126\305\155\343\367\075\117\136\223\070 -\044\312\030\351\044\313\222\003\335\314\034\075\011\160\344\040 -\344\361\256\254\273\163\151\243\143\072\017\105\017\241\112\232 -\302\321\143\254\313\020\370\075\346\116\050\267\353\304\225\261 -\254\375\136\253\372\101\313\135\235\113\334\364\174\166\357\147 -\177\000\172\215\322\240\032\134\115\042\341\265\332\335\166\263 
-\324\166\337\136\270\213\230\310\024\124\314\153\027\222\267\340 -\112\277\111\224\141\013\070\220\217\135\044\154\045\173\073\171 -\331\342\176\235\255\237\230\241\006\374\170\024\140\127\370\356 -\200\167\261\002\003\001\000\001\243\102\060\100\060\016\006\003 -\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003 -\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006 -\003\125\035\016\004\026\004\024\372\140\251\353\145\305\335\026 -\024\010\116\014\017\215\233\340\367\144\257\147\060\015\006\011 -\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001\000 -\127\303\172\066\202\234\215\230\342\253\100\252\107\217\307\247 -\133\355\174\347\075\146\132\073\061\273\337\363\026\063\221\374 -\174\173\245\302\246\146\343\252\260\267\047\230\077\111\327\140 -\147\147\077\066\117\112\313\361\024\372\132\207\050\034\355\217 -\101\062\306\225\371\175\332\275\173\133\302\260\041\343\217\106 -\334\041\070\103\164\114\373\060\370\027\162\301\062\374\310\221 -\027\304\314\130\067\116\013\314\132\367\041\065\050\203\154\140 -\055\104\353\122\214\120\075\265\154\022\327\372\011\273\154\262 -\112\261\305\211\344\374\323\122\330\141\027\376\172\224\204\217 -\171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310 -\237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340 -\054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060 -\132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102 -\111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273 -\135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340 -\217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "Certification Authority of WoSign G2" -# Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN -# Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44 -# Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Nov 
08 00:58:58 2014 -# Not Valid After : Tue Nov 08 00:58:58 2044 -# Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 -# Fingerprint (SHA1): FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certification Authority of WoSign G2" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\373\355\334\220\145\267\047\040\067\274\125\014\234\126\336\273 -\362\170\224\341 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\310\034\175\031\252\313\161\223\362\120\370\122\250\036\272\140 -END -CKA_ISSUER MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006 -\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164 -\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146 -\040\127\157\123\151\147\156\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141 -\105\104 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "CA WoSign ECC Root" -# -# Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN -# Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90 -# Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Nov 08 00:58:58 2014 -# Not Valid After : Tue Nov 08 00:58:58 2044 -# Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 -# Fingerprint (SHA1): D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B -CKA_CLASS CK_OBJECT_CLASS 
CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CA WoSign ECC Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006 -\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040 -\105\103\103\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156 -\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006 -\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040 -\105\103\103\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260 -\220\220 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\002\011\060\202\001\217\240\003\002\001\002\002\020\150 -\112\130\160\200\153\360\217\002\372\366\336\350\260\220\220\060 -\012\006\010\052\206\110\316\075\004\003\003\060\106\061\013\060 -\011\006\003\125\004\006\023\002\103\116\061\032\060\030\006\003 -\125\004\012\023\021\127\157\123\151\147\156\040\103\101\040\114 -\151\155\151\164\145\144\061\033\060\031\006\003\125\004\003\023 -\022\103\101\040\127\157\123\151\147\156\040\105\103\103\040\122 -\157\157\164\060\036\027\015\061\064\061\061\060\070\060\060\065 -\070\065\070\132\027\015\064\064\061\061\060\070\060\060\065\070 -\065\070\132\060\106\061\013\060\011\006\003\125\004\006\023\002 -\103\116\061\032\060\030\006\003\125\004\012\023\021\127\157\123 -\151\147\156\040\103\101\040\114\151\155\151\164\145\144\061\033 -\060\031\006\003\125\004\003\023\022\103\101\040\127\157\123\151 -\147\156\040\105\103\103\040\122\157\157\164\060\166\060\020\006 
-\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003 -\142\000\004\341\375\216\270\103\044\253\226\173\205\302\272\013 -\255\215\340\072\343\044\271\322\261\276\210\072\312\277\112\270 -\371\357\054\057\257\121\120\074\107\165\154\370\224\267\233\374 -\050\036\305\124\314\143\235\026\113\123\301\347\040\253\315\254 -\045\322\177\217\302\301\132\202\136\060\213\172\124\316\003\265 -\221\177\252\224\320\321\212\110\314\202\005\046\241\325\121\022 -\326\173\066\243\102\060\100\060\016\006\003\125\035\017\001\001 -\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001 -\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 -\026\004\024\252\375\325\132\243\366\207\213\062\205\375\321\062 -\133\200\105\223\363\003\270\060\012\006\010\052\206\110\316\075 -\004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201 -\325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153 -\371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312 -\205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367 -\151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073 -\177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046 -\056\153\361\221\262\220\145\364\232\346\220\356\112 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "CA WoSign ECC Root" -# Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN -# Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90 -# Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN -# Not Valid Before: Sat Nov 08 00:58:58 2014 -# Not Valid After : Tue Nov 08 00:58:58 2044 -# Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 -# Fingerprint (SHA1): D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CA WoSign ECC Root" -CKA_CERT_SHA1_HASH 
MULTILINE_OCTAL
-\322\172\322\276\355\224\300\241\074\307\045\041\352\135\161\276
-\201\031\363\053
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\200\306\123\356\141\202\050\162\360\377\041\271\027\312\262\040
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040
-\105\103\103\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260
-\220\220
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "SZAFIR ROOT CA2"
+# Certificate "SZAFIR ROOT CA2"
 #
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
@@ -27873,3 +25651,1284 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "GDCA TrustAUTH R5 ROOT" +# +# Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN +# Serial Number:7d:09:97:fe:f0:47:ea:7a +# Subject: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN +# Not Valid Before: Wed Nov 26 05:13:15 2014 +# Not Valid After : Mon Dec 31 15:59:59 2040 +# Fingerprint (SHA-256): BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 +# Fingerprint (SHA1): 0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061 +\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040 +\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105 +\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114 +\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104 +\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040 +\122\117\117\124 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061 +\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040 +\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105 +\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114 +\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104 +\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040 +\122\117\117\124 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL 
+\002\010\175\011\227\376\360\107\352\172 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\210\060\202\003\160\240\003\002\001\002\002\010\175 +\011\227\376\360\107\352\172\060\015\006\011\052\206\110\206\367 +\015\001\001\013\005\000\060\142\061\013\060\011\006\003\125\004 +\006\023\002\103\116\061\062\060\060\006\003\125\004\012\014\051 +\107\125\101\116\107\040\104\117\116\107\040\103\105\122\124\111 +\106\111\103\101\124\105\040\101\125\124\110\117\122\111\124\131 +\040\103\117\056\054\114\124\104\056\061\037\060\035\006\003\125 +\004\003\014\026\107\104\103\101\040\124\162\165\163\164\101\125 +\124\110\040\122\065\040\122\117\117\124\060\036\027\015\061\064 +\061\061\062\066\060\065\061\063\061\065\132\027\015\064\060\061 +\062\063\061\061\065\065\071\065\071\132\060\142\061\013\060\011 +\006\003\125\004\006\023\002\103\116\061\062\060\060\006\003\125 +\004\012\014\051\107\125\101\116\107\040\104\117\116\107\040\103 +\105\122\124\111\106\111\103\101\124\105\040\101\125\124\110\117 +\122\111\124\131\040\103\117\056\054\114\124\104\056\061\037\060 +\035\006\003\125\004\003\014\026\107\104\103\101\040\124\162\165 +\163\164\101\125\124\110\040\122\065\040\122\117\117\124\060\202 +\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005 +\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\331 +\243\026\360\310\164\164\167\233\357\063\015\073\006\176\125\374 +\265\140\217\166\206\022\102\175\126\146\076\210\202\355\162\143 +\016\236\213\335\064\054\002\121\121\303\031\375\131\124\204\311 +\361\153\263\114\260\351\350\106\135\070\306\242\247\056\021\127 +\272\202\025\242\234\217\155\260\231\112\012\362\353\211\160\143 +\116\171\304\267\133\275\242\135\261\362\101\002\053\255\251\072 +\243\354\171\012\354\137\072\343\375\357\200\074\255\064\233\032 +\253\210\046\173\126\242\202\206\037\353\065\211\203\177\137\256 +\051\116\075\266\156\354\256\301\360\047\233\256\343\364\354\357 +\256\177\367\206\075\162\172\353\245\373\131\116\247\353\225\214 
+\042\071\171\341\055\010\217\314\274\221\270\101\367\024\301\043 +\251\303\255\232\105\104\263\262\327\054\315\306\051\342\120\020 +\256\134\313\202\216\027\030\066\175\227\346\210\232\260\115\064 +\011\364\054\271\132\146\052\260\027\233\236\036\166\235\112\146 +\061\101\337\077\373\305\006\357\033\266\176\032\106\066\367\144 +\143\073\343\071\030\043\347\147\165\024\325\165\127\222\067\275 +\276\152\033\046\120\362\066\046\006\220\305\160\001\144\155\166 +\146\341\221\333\156\007\300\141\200\056\262\056\057\214\160\247 +\321\073\074\263\221\344\156\266\304\073\160\362\154\222\227\011 +\315\107\175\030\300\363\273\236\017\326\213\256\007\266\132\017 +\316\013\014\107\247\345\076\270\275\175\307\233\065\240\141\227 +\072\101\165\027\314\053\226\167\052\222\041\036\331\225\166\040 +\147\150\317\015\275\337\326\037\011\152\232\342\314\163\161\244 +\057\175\022\200\267\123\060\106\136\113\124\231\017\147\311\245 +\310\362\040\301\202\354\235\021\337\302\002\373\032\073\321\355 +\040\232\357\145\144\222\020\015\052\342\336\160\361\030\147\202 +\214\141\336\270\274\321\057\234\373\017\320\053\355\033\166\271 +\344\071\125\370\370\241\035\270\252\200\000\114\202\347\262\177 +\011\270\274\060\240\057\015\365\122\236\216\367\222\263\012\000 +\035\000\124\227\006\340\261\007\331\307\017\134\145\175\074\155 +\131\127\344\355\245\215\351\100\123\237\025\113\240\161\366\032 +\041\343\332\160\006\041\130\024\207\205\167\171\252\202\171\002 +\003\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004 +\026\004\024\342\311\100\237\115\316\350\232\241\174\317\016\077 +\145\305\051\210\152\031\121\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001 +\001\377\004\004\003\002\001\206\060\015\006\011\052\206\110\206 +\367\015\001\001\013\005\000\003\202\002\001\000\321\111\127\340 +\247\314\150\130\272\001\017\053\031\315\215\260\141\105\254\021 +\355\143\120\151\370\037\177\276\026\217\375\235\353\013\252\062 
+\107\166\322\147\044\355\275\174\063\062\227\052\307\005\206\146 +\015\027\175\024\025\033\324\353\375\037\232\366\136\227\151\267 +\032\045\244\012\263\221\077\137\066\254\213\354\127\250\076\347 +\201\212\030\127\071\205\164\032\102\307\351\133\023\137\217\371 +\010\351\222\164\215\365\107\322\253\073\326\373\170\146\116\066 +\175\371\351\222\351\004\336\375\111\143\374\155\373\024\161\223 +\147\057\107\112\267\271\377\036\052\163\160\106\060\277\132\362 +\057\171\245\341\215\014\331\371\262\143\067\214\067\145\205\160 +\152\134\133\011\162\271\255\143\074\261\335\370\374\062\277\067 +\206\344\273\216\230\047\176\272\037\026\341\160\021\362\003\337 +\045\142\062\047\046\030\062\204\237\377\000\072\023\272\232\115 +\364\117\270\024\160\042\261\312\053\220\316\051\301\160\364\057 +\235\177\362\220\036\326\132\337\267\106\374\346\206\372\313\340 +\040\166\172\272\246\313\365\174\336\142\245\261\213\356\336\202 +\146\212\116\072\060\037\077\200\313\255\047\272\014\136\327\320 +\261\126\312\167\161\262\265\165\241\120\251\100\103\027\302\050 +\331\317\122\213\133\310\143\324\102\076\240\063\172\106\056\367 +\012\040\106\124\176\152\117\061\361\201\176\102\164\070\145\163 +\047\356\306\174\270\216\327\245\072\327\230\241\234\214\020\125 +\323\333\113\354\100\220\362\315\156\127\322\142\016\174\127\223 +\261\247\155\315\235\203\273\052\347\345\266\073\161\130\255\375 +\321\105\274\132\221\356\123\025\157\323\105\011\165\156\272\220 +\135\036\004\317\067\337\036\250\146\261\214\346\040\152\357\374 +\110\116\164\230\102\257\051\157\056\152\307\373\175\321\146\061 +\042\314\206\000\176\146\203\014\102\364\275\064\222\303\032\352 +\117\312\176\162\115\013\160\214\246\110\273\246\241\024\366\373 +\130\104\231\024\256\252\013\223\151\240\051\045\112\245\313\053 +\335\212\146\007\026\170\025\127\161\033\354\365\107\204\363\236 +\061\067\172\325\177\044\255\344\274\375\375\314\156\203\350\014 +\250\267\101\154\007\335\275\074\206\227\057\322 +END +CKA_NSS_MOZILLA_CA_POLICY 
CK_BBOOL CK_TRUE + +# Trust for "GDCA TrustAUTH R5 ROOT" +# Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN +# Serial Number:7d:09:97:fe:f0:47:ea:7a +# Subject: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN +# Not Valid Before: Wed Nov 26 05:13:15 2014 +# Not Valid After : Mon Dec 31 15:59:59 2040 +# Fingerprint (SHA-256): BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 +# Fingerprint (SHA1): 0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\017\066\070\133\201\032\045\303\233\061\116\203\312\351\064\146 +\160\314\164\264 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\143\314\331\075\064\065\134\157\123\243\342\010\160\110\037\264 +END +CKA_ISSUER MULTILINE_OCTAL +\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061 +\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040 +\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105 +\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114 +\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104 +\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040 +\122\117\117\124 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\175\011\227\376\360\107\352\172 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "TrustCor RootCert CA-1" +# +# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:00:da:9b:ec:71:f3:03:b0:19 +# Subject: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:16 2016 +# Not Valid After : Mon Dec 31 17:23:16 2029 +# Fingerprint (SHA-256): D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C +# Fingerprint (SHA1): FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor RootCert CA-1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\332\233\354\161\363\003\260\031 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\004\060\060\202\003\030\240\003\002\001\002\002\011\000 +\332\233\354\161\363\003\260\031\060\015\006\011\052\206\110\206 +\367\015\001\001\013\005\000\060\201\244\061\013\060\011\006\003 +\125\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010 +\014\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004 +\007\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044 +\060\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157 +\162\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040 +\122\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124 +\162\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143 +\141\164\145\040\101\165\164\150\157\162\151\164\171\061\037\060 +\035\006\003\125\004\003\014\026\124\162\165\163\164\103\157\162 +\040\122\157\157\164\103\145\162\164\040\103\101\055\061\060\036 +\027\015\061\066\060\062\060\064\061\062\063\062\061\066\132\027 +\015\062\071\061\062\063\061\061\067\062\063\061\066\132\060\201 +\244\061\013\060\011\006\003\125\004\006\023\002\120\101\061\017 +\060\015\006\003\125\004\010\014\006\120\141\156\141\155\141\061 +\024\060\022\006\003\125\004\007\014\013\120\141\156\141\155\141 +\040\103\151\164\171\061\044\060\042\006\003\125\004\012\014\033 +\124\162\165\163\164\103\157\162\040\123\171\163\164\145\155\163 +\040\123\056\040\144\145\040\122\056\114\056\061\047\060\045\006 +\003\125\004\013\014\036\124\162\165\163\164\103\157\162\040\103 +\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157 +\162\151\164\171\061\037\060\035\006\003\125\004\003\014\026\124 +\162\165\163\164\103\157\162\040\122\157\157\164\103\145\162\164 
+\040\103\101\055\061\060\202\001\042\060\015\006\011\052\206\110 +\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001 +\012\002\202\001\001\000\277\216\267\225\342\302\046\022\153\063 +\031\307\100\130\012\253\131\252\215\000\243\374\200\307\120\173 +\216\324\040\046\272\062\022\330\043\124\111\045\020\042\230\235 +\106\322\301\311\236\116\033\056\054\016\070\363\032\045\150\034 +\246\132\005\346\036\213\110\277\230\226\164\076\151\312\351\265 +\170\245\006\274\325\000\136\011\012\362\047\172\122\374\055\325 +\261\352\264\211\141\044\363\032\023\333\251\317\122\355\014\044 +\272\271\236\354\176\000\164\372\223\255\154\051\222\256\121\264 +\273\323\127\277\263\363\250\215\234\364\044\113\052\326\231\236 +\364\236\376\300\176\102\072\347\013\225\123\332\267\150\016\220 +\114\373\160\077\217\112\054\224\363\046\335\143\151\251\224\330 +\020\116\305\107\010\220\231\033\027\115\271\154\156\357\140\225 +\021\216\041\200\265\275\240\163\330\320\262\167\304\105\352\132 +\046\373\146\166\166\370\006\037\141\155\017\125\305\203\267\020 +\126\162\006\007\245\363\261\032\003\005\144\016\235\132\212\326 +\206\160\033\044\336\376\050\212\053\320\152\260\374\172\242\334 +\262\171\016\213\145\017\002\003\001\000\001\243\143\060\141\060 +\035\006\003\125\035\016\004\026\004\024\356\153\111\074\172\077 +\015\343\261\011\267\212\310\253\031\237\163\063\120\347\060\037 +\006\003\125\035\043\004\030\060\026\200\024\356\153\111\074\172 +\077\015\343\261\011\267\212\310\253\031\237\163\063\120\347\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206 +\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003 +\202\001\001\000\045\030\324\221\217\023\356\217\036\035\021\123 +\332\055\104\051\031\240\036\153\061\236\115\016\236\255\075\134 +\101\157\225\053\044\241\171\230\072\070\066\373\273\146\236\110 +\377\220\220\357\075\324\270\233\264\207\165\077\040\233\316\162 
+\317\241\125\301\115\144\242\031\006\241\007\063\014\013\051\345 +\361\352\253\243\354\265\012\164\220\307\175\162\362\327\134\237 +\221\357\221\213\267\334\355\146\242\317\216\146\073\274\237\072 +\002\340\047\335\026\230\300\225\324\012\244\344\201\232\165\224 +\065\234\220\137\210\067\006\255\131\225\012\260\321\147\323\031 +\312\211\347\062\132\066\034\076\202\250\132\223\276\306\320\144 +\221\266\317\331\266\030\317\333\176\322\145\243\246\304\216\027 +\061\301\373\176\166\333\323\205\343\130\262\167\172\166\073\154 +\057\120\034\347\333\366\147\171\037\365\202\225\232\007\247\024 +\257\217\334\050\041\147\011\322\326\115\132\034\031\034\216\167 +\134\303\224\044\075\062\153\113\176\324\170\224\203\276\067\115 +\316\137\307\036\116\074\340\211\063\225\013\017\245\062\326\074 +\132\171\054\031 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "TrustCor RootCert CA-1" +# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:00:da:9b:ec:71:f3:03:b0:19 +# Subject: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:16 2016 +# Not Valid After : Mon Dec 31 17:23:16 2029 +# Fingerprint (SHA-256): D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C +# Fingerprint (SHA1): FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor RootCert CA-1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\377\275\315\347\202\310\103\136\074\157\046\206\134\312\250\072 +\105\133\303\012 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\156\205\361\334\032\000\323\042\325\262\262\254\153\067\005\105 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\332\233\354\161\363\003\260\031 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "TrustCor RootCert CA-2" +# +# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:25:a1:df:ca:33:cb:59:02 +# Subject: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:23 2016 +# Not Valid After : Sun Dec 31 17:26:39 2034 +# Fingerprint (SHA-256): 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 +# Fingerprint (SHA1): B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor RootCert CA-2" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\045\241\337\312\063\313\131\002 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\006\057\060\202\004\027\240\003\002\001\002\002\010\045 +\241\337\312\063\313\131\002\060\015\006\011\052\206\110\206\367 +\015\001\001\013\005\000\060\201\244\061\013\060\011\006\003\125 +\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010\014 +\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004\007 +\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044\060 +\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157\162 +\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040\122 +\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124\162 +\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143\141 +\164\145\040\101\165\164\150\157\162\151\164\171\061\037\060\035 +\006\003\125\004\003\014\026\124\162\165\163\164\103\157\162\040 +\122\157\157\164\103\145\162\164\040\103\101\055\062\060\036\027 +\015\061\066\060\062\060\064\061\062\063\062\062\063\132\027\015 +\063\064\061\062\063\061\061\067\062\066\063\071\132\060\201\244 +\061\013\060\011\006\003\125\004\006\023\002\120\101\061\017\060 +\015\006\003\125\004\010\014\006\120\141\156\141\155\141\061\024 +\060\022\006\003\125\004\007\014\013\120\141\156\141\155\141\040 +\103\151\164\171\061\044\060\042\006\003\125\004\012\014\033\124 +\162\165\163\164\103\157\162\040\123\171\163\164\145\155\163\040 +\123\056\040\144\145\040\122\056\114\056\061\047\060\045\006\003 +\125\004\013\014\036\124\162\165\163\164\103\157\162\040\103\145 +\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162 +\151\164\171\061\037\060\035\006\003\125\004\003\014\026\124\162 +\165\163\164\103\157\162\040\122\157\157\164\103\145\162\164\040 
+\103\101\055\062\060\202\002\042\060\015\006\011\052\206\110\206 +\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012 +\002\202\002\001\000\247\040\156\302\052\242\142\044\225\220\166 +\310\070\176\200\322\253\301\233\145\005\224\364\301\012\020\325 +\002\254\355\237\223\307\207\310\260\047\053\102\014\075\012\076 +\101\132\236\165\335\215\312\340\233\354\150\062\244\151\222\150 +\214\013\201\016\126\240\076\032\335\054\045\024\202\057\227\323 +\144\106\364\124\251\334\072\124\055\061\053\231\202\362\331\052 +\327\357\161\000\270\061\244\276\172\044\007\303\102\040\362\212 +\324\222\004\033\145\126\114\154\324\373\266\141\132\107\043\264 +\330\151\264\267\072\320\164\074\014\165\241\214\116\166\241\351 +\333\052\245\073\372\316\260\377\176\152\050\375\047\034\310\261 +\351\051\361\127\156\144\264\320\301\025\155\016\276\056\016\106 +\310\136\364\121\376\357\016\143\072\073\161\272\317\157\131\312 +\014\343\233\135\111\270\114\342\127\261\230\212\102\127\234\166 +\357\357\275\321\150\250\322\364\011\273\167\065\276\045\202\010 +\304\026\054\104\040\126\251\104\021\167\357\135\264\035\252\136 +\153\076\213\062\366\007\057\127\004\222\312\365\376\235\302\351 +\350\263\216\114\113\002\061\331\344\074\110\202\047\367\030\202 +\166\110\072\161\261\023\241\071\325\056\305\064\302\035\142\205 +\337\003\376\115\364\257\075\337\134\133\215\372\160\341\245\176 +\047\307\206\056\152\217\022\306\204\136\103\121\120\234\031\233 +\170\346\374\366\355\107\176\173\075\146\357\023\023\210\137\074 +\241\143\373\371\254\207\065\237\363\202\236\244\077\012\234\061 +\151\213\231\244\210\112\216\156\146\115\357\026\304\017\171\050 +\041\140\015\205\026\175\327\124\070\361\222\126\375\265\063\114 +\203\334\327\020\237\113\375\306\370\102\275\272\174\163\002\340 +\377\175\315\133\341\324\254\141\173\127\325\112\173\133\324\205 +\130\047\135\277\370\053\140\254\240\046\256\024\041\047\306\167 +\232\063\200\074\136\106\077\367\303\261\243\206\063\306\350\136 
+\015\271\065\054\252\106\301\205\002\165\200\240\353\044\373\025 +\252\344\147\177\156\167\077\364\004\212\057\174\173\343\027\141 +\360\335\011\251\040\310\276\011\244\320\176\104\303\262\060\112 +\070\252\251\354\030\232\007\202\053\333\270\234\030\255\332\340 +\106\027\254\317\135\002\003\001\000\001\243\143\060\141\060\035 +\006\003\125\035\016\004\026\004\024\331\376\041\100\156\224\236 +\274\233\075\234\175\230\040\031\345\214\060\142\262\060\037\006 +\003\125\035\043\004\030\060\026\200\024\331\376\041\100\156\224 +\236\274\233\075\234\175\230\040\031\345\214\060\142\262\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060 +\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202 +\002\001\000\236\105\236\014\073\266\357\341\072\310\174\321\000 +\075\317\342\352\006\265\262\072\273\006\113\150\172\320\043\227 +\164\247\054\360\010\330\171\132\327\132\204\212\330\022\232\033 +\331\175\134\115\160\305\245\371\253\345\243\211\211\335\001\372 +\354\335\371\351\222\227\333\260\106\102\363\323\142\252\225\376 +\061\147\024\151\130\220\012\252\013\356\067\043\307\120\121\264 +\365\176\236\343\173\367\344\314\102\062\055\111\014\313\377\111 +\014\233\036\064\375\156\156\226\212\171\003\266\157\333\011\313 +\375\137\145\024\067\341\070\365\363\141\026\130\344\265\155\015 +\013\004\033\077\120\055\177\263\307\172\032\026\200\140\370\212 +\037\351\033\052\306\371\272\001\032\151\277\322\130\307\124\127 +\010\217\341\071\140\167\113\254\131\204\032\210\361\335\313\117 +\170\327\347\341\063\055\374\356\101\372\040\260\276\313\367\070 +\224\300\341\320\205\017\273\355\054\163\253\355\376\222\166\032 +\144\177\133\015\063\011\007\063\173\006\077\021\244\134\160\074 +\205\300\317\343\220\250\203\167\372\333\346\305\214\150\147\020 +\147\245\122\055\360\304\231\217\177\277\321\153\342\265\107\326 +\331\320\205\231\115\224\233\017\113\215\356\000\132\107\035\021 
+\003\254\101\030\257\207\267\157\014\072\217\312\317\334\003\301 +\242\011\310\345\375\200\136\310\140\102\001\033\032\123\132\273 +\067\246\267\274\272\204\351\036\154\032\324\144\332\324\103\376 +\223\213\113\362\054\171\026\020\324\223\013\210\217\241\330\206 +\024\106\221\107\233\050\044\357\127\122\116\134\102\234\252\367 +\111\354\047\350\100\036\263\246\211\042\162\234\365\015\063\264 +\130\243\060\073\335\324\152\124\223\276\032\115\363\223\224\367 +\374\204\013\077\204\040\134\064\003\104\305\332\255\274\012\301 +\002\317\036\345\224\331\363\216\133\330\114\360\235\354\141\027 +\273\024\062\124\014\002\051\223\036\222\206\366\177\357\347\222 +\005\016\131\335\231\010\056\056\372\234\000\122\323\305\146\051 +\344\247\227\104\244\016\050\201\023\065\305\366\157\144\346\101 +\304\325\057\314\064\105\045\317\101\000\226\075\112\056\302\226 +\230\117\116\112\234\227\267\333\037\222\062\310\377\017\121\156 +\326\354\011 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "TrustCor RootCert CA-2" +# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:25:a1:df:ca:33:cb:59:02 +# Subject: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:23 2016 +# Not Valid After : Sun Dec 31 17:26:39 2034 +# Fingerprint (SHA-256): 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 +# Fingerprint (SHA1): B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor RootCert CA-2" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\270\276\155\313\126\361\125\271\143\324\022\312\116\006\064\307 +\224\262\034\300 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\242\341\370\030\013\272\105\325\307\101\052\273\067\122\105\144 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014 +\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145 +\162\164\040\103\101\055\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\045\241\337\312\063\313\131\002 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "TrustCor ECA-1" +# +# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:00:84:82:2c:5f:1c:62:d0:40 +# Subject: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:33 2016 +# Not Valid After : Mon Dec 31 17:28:07 2029 +# Fingerprint (SHA-256): 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C +# Fingerprint (SHA1): 58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor ECA-1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014 +\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 
+\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014 +\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\204\202\054\137\034\142\320\100 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\004\040\060\202\003\010\240\003\002\001\002\002\011\000 +\204\202\054\137\034\142\320\100\060\015\006\011\052\206\110\206 +\367\015\001\001\013\005\000\060\201\234\061\013\060\011\006\003 +\125\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010 +\014\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004 +\007\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044 +\060\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157 +\162\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040 +\122\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124 +\162\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143 +\141\164\145\040\101\165\164\150\157\162\151\164\171\061\027\060 +\025\006\003\125\004\003\014\016\124\162\165\163\164\103\157\162 +\040\105\103\101\055\061\060\036\027\015\061\066\060\062\060\064 +\061\062\063\062\063\063\132\027\015\062\071\061\062\063\061\061 +\067\062\070\060\067\132\060\201\234\061\013\060\011\006\003\125 +\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010\014 +\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004\007 +\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044\060 +\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157\162 +\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040\122 +\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124\162 +\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143\141 +\164\145\040\101\165\164\150\157\162\151\164\171\061\027\060\025 +\006\003\125\004\003\014\016\124\162\165\163\164\103\157\162\040 +\105\103\101\055\061\060\202\001\042\060\015\006\011\052\206\110 +\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001 
+\012\002\202\001\001\000\317\217\340\021\265\237\250\166\166\333 +\337\017\124\357\163\143\051\202\255\107\306\243\153\355\376\137 +\063\370\103\121\351\032\063\221\061\027\240\164\304\324\247\001 +\346\262\222\076\152\235\355\016\371\164\230\100\323\077\003\200 +\006\202\100\350\261\342\247\121\247\035\203\046\153\253\336\372 +\027\221\053\330\306\254\036\261\236\031\001\325\227\246\352\015 +\267\304\125\037\047\174\322\010\325\166\037\051\025\207\100\071 +\335\070\105\021\165\320\232\247\064\340\277\315\310\122\035\271 +\107\176\015\270\273\306\014\366\163\127\026\132\176\103\221\037 +\125\072\306\155\104\004\252\234\251\234\247\114\211\027\203\256 +\243\004\136\122\200\213\036\022\045\021\031\327\014\175\175\061 +\104\101\352\333\257\260\034\357\201\320\054\305\232\041\233\075 +\355\102\073\120\046\362\354\316\161\141\006\142\041\124\116\177 +\301\235\076\177\040\214\200\313\052\330\227\142\310\203\063\221 +\175\260\242\132\017\127\350\073\314\362\045\262\324\174\057\354 +\115\306\241\072\025\172\347\266\135\065\365\366\110\112\066\105 +\146\324\272\230\130\301\002\003\001\000\001\243\143\060\141\060 +\035\006\003\125\035\016\004\026\004\024\104\236\110\365\314\155 +\110\324\240\113\177\376\131\044\057\203\227\231\232\206\060\037 +\006\003\125\035\043\004\030\060\026\200\024\104\236\110\365\314 +\155\110\324\240\113\177\376\131\044\057\203\227\231\232\206\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206 +\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003 +\202\001\001\000\005\076\065\134\025\160\233\311\307\163\141\157 +\162\053\324\302\217\362\103\135\002\316\304\224\271\224\021\203 +\147\135\342\147\154\165\166\277\273\014\252\066\306\255\107\223 +\143\334\036\176\326\336\056\376\351\031\062\070\003\177\024\366 +\000\163\054\131\261\041\006\341\373\254\030\225\014\243\377\231 +\226\367\053\047\233\325\044\314\035\335\301\072\340\230\104\260 
+\304\344\076\167\261\163\251\144\054\366\034\001\174\077\135\105 +\205\300\205\347\045\217\225\334\027\363\074\237\032\156\260\312 +\343\035\052\351\114\143\372\044\141\142\326\332\176\266\034\154 +\365\002\035\324\052\335\125\220\353\052\021\107\074\056\136\164 +\262\202\042\245\175\123\037\105\354\047\221\175\347\042\026\350 +\300\150\066\330\306\361\117\200\104\062\371\341\321\321\035\252 +\336\250\253\234\004\257\255\040\016\144\230\115\245\153\300\110 +\130\226\151\115\334\007\214\121\223\242\337\237\017\075\213\140 +\264\202\215\252\010\116\142\105\340\371\013\322\340\340\074\133 +\336\134\161\047\045\302\346\003\201\213\020\123\343\307\125\242 +\264\237\327\346 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "TrustCor ECA-1" +# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA +# Serial Number:00:84:82:2c:5f:1c:62:d0:40 +# Subject: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA +# Not Valid Before: Thu Feb 04 12:32:33 2016 +# Not Valid After : Mon Dec 31 17:28:07 2029 +# Fingerprint (SHA-256): 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C +# Fingerprint (SHA1): 58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "TrustCor ECA-1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\130\321\337\225\225\147\153\143\300\360\133\034\027\115\213\204 +\013\310\170\275 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\047\222\043\035\012\365\100\174\351\346\153\235\330\365\347\154 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101 +\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155 +\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141 +\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012 +\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145 +\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060 +\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162 +\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164 +\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014 +\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\204\202\054\137\034\142\320\100 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "SSL.com Root Certification Authority RSA" +# +# Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:7b:2c:9b:d3:16:80:32:99 +# Subject: CN=SSL.com Root Certification Authority RSA,O=SSL 
Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 17:39:39 2016 +# Not Valid After : Tue Feb 12 17:39:39 2041 +# Fingerprint (SHA-256): 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 +# Fingerprint (SHA1): B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 +\040\101\165\164\150\157\162\151\164\171\040\122\123\101 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 +\040\101\165\164\150\157\162\151\164\171\040\122\123\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\173\054\233\323\026\200\062\231 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\335\060\202\003\305\240\003\002\001\002\002\010\173 +\054\233\323\026\200\062\231\060\015\006\011\052\206\110\206\367 
+\015\001\001\013\005\000\060\174\061\013\060\011\006\003\125\004 +\006\023\002\125\123\061\016\060\014\006\003\125\004\010\014\005 +\124\145\170\141\163\061\020\060\016\006\003\125\004\007\014\007 +\110\157\165\163\164\157\156\061\030\060\026\006\003\125\004\012 +\014\017\123\123\114\040\103\157\162\160\157\162\141\164\151\157 +\156\061\061\060\057\006\003\125\004\003\014\050\123\123\114\056 +\143\157\155\040\122\157\157\164\040\103\145\162\164\151\146\151 +\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 +\040\122\123\101\060\036\027\015\061\066\060\062\061\062\061\067 +\063\071\063\071\132\027\015\064\061\060\062\061\062\061\067\063 +\071\063\071\132\060\174\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145 +\170\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157 +\165\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017 +\123\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061 +\061\060\057\006\003\125\004\003\014\050\123\123\114\056\143\157 +\155\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122 +\123\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\371\017\335\243\053\175\313\320\052\376\354\147\205 +\246\347\056\033\272\167\341\343\365\257\244\354\372\112\135\221 +\304\127\107\153\030\167\153\166\362\375\223\344\075\017\302\026 +\236\013\146\303\126\224\236\027\203\205\316\126\357\362\026\375 +\000\142\365\042\011\124\350\145\027\116\101\271\340\117\106\227 +\252\033\310\270\156\142\136\151\261\137\333\052\002\176\374\154 +\312\363\101\330\355\320\350\374\077\141\110\355\260\003\024\035 +\020\016\113\031\340\273\116\354\206\145\377\066\363\136\147\002 +\013\235\206\125\141\375\172\070\355\376\342\031\000\267\157\241 +\120\142\165\164\074\240\372\310\045\222\264\156\172\042\307\370 
+\036\241\343\262\335\221\061\253\053\035\004\377\245\112\004\067 +\351\205\244\063\053\375\342\326\125\064\174\031\244\112\150\307 +\262\250\323\267\312\241\223\210\353\301\227\274\214\371\035\331 +\042\204\044\164\307\004\075\152\251\051\223\314\353\270\133\341 +\376\137\045\252\064\130\310\301\043\124\235\033\230\021\303\070 +\234\176\075\206\154\245\017\100\206\174\002\364\134\002\117\050 +\313\256\161\237\017\072\310\063\376\021\045\065\352\374\272\305 +\140\075\331\174\030\325\262\251\323\165\170\003\162\042\312\072 +\303\037\357\054\345\056\251\372\236\054\266\121\106\375\257\003 +\326\352\140\150\352\205\026\066\153\205\351\036\300\263\335\304 +\044\334\200\052\201\101\155\224\076\310\340\311\201\101\000\236 +\136\277\177\305\010\230\242\030\054\102\100\263\371\157\070\047 +\113\116\200\364\075\201\107\340\210\174\352\034\316\265\165\134 +\121\056\034\053\177\032\162\050\347\000\265\321\164\306\327\344 +\237\255\007\223\266\123\065\065\374\067\344\303\366\135\026\276 +\041\163\336\222\012\370\240\143\152\274\226\222\152\076\370\274 +\145\125\233\336\365\015\211\046\004\374\045\032\246\045\151\313 +\302\155\312\174\342\131\137\227\254\353\357\056\310\274\327\033 +\131\074\053\314\362\031\310\223\153\047\143\031\317\374\351\046 +\370\312\161\233\177\223\376\064\147\204\116\231\353\374\263\170 +\011\063\160\272\146\246\166\355\033\163\353\032\245\015\304\042 +\023\040\224\126\012\116\054\154\116\261\375\317\234\011\272\242 +\063\355\207\002\003\001\000\001\243\143\060\141\060\035\006\003 +\125\035\016\004\026\004\024\335\004\011\007\242\365\172\175\122 +\123\022\222\225\356\070\200\045\015\246\131\060\017\006\003\125 +\035\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003 +\125\035\043\004\030\060\026\200\024\335\004\011\007\242\365\172 +\175\122\123\022\222\225\356\070\200\045\015\246\131\060\016\006 +\003\125\035\017\001\001\377\004\004\003\002\001\206\060\015\006 +\011\052\206\110\206\367\015\001\001\013\005\000\003\202\002\001 
+\000\040\030\021\224\051\373\046\235\034\036\036\160\141\361\225 +\162\223\161\044\255\150\223\130\216\062\257\033\263\160\003\374 +\045\053\164\205\220\075\170\152\364\271\213\245\227\073\265\030 +\221\273\036\247\371\100\133\221\371\125\231\257\036\021\320\134 +\035\247\146\343\261\224\007\014\062\071\246\352\033\260\171\330 +\035\234\160\104\343\212\335\304\371\225\037\212\070\103\077\001 +\205\245\107\247\075\106\262\274\345\042\150\367\173\234\330\054 +\076\012\041\310\055\063\254\277\305\201\231\061\164\301\165\161 +\305\276\261\360\043\105\364\235\153\374\031\143\235\243\274\004 +\306\030\013\045\273\123\211\017\263\200\120\336\105\356\104\177 +\253\224\170\144\230\323\366\050\335\207\330\160\145\164\373\016 +\271\023\353\247\017\141\251\062\226\314\336\273\355\143\114\030 +\273\251\100\367\240\124\156\040\210\161\165\030\352\172\264\064 +\162\340\043\047\167\134\266\220\352\206\045\100\253\357\063\017 +\313\237\202\276\242\040\373\366\265\055\032\346\302\205\261\164 +\017\373\310\145\002\244\122\001\107\335\111\042\301\277\330\353 +\153\254\176\336\354\143\063\025\267\043\010\217\306\017\215\101 +\132\335\216\305\271\217\345\105\077\170\333\272\322\033\100\261 +\376\161\115\077\340\201\242\272\136\264\354\025\340\223\335\010 +\037\176\341\125\231\013\041\336\223\236\012\373\346\243\111\275 +\066\060\376\347\167\262\240\165\227\265\055\201\210\027\145\040 +\367\332\220\000\237\311\122\314\062\312\065\174\365\075\017\330 +\053\327\365\046\154\311\006\064\226\026\352\160\131\032\062\171 +\171\013\266\210\177\017\122\110\075\277\154\330\242\104\056\321 +\116\267\162\130\323\211\023\225\376\104\253\370\327\213\033\156 +\234\274\054\240\133\325\152\000\257\137\067\341\325\372\020\013 +\230\234\206\347\046\217\316\360\354\156\212\127\013\200\343\116 +\262\300\240\143\141\220\272\125\150\067\164\152\266\222\333\237 +\241\206\042\266\145\047\016\354\266\237\102\140\344\147\302\265 +\332\101\013\304\323\213\141\033\274\372\037\221\053\327\104\007 
+\136\272\051\254\331\305\351\357\123\110\132\353\200\361\050\130 +\041\315\260\006\125\373\047\077\123\220\160\251\004\036\127\047 +\271 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "SSL.com Root Certification Authority RSA" +# Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:7b:2c:9b:d3:16:80:32:99 +# Subject: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 17:39:39 2016 +# Not Valid After : Tue Feb 12 17:39:39 2041 +# Fingerprint (SHA-256): 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 +# Fingerprint (SHA1): B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\267\253\063\010\321\352\104\167\272\024\200\022\132\157\275\251 +\066\111\014\273 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\206\151\022\300\160\361\354\254\254\302\325\274\245\133\241\051 +END +CKA_ISSUER MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 +\040\101\165\164\150\157\162\151\164\171\040\122\123\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\173\054\233\323\026\200\062\231 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST 
CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "SSL.com Root Certification Authority ECC" +# +# Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:75:e6:df:cb:c1:68:5b:a8 +# Subject: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 18:14:03 2016 +# Not Valid After : Tue Feb 12 18:14:03 2041 +# Fingerprint (SHA-256): 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 +# Fingerprint (SHA1): C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 +\040\101\165\164\150\157\162\151\164\171\040\105\103\103 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 
+\040\101\165\164\150\157\162\151\164\171\040\105\103\103 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\165\346\337\313\301\150\133\250 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\215\060\202\002\024\240\003\002\001\002\002\010\165 +\346\337\313\301\150\133\250\060\012\006\010\052\206\110\316\075 +\004\003\002\060\174\061\013\060\011\006\003\125\004\006\023\002 +\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145\170 +\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157\165 +\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017\123 +\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061\061 +\060\057\006\003\125\004\003\014\050\123\123\114\056\143\157\155 +\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164 +\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103 +\103\060\036\027\015\061\066\060\062\061\062\061\070\061\064\060 +\063\132\027\015\064\061\060\062\061\062\061\070\061\064\060\063 +\132\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163 +\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164 +\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114 +\040\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057 +\006\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122 +\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157 +\156\040\101\165\164\150\157\162\151\164\171\040\105\103\103\060 +\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201 +\004\000\042\003\142\000\004\105\156\251\120\304\246\043\066\236 +\137\050\215\027\313\226\042\144\077\334\172\216\035\314\010\263 +\242\161\044\272\216\111\271\004\033\107\226\130\253\055\225\310 +\355\236\010\065\310\047\353\211\214\123\130\353\142\212\376\360 +\133\017\153\061\122\143\101\073\211\315\354\354\266\215\031\323 +\064\007\334\273\306\006\177\302\105\225\354\313\177\250\043\340 
+\011\351\201\372\363\107\323\243\143\060\141\060\035\006\003\125 +\035\016\004\026\004\024\202\321\205\163\060\347\065\004\323\216 +\002\222\373\345\244\321\304\041\350\315\060\017\006\003\125\035 +\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125 +\035\043\004\030\060\026\200\024\202\321\205\163\060\347\065\004 +\323\216\002\222\373\345\244\321\304\041\350\315\060\016\006\003 +\125\035\017\001\001\377\004\004\003\002\001\206\060\012\006\010 +\052\206\110\316\075\004\003\002\003\147\000\060\144\002\060\157 +\347\353\131\021\244\140\317\141\260\226\173\355\005\371\057\023 +\221\334\355\345\374\120\153\021\106\106\263\034\041\000\142\273 +\276\303\347\350\315\007\231\371\015\013\135\162\076\304\252\002 +\060\037\274\272\013\342\060\044\373\174\155\200\125\012\231\076 +\200\015\063\345\146\243\263\243\273\245\325\213\217\011\054\246 +\135\176\342\360\007\010\150\155\322\174\151\156\137\337\345\152 +\145 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "SSL.com Root Certification Authority ECC" +# Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:75:e6:df:cb:c1:68:5b:a8 +# Subject: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 18:14:03 2016 +# Not Valid After : Tue Feb 12 18:14:03 2041 +# Fingerprint (SHA-256): 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 +# Fingerprint (SHA1): C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\303\031\174\071\044\346\124\257\033\304\253\040\225\172\342\303 +\016\023\002\152 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\056\332\344\071\177\234\217\067\321\160\237\046\027\121\072\216 +END 
+CKA_ISSUER MULTILINE_OCTAL +\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006 +\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157 +\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156 +\040\101\165\164\150\157\162\151\164\171\040\105\103\103 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\165\346\337\313\301\150\133\250 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "SSL.com EV Root Certification Authority RSA R2" +# +# Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:56:b6:29:cd:34:bc:78:f6 +# Subject: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Wed May 31 18:14:37 2017 +# Not Valid After : Fri May 30 18:14:37 2042 +# Fingerprint (SHA-256): 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C +# Fingerprint (SHA1): 74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163 +\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164 
+\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114 +\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065 +\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105 +\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122 +\123\101\040\122\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163 +\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164 +\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114 +\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065 +\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105 +\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122 +\123\101\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\126\266\051\315\064\274\170\366 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\353\060\202\003\323\240\003\002\001\002\002\010\126 +\266\051\315\064\274\170\366\060\015\006\011\052\206\110\206\367 +\015\001\001\013\005\000\060\201\202\061\013\060\011\006\003\125 +\004\006\023\002\125\123\061\016\060\014\006\003\125\004\010\014 +\005\124\145\170\141\163\061\020\060\016\006\003\125\004\007\014 +\007\110\157\165\163\164\157\156\061\030\060\026\006\003\125\004 +\012\014\017\123\123\114\040\103\157\162\160\157\162\141\164\151 +\157\156\061\067\060\065\006\003\125\004\003\014\056\123\123\114 +\056\143\157\155\040\105\126\040\122\157\157\164\040\103\145\162 +\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157 +\162\151\164\171\040\122\123\101\040\122\062\060\036\027\015\061 +\067\060\065\063\061\061\070\061\064\063\067\132\027\015\064\062 +\060\065\063\060\061\070\061\064\063\067\132\060\201\202\061\013 +\060\011\006\003\125\004\006\023\002\125\123\061\016\060\014\006 
+\003\125\004\010\014\005\124\145\170\141\163\061\020\060\016\006 +\003\125\004\007\014\007\110\157\165\163\164\157\156\061\030\060 +\026\006\003\125\004\012\014\017\123\123\114\040\103\157\162\160 +\157\162\141\164\151\157\156\061\067\060\065\006\003\125\004\003 +\014\056\123\123\114\056\143\157\155\040\105\126\040\122\157\157 +\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040 +\101\165\164\150\157\162\151\164\171\040\122\123\101\040\122\062 +\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001 +\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001 +\000\217\066\145\100\341\326\115\300\327\264\351\106\332\153\352 +\063\107\315\114\371\175\175\276\275\055\075\360\333\170\341\206 +\245\331\272\011\127\150\355\127\076\240\320\010\101\203\347\050 +\101\044\037\343\162\025\320\001\032\373\136\160\043\262\313\237 +\071\343\317\305\116\306\222\155\046\306\173\273\263\332\047\235 +\012\206\351\201\067\005\376\360\161\161\354\303\034\351\143\242 +\027\024\235\357\033\147\323\205\125\002\002\326\111\311\314\132 +\341\261\367\157\062\237\311\324\073\210\101\250\234\275\313\253 +\333\155\173\011\037\242\114\162\220\332\053\010\374\317\074\124 +\316\147\017\250\317\135\226\031\013\304\343\162\353\255\321\175 +\035\047\357\222\353\020\277\133\353\073\257\317\200\335\301\322 +\226\004\133\172\176\244\251\074\070\166\244\142\216\240\071\136 +\352\167\317\135\000\131\217\146\054\076\007\242\243\005\046\021 +\151\227\352\205\267\017\226\013\113\310\100\341\120\272\056\212 +\313\367\017\232\042\347\177\232\067\023\315\362\115\023\153\041 +\321\300\314\042\362\241\106\366\104\151\234\312\141\065\007\000 +\157\326\141\010\021\352\272\270\366\351\263\140\345\115\271\354 +\237\024\146\311\127\130\333\315\207\151\370\212\206\022\003\107 +\277\146\023\166\254\167\175\064\044\205\203\315\327\252\234\220 +\032\237\041\054\177\170\267\144\270\330\350\246\364\170\263\125 +\313\204\322\062\304\170\256\243\217\141\335\316\010\123\255\354 
+\210\374\025\344\232\015\346\237\032\167\316\114\217\270\024\025 +\075\142\234\206\070\006\000\146\022\344\131\166\132\123\300\002 +\230\242\020\053\150\104\173\216\171\316\063\112\166\252\133\201 +\026\033\265\212\330\320\000\173\136\142\264\011\326\206\143\016 +\246\005\225\111\272\050\213\210\223\262\064\034\330\244\125\156 +\267\034\320\336\231\125\073\043\364\042\340\371\051\146\046\354 +\040\120\167\333\112\013\217\276\345\002\140\160\101\136\324\256 +\120\071\042\024\046\313\262\073\163\164\125\107\007\171\201\071 +\250\060\023\104\345\004\212\256\226\023\045\102\017\271\123\304 +\233\374\315\344\034\336\074\372\253\326\006\112\037\147\246\230 +\060\034\335\054\333\334\030\225\127\146\306\377\134\213\126\365 +\167\002\003\001\000\001\243\143\060\141\060\017\006\003\125\035 +\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125 +\035\043\004\030\060\026\200\024\371\140\273\324\343\325\064\366 +\270\365\006\200\045\247\163\333\106\151\250\236\060\035\006\003 +\125\035\016\004\026\004\024\371\140\273\324\343\325\064\366\270 +\365\006\200\045\247\163\333\106\151\250\236\060\016\006\003\125 +\035\017\001\001\377\004\004\003\002\001\206\060\015\006\011\052 +\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\126 +\263\216\313\012\235\111\216\277\244\304\221\273\146\027\005\121 +\230\165\373\345\120\054\172\236\361\024\372\253\323\212\076\377 +\221\051\217\143\213\330\264\251\124\001\015\276\223\206\057\371 +\112\155\307\136\365\127\371\312\125\034\022\276\107\017\066\305 +\337\152\267\333\165\302\107\045\177\271\361\143\370\150\055\125 +\004\321\362\215\260\244\317\274\074\136\037\170\347\245\240\040 +\160\260\004\305\267\367\162\247\336\042\015\275\063\045\106\214 +\144\222\046\343\076\056\143\226\332\233\214\075\370\030\011\327 +\003\314\175\206\202\340\312\004\007\121\120\327\377\222\325\014 +\357\332\206\237\231\327\353\267\257\150\342\071\046\224\272\150 +\267\277\203\323\352\172\147\075\142\147\256\045\345\162\350\342 
+\344\354\256\022\366\113\053\074\237\351\260\100\363\070\124\263 +\375\267\150\310\332\306\217\121\074\262\373\221\334\034\347\233 +\235\341\267\015\162\217\342\244\304\251\170\371\353\024\254\306 +\103\005\302\145\071\050\030\002\303\202\262\235\005\276\145\355 +\226\137\145\164\074\373\011\065\056\173\234\023\375\033\017\135 +\307\155\201\072\126\017\314\073\341\257\002\057\042\254\106\312 +\106\074\240\034\114\326\104\264\136\056\134\025\146\011\341\046 +\051\376\306\122\141\272\261\163\377\303\014\234\345\154\152\224 +\077\024\312\100\026\225\204\363\131\251\254\137\114\141\223\155 +\321\073\314\242\225\014\042\246\147\147\104\056\271\331\322\212 +\101\263\146\013\132\373\175\043\245\362\032\260\377\336\233\203 +\224\056\321\077\337\222\267\221\257\005\073\145\307\240\154\261 +\315\142\022\303\220\033\343\045\316\064\274\157\167\166\261\020 +\303\367\005\032\300\326\257\164\142\110\027\167\222\151\220\141 +\034\336\225\200\164\124\217\030\034\303\363\003\320\277\244\103 +\165\206\123\030\172\012\056\011\034\066\237\221\375\202\212\042 +\113\321\016\120\045\335\313\003\014\027\311\203\000\010\116\065 +\115\212\213\355\360\002\224\146\054\104\177\313\225\047\226\027 +\255\011\060\254\266\161\027\156\213\027\366\034\011\324\055\073 +\230\245\161\323\124\023\331\140\363\365\113\146\117\372\361\356 +\040\022\215\264\254\127\261\105\143\241\254\166\251\302\373 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "SSL.com EV Root Certification Authority RSA R2" +# Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:56:b6:29:cd:34:bc:78:f6 +# Subject: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Wed May 31 18:14:37 2017 +# Not Valid After : Fri May 30 18:14:37 2042 +# Fingerprint (SHA-256): 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C +# Fingerprint (SHA1): 
74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\164\072\360\122\233\320\062\240\364\112\203\315\324\272\251\173 +\174\056\304\232 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\341\036\061\130\032\256\124\123\002\366\027\152\021\173\115\225 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163 +\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164 +\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114 +\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065 +\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105 +\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122 +\123\101\040\122\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\126\266\051\315\064\274\170\366 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "SSL.com EV Root Certification Authority ECC" +# +# Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:2c:29:9c:5b:16:ed:05:95 +# Subject: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 18:15:23 2016 +# Not Valid After : Tue Feb 12 18:15:23 2041 +# Fingerprint (SHA-256): 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 +# Fingerprint (SHA1): 4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D +CKA_CLASS 
CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006 +\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126 +\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164 +\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103 +\103 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006 +\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126 +\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164 +\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103 +\103 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\010\054\051\234\133\026\355\005\225 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\224\060\202\002\032\240\003\002\001\002\002\010\054 +\051\234\133\026\355\005\225\060\012\006\010\052\206\110\316\075 +\004\003\002\060\177\061\013\060\011\006\003\125\004\006\023\002 +\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145\170 +\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157\165 +\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017\123 +\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061\064 
+\060\062\006\003\125\004\003\014\053\123\123\114\056\143\157\155 +\040\105\126\040\122\157\157\164\040\103\145\162\164\151\146\151 +\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 +\040\105\103\103\060\036\027\015\061\066\060\062\061\062\061\070 +\061\065\062\063\132\027\015\064\061\060\062\061\062\061\070\061 +\065\062\063\132\060\177\061\013\060\011\006\003\125\004\006\023 +\002\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145 +\170\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157 +\165\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017 +\123\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061 +\064\060\062\006\003\125\004\003\014\053\123\123\114\056\143\157 +\155\040\105\126\040\122\157\157\164\040\103\145\162\164\151\146 +\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164 +\171\040\105\103\103\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\252\022\107 +\220\230\033\373\357\303\100\007\203\040\116\361\060\202\242\006 +\321\362\222\206\141\362\366\041\150\312\000\304\307\352\103\000 +\124\206\334\375\037\337\000\270\101\142\134\334\160\026\062\336 +\037\231\324\314\305\007\310\010\037\141\026\007\121\075\175\134 +\007\123\343\065\070\214\337\315\237\331\056\015\112\266\031\056 +\132\160\132\006\355\276\360\241\260\312\320\011\051\243\143\060 +\141\060\035\006\003\125\035\016\004\026\004\024\133\312\136\345 +\336\322\201\252\315\250\055\144\121\266\331\162\233\227\346\117 +\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 +\377\060\037\006\003\125\035\043\004\030\060\026\200\024\133\312 +\136\345\336\322\201\252\315\250\055\144\121\266\331\162\233\227 +\346\117\060\016\006\003\125\035\017\001\001\377\004\004\003\002 +\001\206\060\012\006\010\052\206\110\316\075\004\003\002\003\150 +\000\060\145\002\061\000\212\346\100\211\067\353\351\325\023\331 +\312\324\153\044\363\260\075\207\106\130\032\354\261\337\157\373 
+\126\272\160\153\307\070\314\350\261\214\117\017\367\361\147\166 +\016\203\320\036\121\217\002\060\075\366\043\050\046\114\306\140 +\207\223\046\233\262\065\036\272\326\367\074\321\034\316\372\045 +\074\246\032\201\025\133\363\022\017\154\356\145\212\311\207\250 +\371\007\340\142\232\214\134\112 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "SSL.com EV Root Certification Authority ECC" +# Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Serial Number:2c:29:9c:5b:16:ed:05:95 +# Subject: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US +# Not Valid Before: Fri Feb 12 18:15:23 2016 +# Not Valid After : Tue Feb 12 18:15:23 2041 +# Fingerprint (SHA-256): 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 +# Fingerprint (SHA1): 4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\114\335\121\243\321\365\040\062\024\260\306\305\062\043\003\221 +\307\106\102\155 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\131\123\042\145\203\102\001\124\300\316\102\271\132\174\362\220 +END +CKA_ISSUER MULTILINE_OCTAL +\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061 +\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157 +\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040 +\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006 +\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126 +\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164 +\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103 +\103 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL 
+\002\010\054\051\234\133\026\355\005\225
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
index 498751d13d..b3bc04a38a 100644
--- a/lib/ckfw/builtins/nssckbi.h
+++ b/lib/ckfw/builtins/nssckbi.h
@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 16
-#define NSS_BUILTINS_LIBRARY_VERSION "2.16"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 18
+#define NSS_BUILTINS_LIBRARY_VERSION "2.18"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/lib/cryptohi/cryptohi.h b/lib/cryptohi/cryptohi.h
index f658daa9ef..e529fa34f5 100644
--- a/lib/cryptohi/cryptohi.h
+++ b/lib/cryptohi/cryptohi.h
@@ -59,6 +59,14 @@ extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len);
  */
 extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
 
+/*
+** Create a new signature context from an algorithmID.
+** "alg" the signature algorithm to use
+** "privKey" the private key to use
+*/
+extern SGNContext *SGN_NewContextWithAlgorithmID(SECAlgorithmID *alg,
+                                                  SECKEYPrivateKey *privKey);
+
 /*
 ** Destroy a signature-context object
 ** "cx" the object
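Review bot: The comment on SGN_NewContextWithAlgorithmID should state that the returned context keeps a pointer into `alg`: the secsign.c hunk that adds `cx->params = params;` stores `&alg->parameters` without copying it, so the caller's SECAlgorithmID must stay valid and unmodified until SGN_DestroyContext. I would add `** The context references alg->parameters; "alg" must outlive the context.` after the "privKey" line. The same borrowed-pointer contract applies to SEC_SignDataWithAlgorithmID and SEC_DerSignDataWithAlgorithmID in the next two hunks, although there the reference only lives for the duration of the call. Since the parameters are only read, `const SECAlgorithmID *alg` would document this more precisely, provided the internal callees accept a const item.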
@@ -105,6 +113,21 @@ extern SECStatus SEC_SignData(SECItem *result,
                               const unsigned char *buf, int len,
                               SECKEYPrivateKey *pk, SECOidTag algid);
 
+/*
+** Sign a single block of data using private key encryption and given
+** signature/hash algorithm with parameters from an algorithmID.
+** "result" the final signature data (memory is allocated)
+** "buf" the input data to sign
+** "len" the amount of data to sign
+** "pk" the private key to encrypt with
+** "algid" the signature/hash algorithm to sign with
+**         (must be compatible with the key type).
+*/
+extern SECStatus SEC_SignDataWithAlgorithmID(SECItem *result,
+                                             const unsigned char *buf, int len,
+                                             SECKEYPrivateKey *pk,
+                                             SECAlgorithmID *algid);
+
 /*
 ** Sign a pre-digested block of data using private key encryption, encoding
 ** The given signature/hash algorithm.
@@ -131,6 +154,27 @@ extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
                                  const unsigned char *buf, int len,
                                  SECKEYPrivateKey *pk, SECOidTag algid);
 
+/*
+** DER sign a single block of data using private key encryption and
+** the given signature/hash algorithm with parameters from an
+** algorithmID. This routine first computes a digital signature using
+** SEC_SignData, then wraps it with an CERTSignedData and then der
+** encodes the result.
+** "arena" is the memory arena to use to allocate data from
+** "result" the final der encoded data (memory is allocated)
+** "buf" the input data to sign
+** "len" the amount of data to sign
+** "pk" the private key to encrypt with
+** "algid" the signature/hash algorithm to sign with
+**         (must be compatible with the key type).
+*/
+extern SECStatus SEC_DerSignDataWithAlgorithmID(PLArenaPool *arena,
+                                                SECItem *result,
+                                                const unsigned char *buf,
+                                                int len,
+                                                SECKEYPrivateKey *pk,
+                                                SECAlgorithmID *algid);
+
 /*
 ** Destroy a signed-data object.
 ** "sd" the object
@@ -146,6 +190,23 @@ extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
 extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType,
                                                  SECOidTag hashAlgTag);
 
+/*
+** Create algorithm parameters for signing. Return a new item
+** allocated from arena, or NULL on failure.
+** "arena" is the memory arena to use to allocate data from
+** "result" the encoded parameters (memory is allocated)
+** "signAlgTag" is the signing algorithm
+** "hashAlgTag" is the preferred hash algorithm
+** "params" is the default parameters
+** "key" is the private key
+*/
+extern SECItem *SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena,
+                                                       SECItem *result,
+                                                       SECOidTag signAlgTag,
+                                                       SECOidTag hashAlgTag,
+                                                       const SECItem *params,
+                                                       const SECKEYPrivateKey *key);
+
 /****************************************/
 /*
 ** Signature verification operations
diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h
index f8f5f7f7da..ee11fc905e 100644
--- a/lib/cryptohi/keyi.h
+++ b/lib/cryptohi/keyi.h
@@ -17,6 +17,9 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
 SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
 
+SECStatus sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
+                                      const SECKEYRSAPSSParams *params);
+
 SEC_END_PROTOS
 
 #endif /* _KEYHI_H_ */
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
index 7d60dcbabe..a352a269e1 100644
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -1046,6 +1046,7 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
 
     switch (pubk->keyType) {
         case rsaKey:
+        case rsaPssKey:
             b0 = pubk->u.rsa.modulus.data[0];
             return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
         case dsaKey:
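Review bot: The comment on SEC_CreateSignatureAlgorithmParameters says NULL means failure, but the secsign.c implementation in this commit also returns NULL, without setting an error, when signAlgTag is not RSA-PSS and `params` is NULL, so callers cannot tell "no parameters" from an error by the return value alone. It also does not mention that `result` may be NULL, in which case a new item is allocated from `arena`. I would change the "result" line to `** "result" the item to fill in, or NULL to allocate one from arena` and add `** Returns NULL on error; for algorithms without parameters NULL is also returned when "params" is NULL.`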
@@ -1972,3 +1973,92 @@ SECKEY_GetECCOid(const SECKEYECParams *params)
 
     return oidData->offset;
 }
+
+static CK_MECHANISM_TYPE
+sec_GetHashMechanismByOidTag(SECOidTag tag)
+{
+    switch (tag) {
+        case SEC_OID_SHA512:
+            return CKM_SHA512;
+        case SEC_OID_SHA384:
+            return CKM_SHA384;
+        case SEC_OID_SHA256:
+            return CKM_SHA256;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        /* fallthrough */
+        case SEC_OID_SHA1:
+            break;
+    }
+    return CKM_SHA_1;
+}
+
+static CK_RSA_PKCS_MGF_TYPE
+sec_GetMgfTypeByOidTag(SECOidTag tag)
+{
+    switch (tag) {
+        case SEC_OID_SHA512:
+            return CKG_MGF1_SHA512;
+        case SEC_OID_SHA384:
+            return CKG_MGF1_SHA384;
+        case SEC_OID_SHA256:
+            return CKG_MGF1_SHA256;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        /* fallthrough */
+        case SEC_OID_SHA1:
+            break;
+    }
+    return CKG_MGF1_SHA1;
+}
+
+SECStatus
+sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
+                            const SECKEYRSAPSSParams *params)
+{
+    SECStatus rv = SECSuccess;
+    SECOidTag hashAlgTag;
+    unsigned long saltLength;
+
+    PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+
+    if (params->hashAlg) {
+        hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
+    } else {
+        hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
+    }
+    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+
+    if (params->maskAlg) {
+        SECAlgorithmID maskHashAlg;
+        SECOidTag maskHashAlgTag;
+        PORTCheapArenaPool tmpArena;
+
+        if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
+            /* only MGF1 is known to PKCS#11 */
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return SECFailure;
+        }
+
+        PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+        rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &maskHashAlg,
+                                    SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+                                    ¶ms->maskAlg->parameters);
+        PORT_DestroyCheapArena(&tmpArena);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
+        mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+    } else {
+        mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+    }
+
+    rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    mech->sLen = saltLength;
+
+    return rv;
+}
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
index d06cb2e852..693e79c65a 100644
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -22,10 +22,11 @@ struct SGNContextStr {
     void *hashcx;
     const SECHashObject *hashobj;
     SECKEYPrivateKey *key;
+    SECItem *params;
 };
 
-SGNContext *
-SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+static SGNContext *
+sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
 {
     SGNContext *cx;
     SECOidTag hashalg, signalg;
@@ -40,7 +41,7 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
      * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS.
      */
     /* we have a private key, not a public key, so don't pass it in */
-    rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg);
+    rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg);
     if (rv != SECSuccess) {
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
         return 0;
@@ -49,7 +50,8 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
 
     /* verify our key type */
     if (key->keyType != keyType &&
-        !((key->keyType == dsaKey) && (keyType == fortezzaKey))) {
+        !((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
+        !((key->keyType == rsaKey) && (keyType == rsaPssKey))) {
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
         return 0;
     }
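Review bot: sec_RSAPSSParamsToMechanism never checks the error that sec_GetHashMechanismByOidTag and sec_GetMgfTypeByOidTag set in their default case, and both helpers still return the SHA-1 value after setting it, so PSS parameters naming any hash other than SHA-1/256/384/512 are silently turned into a SHA-1 mechanism. That set is also narrower than what the rest of this commit accepts: sec_CreateRSAPSSParameters in secsign.c allows SHA-224, and sec_DecodeSigAlg in the secvfy.c hunk passes on any tag HASH_GetHashTypeByOidTag recognises, so on the verify side, where the parameters come from the signed object, an unmapped hash should fail rather than fall back. The same function applies SEC_ASN1DecodeInteger to `params->saltLength` even when that field is absent, whereas hashAlg and maskAlg fall back to their RFC 4055 defaults; the absent salt length should default to 20 the same way. I would add `case SEC_OID_SHA224: return CKM_SHA224;` and `case SEC_OID_SHA224: return CKG_MGF1_SHA224;` to the two helpers, reject unmapped tags before calling them (the same check belongs in front of sec_GetMgfTypeByOidTag), and default the salt length, as below.
```c
    /* … unchanged: hashAlgTag from params->hashAlg, default SHA-1 … */
    if (hashAlgTag != SEC_OID_SHA1 && hashAlgTag != SEC_OID_SHA224 &&
        hashAlgTag != SEC_OID_SHA256 && hashAlgTag != SEC_OID_SHA384 &&
        hashAlgTag != SEC_OID_SHA512) {
        /* fail closed: never map an unknown hash to SHA-1 */
        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
        return SECFailure;
    }
    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);

    /* … unchanged: maskAlg decoding, MGF default … */

    if (params->saltLength.data) {
        rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
        if (rv != SECSuccess) {
            return rv;
        }
    } else {
        saltLength = 20; /* RFC 4055 default when the field is omitted */
    }
    mech->sLen = saltLength;
```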
@@ -59,10 +61,24 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
         cx->hashalg = hashalg;
         cx->signalg = signalg;
         cx->key = key;
+        cx->params = params;
     }
     return cx;
 }
 
+SGNContext *
+SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+{
+    return sgn_NewContext(alg, NULL, key);
+}
+
+SGNContext *
+SGN_NewContextWithAlgorithmID(SECAlgorithmID *alg, SECKEYPrivateKey *key)
+{
+    SECOidTag tag = SECOID_GetAlgorithmTag(alg);
+    return sgn_NewContext(tag, &alg->parameters, key);
+}
+
 void
 SGN_DestroyContext(SGNContext *cx, PRBool freeit)
 {
@@ -148,6 +164,7 @@ SGN_End(SGNContext *cx, SECItem *result)
 
     result->data = 0;
     digder.data = 0;
+    sigitem.data = 0;
 
     /* Finish up digest function */
     if (cx->hashcx == NULL) {
@@ -156,7 +173,8 @@ SGN_End(SGNContext *cx, SECItem *result)
     }
     (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
 
-    if (privKey->keyType == rsaKey) {
+    if (privKey->keyType == rsaKey &&
+        cx->signalg != SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
 
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (!arena) {
@@ -200,26 +218,65 @@ SGN_End(SGNContext *cx, SECItem *result)
             goto loser;
         }
 
-        rv = PK11_Sign(privKey, &sigitem, &digder);
-        if (rv != SECSuccess) {
-            PORT_Free(sigitem.data);
-            sigitem.data = NULL;
-            goto loser;
+    if (cx->signalg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        CK_RSA_PKCS_PSS_PARAMS mech;
+        SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) };
+
+        PORT_Memset(&mech, 0, sizeof(mech));
+
+        if (cx->params && cx->params->data) {
+            SECKEYRSAPSSParams params;
+
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (!arena) {
+                rv = SECFailure;
+                goto loser;
+            }
+
+            PORT_Memset(¶ms, 0, sizeof(params));
+            rv = SEC_QuickDERDecodeItem(arena, ¶ms,
+                                        SECKEY_RSAPSSParamsTemplate,
+                                        cx->params);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+            rv = sec_RSAPSSParamsToMechanism(&mech, ¶ms);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+        } else {
+            mech.hashAlg = CKM_SHA_1;
+            mech.mgf = CKG_MGF1_SHA1;
+            mech.sLen = digder.len;
+        }
+        rv = PK11_SignWithMechanism(privKey, CKM_RSA_PKCS_PSS, &mechItem,
+                                    &sigitem, &digder);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    } else {
+        rv = PK11_Sign(privKey, &sigitem, &digder);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
     }
 
     if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) || (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
         /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
         rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len);
-        PORT_Free(sigitem.data);
         if (rv != SECSuccess)
             goto loser;
+        SECITEM_FreeItem(&sigitem, PR_FALSE);
     } else {
         result->len = sigitem.len;
         result->data = sigitem.data;
     }
 
 loser:
+    if (rv != SECSuccess) {
+        SECITEM_FreeItem(&sigitem, PR_FALSE);
+    }
     SGN_DestroyDigestInfo(di);
     if (arena != NULL) {
         PORT_FreeArena(arena, PR_FALSE);
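Review bot: The fallback branch of the new PSS block in SGN_End hard-codes `mech.hashAlg = CKM_SHA_1; mech.mgf = CKG_MGF1_SHA1; mech.sLen = digder.len;` without saying where those values come from; a one-line comment would help the next reader, e.g. `/* No encoded parameters: RFC 4055 defaults, SHA-1 with MGF1-SHA1 and a salt as long as the digest. */`. The block also relies on the earlier hunk in this function having skipped the DigestInfo wrapping for PSS, so that digder presumably holds the raw digest when it reaches PK11_SignWithMechanism; noting that next to the call would make the coupling explicit. SGN_End begins and ends outside this hunk. As a point of style, the PSS block is now about forty lines inside an already long function and would read better as a static helper that fills in the CK_RSA_PKCS_PSS_PARAMS from cx->params.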
@@ -229,18 +286,14 @@ SGN_End(SGNContext *cx, SECItem *result)
 
 /************************************************************************/
 
-/*
-** Sign a block of data returning in result a bunch of bytes that are the
-** signature. Returns zero on success, an error code on failure.
-*/
-SECStatus
-SEC_SignData(SECItem *res, const unsigned char *buf, int len,
-             SECKEYPrivateKey *pk, SECOidTag algid)
+static SECStatus
+sec_SignData(SECItem *res, const unsigned char *buf, int len,
+             SECKEYPrivateKey *pk, SECOidTag algid, SECItem *params)
 {
     SECStatus rv;
     SGNContext *sgn;
 
-    sgn = SGN_NewContext(algid, pk);
+    sgn = sgn_NewContext(algid, params, pk);
     if (sgn == NULL)
         return SECFailure;
 
@@ -260,6 +313,25 @@ SEC_SignData(SECItem *res, const unsigned char *buf, int len,
     return rv;
 }
 
+/*
+** Sign a block of data returning in result a bunch of bytes that are the
+** signature. Returns zero on success, an error code on failure.
+*/
+SECStatus
+SEC_SignData(SECItem *res, const unsigned char *buf, int len,
+             SECKEYPrivateKey *pk, SECOidTag algid)
+{
+    return sec_SignData(res, buf, len, pk, algid, NULL);
+}
+
+SECStatus
+SEC_SignDataWithAlgorithmID(SECItem *res, const unsigned char *buf, int len,
+                            SECKEYPrivateKey *pk, SECAlgorithmID *algid)
+{
+    SECOidTag tag = SECOID_GetAlgorithmTag(algid);
+    return sec_SignData(res, buf, len, pk, tag, &algid->parameters);
+}
+
 /************************************************************************/
 
 DERTemplate CERTSignedDataTemplate[] =
@@ -294,10 +366,10 @@ const SEC_ASN1Template CERT_SignedDataTemplate[] =
 
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
 
-SECStatus
-SEC_DerSignData(PLArenaPool *arena, SECItem *result,
+static SECStatus
+sec_DerSignData(PLArenaPool *arena, SECItem *result,
                 const unsigned char *buf, int len, SECKEYPrivateKey *pk,
-                SECOidTag algID)
+                SECOidTag algID, SECItem *params)
 {
     SECItem it;
     CERTSignedData sd;
@@ -339,7 +411,7 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
     }
 
     /* Sign input buffer */
-    rv = SEC_SignData(&it, buf, len, pk, algID);
+    rv = sec_SignData(&it, buf, len, pk, algID, params);
     if (rv)
         goto loser;
 
@@ -349,7 +421,7 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
     sd.data.len = len;
     sd.signature.data = it.data;
     sd.signature.len = it.len << 3; /* convert to bit string */
-    rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0);
+    rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, params);
     if (rv)
         goto loser;
 
@@ -362,6 +434,24 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
     return rv;
 }
 
+SECStatus
+SEC_DerSignData(PLArenaPool *arena, SECItem *result,
+                const unsigned char *buf, int len, SECKEYPrivateKey *pk,
+                SECOidTag algID)
+{
+    return sec_DerSignData(arena, result, buf, len, pk, algID, NULL);
+}
+
+SECStatus
+SEC_DerSignDataWithAlgorithmID(PLArenaPool *arena, SECItem *result,
+                               const unsigned char *buf, int len,
+                               SECKEYPrivateKey *pk,
+                               SECAlgorithmID *algID)
+{
+    SECOidTag tag = SECOID_GetAlgorithmTag(algID);
+    return sec_DerSignData(arena, result, buf, len, pk, tag, &algID->parameters);
+}
+
 SECStatus
 SGN_Digest(SECKEYPrivateKey *privKey,
            SECOidTag algtag, SECItem *result, SECItem *digest)
@@ -509,3 +599,226 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
     }
     return sigTag;
 }
+
+static SECItem *
+sec_CreateRSAPSSParameters(PLArenaPool *arena,
+                           SECItem *result,
+                           SECOidTag hashAlgTag,
+                           const SECItem *params,
+                           const SECKEYPrivateKey *key)
+{
+    SECKEYRSAPSSParams pssParams;
+    int modBytes, hashLength;
+    unsigned long saltLength;
+    SECStatus rv;
+
+    if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return NULL;
+    }
+
+    PORT_Memset(&pssParams, 0, sizeof(pssParams));
+
+    if (params && params->data) {
+        /* The parameters field should either be empty or contain
+         * valid RSA-PSS parameters */
+        PORT_Assert(!(params->len == 2 &&
+                      params->data[0] == SEC_ASN1_NULL &&
+                      params->data[1] == 0));
+        rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+                                    SECKEY_RSAPSSParamsTemplate,
+                                    params);
+        if (rv != SECSuccess) {
+            return NULL;
+        }
+    }
+
+    if (pssParams.trailerField.data) {
+        unsigned long trailerField;
+
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.trailerField,
+                                   &trailerField);
+        if (rv != SECSuccess) {
+            return NULL;
+        }
+        if (trailerField != 1) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return NULL;
+        }
+    }
+
+    modBytes = PK11_GetPrivateModulusLen((SECKEYPrivateKey *)key);
+
+    /* Determine the hash algorithm to use, based on hashAlgTag and
+     * pssParams.hashAlg; there are four cases */
+    if (hashAlgTag != SEC_OID_UNKNOWN) {
+        if (pssParams.hashAlg) {
+            if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                return NULL;
+            }
+        }
+    } else if (hashAlgTag == SEC_OID_UNKNOWN) {
+        if (pssParams.hashAlg) {
+            hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
+        } else {
+            /* Find a suitable hash algorithm based on the NIST recommendation */
+            if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */
+                hashAlgTag = SEC_OID_SHA256;
+            } else if (modBytes <= 960) { /* 192, NIST 800-57, Part 1 */
+                hashAlgTag = SEC_OID_SHA384;
+            } else {
+                hashAlgTag = SEC_OID_SHA512;
+            }
+        }
+    }
+
+    if (hashAlgTag != SEC_OID_SHA1 && hashAlgTag != SEC_OID_SHA224 &&
+        hashAlgTag != SEC_OID_SHA256 && hashAlgTag != SEC_OID_SHA384 &&
+        hashAlgTag != SEC_OID_SHA512) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return NULL;
+    }
+
+    /* Now that the hash algorithm is decided, check if it matches the
+     * existing parameters if any */
+    if (pssParams.maskAlg) {
+        SECAlgorithmID maskHashAlg;
+
+        if (SECOID_GetAlgorithmTag(pssParams.maskAlg) != SEC_OID_PKCS1_MGF1) {
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return NULL;
+        }
+
+        if (pssParams.maskAlg->parameters.data == NULL) {
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return NULL;
+        }
+
+        PORT_Memset(&maskHashAlg, 0, sizeof(maskHashAlg));
+        rv = SEC_QuickDERDecodeItem(arena, &maskHashAlg,
+                                    SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+                                    &pssParams.maskAlg->parameters);
+        if (rv != SECSuccess) {
+            return NULL;
+        }
+
+        /* Following the recommendation in RFC 4055, assume the hash
+         * algorithm identical to pssParam.hashAlg */
+        if (SECOID_GetAlgorithmTag(&maskHashAlg) != hashAlgTag) {
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return NULL;
+        }
+    }
+
+    hashLength = HASH_ResultLenByOidTag(hashAlgTag);
+
+    if (pssParams.saltLength.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength,
+                                   &saltLength);
+        if (rv != SECSuccess) {
+            return NULL;
+        }
+
+        /* The specified salt length is too long */
+        if (saltLength > modBytes - hashLength - 2) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return NULL;
+        }
+    }
+
+    /* Fill in the parameters */
+    if (pssParams.hashAlg) {
+        if (hashAlgTag == SEC_OID_SHA1) {
+            /* Omit hashAlg if the the algorithm is SHA-1 (default) */
+            pssParams.hashAlg = NULL;
+        }
+    } else {
+        if (hashAlgTag != SEC_OID_SHA1) {
+            pssParams.hashAlg = PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
+            if (!pssParams.hashAlg) {
+                return NULL;
+            }
+            rv = SECOID_SetAlgorithmID(arena, pssParams.hashAlg, hashAlgTag,
+                                       NULL);
+            if (rv != SECSuccess) {
+                return NULL;
+            }
+        }
+    }
+
+    if (pssParams.maskAlg) {
+        if (hashAlgTag == SEC_OID_SHA1) {
+            /* Omit maskAlg if the the algorithm is SHA-1 (default) */
+            pssParams.maskAlg = NULL;
+        }
+    } else {
+        if (hashAlgTag != SEC_OID_SHA1) {
+            SECItem *hashAlgItem;
+
+            PORT_Assert(pssParams.hashAlg != NULL);
+
+            hashAlgItem = SEC_ASN1EncodeItem(arena, NULL, pssParams.hashAlg,
+                                             SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
+            if (!hashAlgItem) {
+                return NULL;
+            }
+            pssParams.maskAlg = PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
+            if (!pssParams.maskAlg) {
+                return NULL;
+            }
+            rv = SECOID_SetAlgorithmID(arena, pssParams.maskAlg,
+                                       SEC_OID_PKCS1_MGF1, hashAlgItem);
+            if (rv != SECSuccess) {
+                return NULL;
+            }
+        }
+    }
+
+    if (pssParams.saltLength.data) {
+        if (saltLength == 20) {
+            /* Omit the salt length if it is the default */
+            pssParams.saltLength.data = NULL;
+        }
+    } else {
+        /* Find a suitable length from the hash algorithm and modulus bits */
+        saltLength = PR_MIN(hashLength, modBytes - hashLength - 2);
+
+        if (saltLength != 20 &&
+            !SEC_ASN1EncodeInteger(arena, &pssParams.saltLength, saltLength)) {
+            return NULL;
+        }
+    }
+
+    if (pssParams.trailerField.data) {
+        /* Omit trailerField if the value is 1 (default) */
+        pssParams.trailerField.data = NULL;
+    }
+
+    return SEC_ASN1EncodeItem(arena, result,
+                              &pssParams, SECKEY_RSAPSSParamsTemplate);
+}
+
+SECItem *
+SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena,
+                                       SECItem *result,
+                                       SECOidTag signAlgTag,
+                                       SECOidTag hashAlgTag,
+                                       const SECItem *params,
+                                       const SECKEYPrivateKey *key)
+{
+    switch (signAlgTag) {
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            return sec_CreateRSAPSSParameters(arena, result,
+                                              hashAlgTag, params, key);
+
+        default:
+            if (params == NULL)
+                return NULL;
+            if (result == NULL)
+                result = SECITEM_AllocItem(arena, NULL, 0);
+            if (SECITEM_CopyItem(arena, result, params) != SECSuccess)
+                return NULL;
+            return result;
+    }
+}
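Review bot: In sec_CreateRSAPSSParameters the salt-length bound `saltLength > modBytes - hashLength - 2` compares an unsigned long with an int, so whenever the right-hand side is negative (a modulus shorter than the hash plus two bytes, or a negative value from PK11_GetPrivateModulusLen if it reports failure that way) it converts to a huge unsigned value and the check passes for every salt length; the later `PR_MIN(hashLength, modBytes - hashLength - 2)` has the same problem and can store a negative value into the unsigned saltLength. Validating modBytes and computing the bound once in a signed variable removes both, as below. In SEC_CreateSignatureAlgorithmParameters the default branch passes the result of SECITEM_AllocItem to SECITEM_CopyItem without checking it, so an allocation failure dereferences NULL; add `if (result == NULL) return NULL;` after the allocation. Minor: `else if (hashAlgTag == SEC_OID_UNKNOWN)` is just `else` at that point, and two comments read "the the".
```c
    int modBytes, hashLength, maxSaltLength;
    /* … unchanged: key type check, parameter decoding, trailerField … */

    modBytes = PK11_GetPrivateModulusLen((SECKEYPrivateKey *)key);
    if (modBytes <= 0) {
        /* modulus length unavailable; error presumably set by the callee */
        return NULL;
    }

    /* … unchanged: hash algorithm selection and maskAlg checks … */

    hashLength = HASH_ResultLenByOidTag(hashAlgTag);
    if (hashLength <= 0 || modBytes < hashLength + 2) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    maxSaltLength = modBytes - hashLength - 2; /* non-negative from here on */

    if (pssParams.saltLength.data) {
        /* … unchanged: decode saltLength … */
        if (saltLength > (unsigned long)maxSaltLength) {
            PORT_SetError(SEC_ERROR_INVALID_ARGS);
            return NULL;
        }
    }

    /* … unchanged: filling in hashAlg and maskAlg … */

    } else {
        /* Find a suitable length from the hash algorithm and modulus bits */
        saltLength = PR_MIN(hashLength, maxSaltLength);
        /* … unchanged: encode saltLength unless it is the default 20 … */
    }
```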
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
index 2ac21abd4d..83c9c579da 100644
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -136,6 +136,8 @@ struct VFYContextStr {
         unsigned char dsasig[DSA_MAX_SIGNATURE_LEN];
         /* the full ECDSA signature */
         unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
+        /* the full RSA signature, only used in RSA-PSS */
+        unsigned char rsasig[(RSA_MAX_MODULUS_BITS + 7) / 8];
     } u;
     unsigned int pkcs1RSADigestInfoLen;
     /* the encoded DigestInfo from a RSA PKCS#1 signature */
@@ -148,6 +150,7 @@ struct VFYContextStr {
                                      * VFY_CreateContext call. If false, the
                                      * signature must be provided with a
                                      * VFY_EndWithSignature call. */
+    SECItem *params;
 };
 
 static SECStatus
@@ -250,9 +253,38 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
             *hashalg = SEC_OID_SHA1;
             break;
         case SEC_OID_PKCS1_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
             *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */
             break;
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            if (param && param->data) {
+                SECKEYRSAPSSParams pssParam;
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                    return SECFailure;
+                }
+                PORT_Memset(&pssParam, 0, sizeof pssParam);
+                rv = SEC_QuickDERDecodeItem(arena, &pssParam,
+                                            SECKEY_RSAPSSParamsTemplate,
+                                            param);
+                if (rv != SECSuccess) {
+                    PORT_FreeArena(arena,
+                                   PR_FALSE);
+                    return rv;
+                }
+                if (pssParam.hashAlg) {
+                    *hashalg = SECOID_GetAlgorithmTag(pssParam.hashAlg);
+                } else {
+                    *hashalg = SEC_OID_SHA1; /* default, SHA-1 */
+                }
+                PORT_FreeArena(arena, PR_FALSE);
+                /* only accept hash algorithms */
+                if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
+                    /* error set by HASH_GetHashTypeByOidTag */
+                    return SECFailure;
+                }
+            } else {
+                *hashalg = SEC_OID_SHA1; /* default, SHA-1 */
+            }
+            break;
 
         case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
         case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
@@ -434,6 +466,20 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
                                         cx->key, sig, wincx);
             break;
+        case rsaPssKey:
+            sigLen = SECKEY_SignatureLen(key);
+            if (sigLen == 0) {
+                /* error set by SECKEY_SignatureLen */
+                rv = SECFailure;
+                break;
+            }
+            if (sig->len != sigLen) {
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                rv = SECFailure;
+                break;
+            }
+            PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+            break;
         case dsaKey:
         case ecKey:
             sigLen = SECKEY_SignatureLen(key);
@@ -496,6 +542,7 @@ VFYContext *
 VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig,
                                  const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx)
 {
+    VFYContext *cx;
     SECOidTag encAlg, hashAlg;
     SECStatus rv = sec_DecodeSigAlg(key,
                                     SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm),
@@ -503,7 +550,13 @@ VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig,
     if (rv != SECSuccess) {
         return NULL;
     }
-    return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
+
+    cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
+    if (sigAlgorithm->parameters.data) {
+        cx->params = SECITEM_DupItem(&sigAlgorithm->parameters);
+    }
+
+    return cx;
 }
 
 void
@@ -520,6 +573,9 @@ VFY_DestroyContext(VFYContext *cx, PRBool freeit)
     if (cx->pkcs1RSADigestInfo) {
         PORT_Free(cx->pkcs1RSADigestInfo);
     }
+    if (cx->params) {
+        SECITEM_FreeItem(cx->params, PR_TRUE);
+    }
     if (freeit) {
         PORT_ZFree(cx, sizeof(VFYContext));
     }
@@ -562,7 +618,7 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
 {
     unsigned char final[HASH_LENGTH_MAX];
     unsigned part;
-    SECItem hash, dsasig; /* dsasig is also used for ECDSA */
+    SECItem hash, rsasig, dsasig; /* dsasig is also used for ECDSA */
     SECStatus rv;
 
     if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) {
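Review bot: VFY_CreateContextWithAlgorithmID dereferences `cx` right after `cx = vfy_CreateContext(...)`, but as far as this page shows vfy_CreateContext returns NULL on failure (the rsaPssKey case in the first hunk on this line sets rv = SECFailure, and the removed line returned its result directly where the function's own error path returns NULL), so a bad signature length or unsupported key now crashes instead of returning NULL. The SECITEM_DupItem result is also unchecked, leaving cx->params NULL on allocation failure. Note too that sec_DecodeSigAlg accepts an RSA-PSS algorithm ID with absent parameters (defaulting to SHA-1), in which case cx->params stays NULL, while the PSS branch added to VFY_EndWithSignature in the next hunk hands cx->params straight to SEC_QuickDERDecodeItem; SGN_End handles that case with defaults, and the verify side should either do the same or reject it here.
```c
    cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
    if (cx == NULL) {
        return NULL;
    }
    if (sigAlgorithm->parameters.data) {
        cx->params = SECITEM_DupItem(&sigAlgorithm->parameters);
        if (cx->params == NULL) {
            VFY_DestroyContext(cx, PR_TRUE);
            return NULL;
        }
    }

    return cx;
```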
@@ -598,25 +654,70 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig) return SECFailure; } break; - case rsaKey: { - SECItem digest; - digest.data = final; - digest.len = part; - if (sig) { - SECOidTag hashid; - PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); - rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid, - &cx->pkcs1RSADigestInfo, - &cx->pkcs1RSADigestInfoLen, - cx->key, - sig, cx->wincx); - PORT_Assert(cx->hashAlg == hashid); + case rsaKey: + if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + CK_RSA_PKCS_PSS_PARAMS mech; + SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) }; + SECKEYRSAPSSParams params; + PLArenaPool *arena; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return SECFailure; + } + + PORT_Memset(¶ms, 0, sizeof(params)); + rv = SEC_QuickDERDecodeItem(arena, ¶ms, + SECKEY_RSAPSSParamsTemplate, + cx->params); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + return SECFailure; + } + rv = sec_RSAPSSParamsToMechanism(&mech, ¶ms); + PORT_FreeArena(arena, PR_FALSE); if (rv != SECSuccess) { return SECFailure; } + rsasig.data = cx->u.buffer; + rsasig.len = SECKEY_SignatureLen(cx->key); + if (rsasig.len == 0) { + return SECFailure; + } + if (sig) { + if (sig->len != rsasig.len) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + PORT_Memcpy(rsasig.data, sig->data, rsasig.len); + } + hash.data = final; + hash.len = part; + if (PK11_VerifyWithMechanism(cx->key, CKM_RSA_PKCS_PSS, &mechItem, + &rsasig, &hash, cx->wincx) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + } else { + SECItem digest; + digest.data = final; + digest.len = part; + if (sig) { + SECOidTag hashid; + PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); + rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid, + &cx->pkcs1RSADigestInfo, + &cx->pkcs1RSADigestInfoLen, + cx->key, + sig, cx->wincx); + PORT_Assert(cx->hashAlg == hashid); + if (rv != SECSuccess) { + return SECFailure; + } + 
} + return verifyPKCS1DigestInfo(cx, &digest); } - return verifyPKCS1DigestInfo(cx, &digest); - } + break; default: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; /* shouldn't happen */ @@ -722,7 +823,7 @@ VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, static SECStatus vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - SECOidTag *hash, void *wincx) + const SECItem *params, SECOidTag *hash, void *wincx) { SECStatus rv; VFYContext *cx; @@ -730,6 +831,9 @@ vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); if (cx == NULL) return SECFailure; + if (params) { + cx->params = SECITEM_DupItem(params); + } rv = VFY_Begin(cx); if (rv == SECSuccess) { @@ -748,7 +852,7 @@ VFY_VerifyDataDirect(const unsigned char *buf, int len, SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, hash, wincx); } SECStatus @@ -760,7 +864,7 @@ VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, if (rv != SECSuccess) { return rv; } - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, wincx); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, NULL, wincx); } SECStatus @@ -777,5 +881,6 @@ VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, if (rv != SECSuccess) { return rv; } - return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); + return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, + &sigAlgorithm->parameters, hash, wincx); } diff --git a/lib/freebl/poly1305.h b/lib/freebl/poly1305.h index 0a463483fc..125f49b3ba 100644 --- a/lib/freebl/poly1305.h +++ b/lib/freebl/poly1305.h 
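Review bot: The PSS branch of VFY_EndWithSignature passes `cx->params` straight to SEC_QuickDERDecodeItem, but `cx->params` stays NULL whenever the AlgorithmIdentifier carries no parameters (VFY_CreateContextWithAlgorithmID only duplicates them when `parameters.data` is set, and the plain VFY_CreateContext path never sets the field), so a PSS signature with absent parameters — which sec_DecodeSigAlg in this same patch explicitly treats as the SHA-1 default — is either rejected or dereferences NULL, depending on how that decoder handles a NULL item. Wrapping the decode in `if (cx->params != NULL && cx->params->data != NULL) {` and otherwise handing the zeroed `params` to sec_RSAPSSParamsToMechanism would make the two sites agree, provided that helper applies the RFC 4055 defaults to NULL fields as sec_DecodeSigAlg does for `hashAlg`; if it does not, the absent-parameters case should at least fail with an explicit PORT_SetError rather than the bare `return SECFailure`. A comment is also warranted that `mech.hashAlg` is derived from the parameters here while `final` was computed with `cx->hashAlg` chosen at context creation, so the two only agree when every caller obtained `cx->hashAlg` from the same parameters. VFY_EndWithSignature begins and ends outside this hunk.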
@@ -8,6 +8,8 @@ #ifndef FREEBL_POLY1305_H_ #define FREEBL_POLY1305_H_ +#include "stddef.h" + typedef unsigned char poly1305_state[512]; /* Poly1305Init sets up |state| so that it can be used to calculate an diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c index 7354d93179..204c8ff023 100644 --- a/lib/freebl/rsa.c +++ b/lib/freebl/rsa.c @@ -318,6 +318,13 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) key->version.data[0] = 0; /* 3. Set the public exponent */ SECITEM_TO_MPINT(*publicExponent, &e); +#ifndef NSS_FIPS_DISABLED + /* check the exponent size we */ + if (mp_cmp_d(&e, 0x10001) < 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto cleanup; + } +#endif kiter = 0; max_attempts = 5 * (keySizeInBits / 2); /* FIPS 186-4 B.3.3 steps 4.7 and 5.8 */ do { diff --git a/lib/nss/nss.def b/lib/nss/nss.def index b61ce023ae..4f0ade4d0b 100644 --- a/lib/nss/nss.def +++ b/lib/nss/nss.def @@ -1123,3 +1123,13 @@ CERT_FindCertByNicknameOrEmailAddrForUsageCX; ;+ local: ;+ *; ;+}; +;+NSS_3.34 { # NSS 3.34 release +;+ global: +PK11_CreateManagedGenericObject; +SGN_NewContextWithAlgorithmID; +SEC_SignDataWithAlgorithmID; +SEC_DerSignDataWithAlgorithmID; +SEC_CreateSignatureAlgorithmParameters; +;+ local: +;+ *; +;+}; diff --git a/lib/nss/nss.h b/lib/nss/nss.h index f043f86e2e..6854664145 100644 --- a/lib/nss/nss.h +++ b/lib/nss/nss.h @@ -22,9 +22,9 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.34" _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.35" _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 -#define NSS_VMINOR 34 +#define NSS_VMINOR 35 #define NSS_VPATCH 0 #define NSS_VBUILD 0 #define NSS_BETA PR_TRUE diff --git a/lib/pk11wrap/pk11merge.c b/lib/pk11wrap/pk11merge.c index 8c4c5129aa..d14f44c780 100644 --- a/lib/pk11wrap/pk11merge.c +++ b/lib/pk11wrap/pk11merge.c 
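Review bot: `#include "stddef.h"` in poly1305.h names a standard header with the quoted form, which searches the including file's directory first and would silently pick up a local file of that name before the system header. The angle-bracket form `#include <stddef.h>` is the conventional spelling for standard headers and avoids that lookup.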
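Review bot: The new comment `/* check the exponent size we */` in RSA_NewKey is cut off and does not say which requirement the `mp_cmp_d(&e, 0x10001) < 0` test enforces, so a reader has to know FIPS 186-4 to see why 65537 is the threshold. Something like `/* FIPS 186-4 B.3.1: the public exponent must be at least 65537 (0x10001); enforced unless the FIPS build is disabled */` documents both the bound and the `#ifndef NSS_FIPS_DISABLED` guard. FIPS 186-4 also requires e to be odd and below 2^256; neither is checked in this hunk, so if those checks do not exist elsewhere in RSA_NewKey the comment should state that this test is only the lower bound. RSA_NewKey begins and ends outside the hunk.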
@@ -1258,6 +1258,7 @@ pk11_newMergeLogNode(PLArenaPool *arena, /* initialize it */ obj->slot = slot; obj->objectID = id; + obj->owner = PR_FALSE; newLog->object = obj; newLog->error = error; diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c index 9e9b611e51..b97caddd44 100644 --- a/lib/pk11wrap/pk11obj.c +++ b/lib/pk11wrap/pk11obj.c @@ -1505,6 +1505,7 @@ PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass) /* initialize it */ obj->slot = PK11_ReferenceSlot(slot); obj->objectID = objectIDs[i]; + obj->owner = PR_FALSE; obj->next = NULL; obj->prev = NULL; @@ -1585,6 +1586,9 @@ PK11_DestroyGenericObject(PK11GenericObject *object) PK11_UnlinkGenericObject(object); if (object->slot) { + if (object->owner) { + PK11_DestroyObject(object->slot, object->objectID); + } PK11_FreeSlot(object->slot); } PORT_Free(object); @@ -1626,8 +1630,9 @@ PK11_DestroyGenericObjects(PK11GenericObject *objects) * Hand Create a new object and return the Generic object for our new object. */ PK11GenericObject * -PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, - int count, PRBool token) +pk11_CreateGenericObjectHelper(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, + int count, PRBool token, PRBool owner) { CK_OBJECT_HANDLE objectID; PK11GenericObject *obj; 
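Review bot: PK11_DestroyGenericObject discards the result of the new `PK11_DestroyObject(object->slot, object->objectID)` call, so a token that refuses to delete the handle leaves the object behind while the caller is told SECSuccess, and the leak the `owner` flag is meant to close goes unnoticed. Capturing the status, e.g. `rv = PK11_DestroyObject(object->slot, object->objectID);`, and returning it after the unconditional PK11_FreeSlot and PORT_Free keeps the memory cleanup unchanged while reporting the failure. The function's return statement is outside the hunk, so I cannot see whether a status variable already exists.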
@@ -1651,11 +1656,40 @@ PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, /* initialize it */ obj->slot = PK11_ReferenceSlot(slot); obj->objectID = objectID; + obj->owner = owner; obj->next = NULL; obj->prev = NULL; return obj; } +/* This is the classic interface. Applications would call this function to + * create new object that would not be destroyed later. This lead to resource + * leaks (and thus memory leaks in the PKCS #11 module). To solve this we have + * a new interface that automatically marks objects created on the fly to be + * destroyed later. + * The old interface is preserved because applications like Mozilla purposefully + * leak the reference to be found later with PK11_FindGenericObjects. New + * applications should use the new interface PK11_CreateManagedGenericObject */ +PK11GenericObject * +PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, + int count, PRBool token) +{ + return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token, + PR_FALSE); +} + +/* Use this interface. It will automatically destroy any temporary objects + * (token = PR_FALSE) when the PK11GenericObject is freed. Permanent objects still + * need to be destroyed by hand with PK11_DestroyTokenObject. + */ +PK11GenericObject * +PK11_CreateManagedGenericObject(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, int count, PRBool token) +{ + return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token, + !token); +} + /* * Change an attribute on a raw object */ diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h index edfe82f5ae..dbd8da0923 100644 --- a/lib/pk11wrap/pk11pub.h +++ b/lib/pk11wrap/pk11pub.h 
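Review bot: The comment above PK11_CreateGenericObject reads `This lead to resource leaks`, which should be `This led to resource leaks`, and it does not say what "destroyed later" means in practice for the new API. Stating the ownership rule that the code implements — `owner` is set to `!token`, so PK11_CreateManagedGenericObject destroys session objects in PK11_DestroyGenericObject and leaves token objects alone — in one sentence of the PK11_CreateManagedGenericObject comment would spare callers reading pk11_CreateGenericObjectHelper. The helper itself has a lowercase `pk11_` prefix but no `static`; if it is not declared in a header, `static` keeps it out of the exported namespace.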
@@ -831,6 +831,10 @@ SECStatus PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object); SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object); SECStatus PK11_DestroyGenericObject(PK11GenericObject *object); +PK11GenericObject *PK11_CreateManagedGenericObject(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, + int count, PRBool token); +/* deprecated */ PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, int count, PRBool token); diff --git a/lib/pk11wrap/secmodti.h b/lib/pk11wrap/secmodti.h index 63c2079297..260e6387d7 100644 --- a/lib/pk11wrap/secmodti.h +++ b/lib/pk11wrap/secmodti.h @@ -175,6 +175,7 @@ struct PK11GenericObjectStr { PK11GenericObject *next; PK11SlotInfo *slot; CK_OBJECT_HANDLE objectID; + PRBool owner; }; #define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */ diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c index 96ada5c0f5..d8f4369542 100644 --- a/lib/pkcs7/p7create.c +++ b/lib/pkcs7/p7create.c @@ -18,7 +18,7 @@ #include "secder.h" #include "secpkcs5.h" -const int NSS_PBE_DEFAULT_ITERATION_COUNT = 2000; /* used in p12e.c too */ +const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */ static SECStatus sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp, diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c index b4465d221e..968fa09d59 100644 --- a/lib/softoken/pkcs11.c +++ b/lib/softoken/pkcs11.c 
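Review bot: The comment on NSS_PBE_DEFAULT_ITERATION_COUNT still says only `/* used in p12e.c too */`, so nothing on the line explains that 100000 is the PBE/PBKDF iteration count applied when password-protected PKCS#7 or PKCS#12 content is created, or why it rose fifty-fold from 2000. A comment such as `/* PBE/PBKDF iteration count for newly created PKCS#7 and PKCS#12 content; used in p12e.c too. Higher counts slow offline password guessing at the cost of proportionally slower export and import. */` records the trade-off. Reading existing files should be unaffected because their count is carried in the PBE parameters, if that is how the consumers use this constant — worth confirming and stating in the comment.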
@@ -421,11 +421,20 @@ static const struct mechanismList mechanisms[] = { #endif /* --------------------- Secret Key Operations ------------------------ */ { CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE }, - { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_GENERATE }, PR_FALSE }, - { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE }, - { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_GENERATE }, PR_FALSE }, - { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE }, + { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + /* ---------------------- SSL Key Derivations ------------------------- */ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE }, { CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c index b88513b79f..d675d73315 100644 --- a/lib/softoken/pkcs11c.c +++ b/lib/softoken/pkcs11c.c 
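Review bot: The eight new *_ENCRYPT_DATA entries advertise `{ 1, 32, CKF_DERIVE }`, yet sftk_DeriveEncrypt in pkcs11c.c accepts derived keys up to SFTK_MAX_DERIVE_KEY_SIZE (64 bytes, "large enough for a 512-bit key"), so the mechanism info and the implementation disagree about the maximum. If the limits describe the derived key, one of the two numbers should change; if they describe the base key, they should be the sizes the cipher code actually accepts (the DES3 case takes 16 or 24 bytes) rather than 1..32. The change from CKF_GENERATE to CKF_DERIVE on the four CKM_CONCATENATE/XOR entries looks like the right correction, and a short comment marking them as derive-only mechanisms would help future readers of this table.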
@@ -6240,6 +6240,43 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len, return CKR_MECHANISM_INVALID; } +/* + * Handle the derive from a block encryption cipher + */ +CK_RV +sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo, + int blockSize, SFTKObject *key, CK_ULONG keySize, + unsigned char *data, CK_ULONG len) +{ + /* large enough for a 512-bit key */ + unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE]; + SECStatus rv; + unsigned int outLen; + CK_RV crv; + + if ((len % blockSize) != 0) { + return CKR_MECHANISM_PARAM_INVALID; + } + if (len > SFTK_MAX_DERIVE_KEY_SIZE) { + return CKR_MECHANISM_PARAM_INVALID; + } + if (keySize && (len < keySize)) { + return CKR_MECHANISM_PARAM_INVALID; + } + if (keySize == 0) { + keySize = len; + } + + rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len); + if (rv != SECSuccess) { + crv = sftk_MapCryptError(PORT_GetError()); + return crv; + } + + crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize); + return crv; +} + /* * SSL Key generation given pre master secret */ 
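Review bot: sftk_DeriveEncrypt leaves the freshly derived key material in the stack array `tmpdata` on every exit path after the encrypt call, whereas the DES3 caller in NSC_DeriveKey scrubs its own `des3key`; the derived key deserves the same treatment so it does not linger on the stack after the attribute has been set. Replacing the tail with `crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);`, `PORT_Memset(tmpdata, 0, sizeof tmpdata);`, `return crv;` and clearing the array on the encrypt-failure path as well covers it. A zero `len` passes every check (it is a multiple of blockSize and sets keySize to 0), so `if (len == 0 || (len % blockSize) != 0)` would reject an empty derivation explicitly. `&tmpdata` in the encrypt call has array-pointer type rather than `unsigned char *`; passing `tmpdata` reads more naturally and matches how `data` is passed.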
@@ -6898,6 +6935,172 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, break; } + case CKM_DES3_ECB_ENCRYPT_DATA: + case CKM_DES3_CBC_ENCRYPT_DATA: { + void *cipherInfo; + unsigned char des3key[MAX_DES3_KEY_SIZE]; + CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) { + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + mode = NSS_DES_EDE3; + iv = NULL; + data = stringPtr->pData; + len = stringPtr->ulLen; + } else { + mode = NSS_DES_EDE3_CBC; + desEncryptPtr = + (CK_DES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + iv = desEncryptPtr->iv; + data = desEncryptPtr->pData; + len = desEncryptPtr->length; + } + if (att->attrib.ulValueLen == 16) { + PORT_Memcpy(des3key, att->attrib.pValue, 16); + PORT_Memcpy(des3key + 16, des3key, 8); + } else if (att->attrib.ulValueLen == 24) { + PORT_Memcpy(des3key, att->attrib.pValue, 24); + } else { + crv = CKR_KEY_SIZE_RANGE; + break; + } + cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE); + PORT_Memset(des3key, 0, 24); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt, + cipherInfo, 8, key, keySize, + data, len); + DES_DestroyContext(cipherInfo, PR_TRUE); + break; + } + + case CKM_AES_ECB_ENCRYPT_DATA: + case CKM_AES_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) { + mode = NSS_AES; + iv = NULL; + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; + data = stringPtr->pData; + len = stringPtr->ulLen; + } else { + aesEncryptPtr = + (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter; + mode = NSS_AES_CBC; + iv = aesEncryptPtr->iv; + data = aesEncryptPtr->pData; + len = aesEncryptPtr->length; + } + + cipherInfo = 
AES_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE, + att->attrib.ulValueLen, 16); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + AES_DestroyContext(cipherInfo, PR_TRUE); + break; + } + + case CKM_CAMELLIA_ECB_ENCRYPT_DATA: + case CKM_CAMELLIA_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) { + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + aesEncryptPtr = NULL; + mode = NSS_CAMELLIA; + data = stringPtr->pData; + len = stringPtr->ulLen; + iv = NULL; + } else { + stringPtr = NULL; + aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + mode = NSS_CAMELLIA_CBC; + iv = aesEncryptPtr->iv; + data = aesEncryptPtr->pData; + len = aesEncryptPtr->length; + } + + cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE, + att->attrib.ulValueLen); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + Camellia_DestroyContext(cipherInfo, PR_TRUE); + break; + } + + case CKM_SEED_ECB_ENCRYPT_DATA: + case CKM_SEED_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) { + mode = NSS_SEED; + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + aesEncryptPtr = NULL; + data = stringPtr->pData; + len = stringPtr->ulLen; + iv = NULL; + } else { + mode = NSS_SEED_CBC; + aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + iv = aesEncryptPtr->iv; + data = aesEncryptPtr->pData; + len = 
aesEncryptPtr->length; + } + + cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + SEED_DestroyContext(cipherInfo, PR_TRUE); + break; + } + case CKM_CONCATENATE_BASE_AND_KEY: { SFTKObject *newKey; diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c index 4be6e5dffe..716f62c0bf 100644 --- a/lib/softoken/sftkdb.c +++ b/lib/softoken/sftkdb.c @@ -40,7 +40,7 @@ */ #define BBP 8 -static PRBool +PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type) { switch (type) { @@ -1370,7 +1370,8 @@ sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object, } /* make sure we don't have attributes that conflict with the existing DB */ - crv = sftkdb_checkConflicts(db, object->objclass, template, count, objectID); + crv = sftkdb_checkConflicts(db, object->objclass, ntemplate, count, + objectID); if (crv != CKR_OK) { goto loser; } @@ -1386,8 +1387,8 @@ sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object, goto loser; } inTransaction = PR_TRUE; - crv = sftkdb_setAttributeValue(arena, handle, db, - objectID, template, count); + crv = sftkdb_setAttributeValue(arena, handle, db, objectID, ntemplate, + count); if (crv != CKR_OK) { goto loser; } diff --git a/lib/softoken/sftkdbti.h b/lib/softoken/sftkdbti.h index 4942e1b12e..7b1db45607 100644 --- a/lib/softoken/sftkdbti.h +++ b/lib/softoken/sftkdbti.h @@ -49,6 +49,7 @@ SECStatus sftkdb_VerifyAttribute(SECItem *passKey, CK_ATTRIBUTE_TYPE attrType, SECItem *plainText, SECItem *sigText); +PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type); void sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value); CK_RV sftkdb_Update(SFTKDBHandle *handle, SECItem *key); CK_RV sftkdb_PutAttributeSignature(SFTKDBHandle *handle, diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c index 0b8c91bfda..e0d2df9ab4 100644 
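Review bot: Each of the four new cases casts `pMechanism->pParameter` to a CK_KEY_DERIVATION_STRING_DATA or CK_*_CBC_ENCRYPT_DATA_PARAMS structure and reads `pData`, `length` and `iv` from it without comparing `pMechanism->ulParameterLen` to that structure's size, so a caller that supplies a shorter parameter block makes softoken read past it; unless NSC_DeriveKey validates the length before the switch (the function begins and ends outside the hunk), each case should open with `if (pMechanism->ulParameterLen != sizeof(*desEncryptPtr)) { crv = CKR_MECHANISM_PARAM_INVALID; break; }` for its own parameter type. A NULL context from the *_CreateContext calls is reported as CKR_HOST_MEMORY even when the cause is an unsupported key length, which the AES, Camellia and SEED cases pass through unvalidated; `crv = sftk_MapCryptError(PORT_GetError());`, as sftk_DeriveEncrypt already does, gives the caller the real reason whenever the freebl layer sets one. The DES3 case uses literal 8, 16 and 24 where the new DES_BLOCK_SIZE and MAX_DES3_KEY_SIZE macros from softoknt.h (and `sizeof des3key`) would tie the numbers together. The four cases differ only in the cipher entry points and mode constants, which suggests a small table or helper to keep them from drifting apart.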
--- a/lib/softoken/sftkpwd.c +++ b/lib/softoken/sftkpwd.c @@ -926,6 +926,13 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, continue; } + if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) && + sftkdb_isULONGAttribute(authAttrs[i].type)) { + CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue; + sftk_ULong2SDBULong(authAttrs[i].pValue, value); + authAttrs[i].ulValueLen = SDB_ULONG_SIZE; + } + plainText.data = authAttrs[i].pValue; plainText.len = authAttrs[i].ulValueLen; rv = sftkdb_SignAttribute(arena, newKey, id, diff --git a/lib/softoken/softkver.h b/lib/softoken/softkver.h index 32987a4f4f..b08a84e294 100644 --- a/lib/softoken/softkver.h +++ b/lib/softoken/softkver.h @@ -17,9 +17,9 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.34" SOFTOKEN_ECC_STRING " Beta" +#define SOFTOKEN_VERSION "3.35" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 34 +#define SOFTOKEN_VMINOR 35 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_TRUE diff --git a/lib/softoken/softoknt.h b/lib/softoken/softoknt.h index 0716898425..03c92361c0 100644 --- a/lib/softoken/softoknt.h +++ b/lib/softoken/softoknt.h @@ -9,6 +9,9 @@ #define _SOFTOKNT_H_ #define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048 +#define DES_BLOCK_SIZE 8 /* bytes */ +#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */ +#define SFTK_MAX_DERIVE_KEY_SIZE 64 /* * FIPS 140-2 auditing diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 0d27bbfce2..9634d17186 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -2288,7 +2288,6 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type, *written = contentLen; return SECSuccess; } - /* Process the plain text before sending it. * Returns the number of bytes of plaintext that were successfully sent * plus the number of bytes of plaintext that were copied into the 
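Review bot: The new block in sftk_updateMacs rewrites a CK_ULONG attribute in place with `sftk_ULong2SDBULong(authAttrs[i].pValue, value)` and then shrinks `ulValueLen` to SDB_ULONG_SIZE, which is only safe while SDB_ULONG_SIZE does not exceed sizeof(CK_ULONG) and while nothing after this loop still expects the original host-width value in `authAttrs[i]`; neither assumption is stated. A `PORT_Assert(SDB_ULONG_SIZE <= sizeof(CK_ULONG));` next to the write and a comment such as `/* MACs cover the on-disk SDB encoding of ULONG attributes, so convert in place before signing */` would document why the conversion happens here. The `*(CK_ULONG *)authAttrs[i].pValue` read also assumes the attribute buffer is aligned for a CK_ULONG, which holds if it was allocated as one but not for a byte buffer copied from the database — worth confirming where authAttrs is filled. sftk_updateMacs begins and ends outside the hunk.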
@@ -6040,7 +6039,7 @@ ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes) if (!initHashes) { return SECSuccess; } - /* Now we've have a cipher suite, initialize the handshake hashes. */ + /* Now we have a cipher suite, initialize the handshake hashes. */ return ssl3_InitHandshakeHashes(ss); } @@ -8832,8 +8831,8 @@ ssl3_SendServerHello(sslSocket *ss) goto loser; /* err set by AppendHandshake. */ } /* Random already generated in ssl3_HandleClientHello */ - rv = ssl3_AppendHandshake( - ss, ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); + rv = ssl3_AppendHandshake(ss, ss->ssl3.hs.server_random, + SSL3_RANDOM_LENGTH); if (rv != SECSuccess) { goto loser; /* err set by AppendHandshake. */ } @@ -12181,6 +12180,9 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); + /* Ensure that we don't process this data again. */ + databuf->len = 0; + /* Ignore a CCS if the alternative handshake is negotiated. Note that * this will fail if the server fails to negotiate the alternative * handshake type in a 0-RTT session that is resumed from a session that @@ -12191,14 +12193,13 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) ss->ssl3.hs.altHandshakeType && cText->buf->len == 1 && cText->buf->buf[0] == change_cipher_spec_choice) { - databuf->len = 0; + /* Ignore the CCS. */ return SECSuccess; } if (IS_DTLS(ss) || (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_trial)) { /* Silently drop the packet */ - databuf->len = 0; /* Needed to ensure data not left around */ return SECSuccess; } else { int errCode = PORT_GetError(); diff --git a/lib/util/nssutil.h b/lib/util/nssutil.h index c1b9e1fbde..3afa4a52b3 100644 --- a/lib/util/nssutil.h +++ b/lib/util/nssutil.h 
@@ -19,9 +19,9 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.34 Beta" +#define NSSUTIL_VERSION "3.35 Beta" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 34 +#define NSSUTIL_VMINOR 35 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_TRUE diff --git a/nss.gyp b/nss.gyp index 76302d7765..9e9b49f7ff 100644 --- a/nss.gyp +++ b/nss.gyp @@ -148,6 +148,7 @@ 'cmd/pk1sign/pk1sign.gyp:pk1sign', 'cmd/pp/pp.gyp:pp', 'cmd/rsaperf/rsaperf.gyp:rsaperf', + 'cmd/rsapoptst/rsapoptst.gyp:rsapoptst', 'cmd/sdrtest/sdrtest.gyp:sdrtest', 'cmd/selfserv/selfserv.gyp:selfserv', 'cmd/shlibsign/mangle/mangle.gyp:mangle', @@ -163,6 +164,7 @@ 'cmd/vfychain/vfychain.gyp:vfychain', 'cmd/vfyserv/vfyserv.gyp:vfyserv', 'gtests/certhigh_gtest/certhigh_gtest.gyp:certhigh_gtest', + 'gtests/cryptohi_gtest/cryptohi_gtest.gyp:cryptohi_gtest', 'gtests/der_gtest/der_gtest.gyp:der_gtest', 'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest', 'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest', diff --git a/tests/all.sh b/tests/all.sh index 3141571e80..7c9448a461 100755 --- a/tests/all.sh +++ b/tests/all.sh @@ -130,14 +130,20 @@ run_tests() } ########################## run_cycle_standard ########################## -# run test suites with defaults settings (no PKIX, no sharedb) +# run test suites with dbm database (no PKIX, no sharedb) ######################################################################## run_cycle_standard() { TEST_MODE=STANDARD TESTS="${ALL_TESTS}" - TESTS_SKIP= + TESTS_SKIP="cipher libpkix sdr ocsp pkits" + + NSS_DEFAULT_DB_TYPE="dbm" + export NSS_DEFAULT_DB_TYPE + + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` run_tests } 
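Review bot: run_cycle_standard now trims NSS_SSL_TESTS and NSS_SSL_RUN with sed but never restores them, and the later `export -n NSS_SSL_TESTS` / `export -n NSS_SSL_RUN` in run_cycle_shared_db (the @@ -231 hunk) only drops the export attribute while keeping the trimmed value in the shell, so whether the shared-db cycle really runs the full SSL set depends on whether the test scripts read these as environment variables of a child process or as shell variables of a sourced script. Saving the originals before the sed (`SAVED_NSS_SSL_TESTS=${NSS_SSL_TESTS}`) and restoring them in the cycles that run afterwards, or unsetting them with `unset NSS_SSL_TESTS NSS_SSL_RUN` if the defaults are recomputed, removes the dependency on that detail. The same applies to NSS_DEFAULT_DB_TYPE, which `export -n` in run_cycle_pkix (the @@ -162 hunk) leaves set to `dbm` as a shell variable.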
@@ -162,7 +168,12 @@ run_cycle_pkix() TESTS="${ALL_TESTS}" TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + export -n NSS_SSL_RUN + + # use the default format + export -n NSS_DEFAULT_DB_TYPE run_tests } @@ -231,10 +242,10 @@ run_cycle_shared_db() # run the tests for native sharedb support TESTS="${ALL_TESTS}" - TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits" + TESTS_SKIP="dbupgrade" - NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` - NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + export -n NSS_SSL_TESTS + export -n NSS_SSL_RUN run_tests } diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh index 1e7c091e57..9fb29c6458 100755 --- a/tests/cert/cert.sh +++ b/tests/cert/cert.sh @@ -510,7 +510,11 @@ cert_all_CA() # dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain - +# +# Create RSA-PSS version of TestCA + ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 + rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert # @@ -627,7 +631,7 @@ CERTSCRIPT ################################ cert_dsa_CA ############################# # local shell function to build the Temp. Certificate Authority (CA) # used for testing purposes, creating a CA Certificate and a root cert -# This is the ECC version of cert_CA. +# This is the DSA version of cert_CA. ########################################################################## cert_dsa_CA() { @@ -638,7 +642,7 @@ cert_dsa_CA() DOMAIN=$5 CERTSERIAL=$6 - echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME ==========================" + echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME ==========================" if [ ! -d "${CUR_CADIR}" ]; then mkdir -p "${CUR_CADIR}" 
@@ -651,7 +655,7 @@ cert_dsa_CA() LPROFILE="multiaccess:${DOMAIN}" fi - ################# Creating an DSA CA Cert ############################### + ################# Creating a DSA CA Cert ############################### # CU_ACTION="Creating DSA CA Cert $NICKNAME " CU_SUBJECT=$ALL_CU_SUBJECT @@ -690,6 +694,79 @@ CERTSCRIPT + +################################ cert_rsa_pss_CA ############################# +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the RSA-PSS version of cert_CA. +########################################################################## +cert_rsa_pss_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + HASHALG=$7 + + echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + HASHOPT= + if [ -n "$HASHALG" ]; then + HASHOPT="-Z $HASHALG" + fi + + ################# Creating an RSA-PSS CA Cert ############################### + # + CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <&1 + CU_ACTION="Attempt to generate a key with exponent of 3 (too small)" + certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17 (too small)" + certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" RETEXPECTED=0 CU_ACTION="Generate Certificate for ${CERTNAME}" 
@@ -1268,6 +1349,20 @@ MODSCRIPT if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi + +} + +########################## cert_rsa_exponent ################################# +# local shell function to verify small rsa exponent can be used (only +# run if FIPS has not been turned on in the build). +############################################################################## +cert_rsa_exponent() +{ + echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" + CU_ACTION="Attempt to generate a key with exponent of 3" + certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17" + certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" } ############################## cert_eccurves ########################### 
@@ -1955,6 +2050,263 @@ cert_test_implicit_db_init() certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" } +check_sign_algo() +{ + certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ + sed -n '/^ *Data:/,/^$/{ +/^ Signature Algorithm/,/^ *Salt Length/s/^ //p +}' > ${TMP}/signalgo.txt + + diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt + RET=$? + if [ "$RET" -ne 0 ]; then + CERTFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi +} + +cert_test_rsapss() +{ + TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt" + + cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}" + + CU_ACTION="Initialize Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import RSA CA Cert" + certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA.ca.cert" 2>&1 + + CU_ACTION="Import RSA-PSS CA Cert" + certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1 + + CU_ACTION="Verify RSA-PSS CA Cert" + certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" + + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign) + CERTNAME="TestUser-rsa-pss1" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d 
"${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \ + -i req 
-o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + RETEXPECTED=255 + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + RETEXPECTED=0 + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (with compatible hash algorithm) + CERTNAME="TestUser-rsa-pss8" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <
    " } -############################## ssl_cov ################################# +############################# setup_policy ############################# +# local shell function to create policy configuration +######################################################################## +setup_policy() +{ + policy="$1" + OUTFILE=${P_R_CLIENTDIR}/pkcs11.txt + cat > "$OUTFILE" << ++EOF++ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +++EOF++ + echo "config=${policy}" >> "$OUTFILE" + echo "" >> "$OUTFILE" + echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE" + cat >> "$OUTFILE" << ++EOF++ +name=RootCerts +NSS=trustOrder=100 +++EOF++ + + echo "******************************Testing with: " + cat ${P_R_CLIENTDIR}/pkcs11.txt + echo "******************************" +} + +############################## ssl_policy ############################## # local shell function to perform SSL Policy tests ######################################################################## ssl_policy() @@ -688,7 +714,8 @@ ssl_policy() sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then - return; + html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" + return 1; fi echo "Saving pkcs11.txt" @@ -696,9 +723,6 @@ ssl_policy() start_selfserv # Launch the server - VMIN="ssl3" - VMAX="tls1.2" - ignore_blank_lines ${SSLPOLICY} | \ while read value ectype testmax param policy testname do 
@@ -721,24 +745,7 @@ ssl_policy() # load the policy policy=`echo ${policy} | sed -e 's;_; ;g'` - - cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ -library= -name=NSS Internal PKCS #11 Module -parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) -++EOF++ - echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt - echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt - echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt - cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ -name=RootCerts -NSS=trustOrder=100 -++EOF++ - - echo "******************************Testing with: " - cat ${P_R_CLIENTDIR}/pkcs11.txt - echo "******************************" + setup_policy "$policy" echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" @@ -764,6 +771,54 @@ NSS=trustOrder=100 kill_selfserv html "
    " } + +list_enabled_suites() +{ + echo "SSL_DIR=${P_R_CLIENTDIR} ${BINDIR}/listsuites" + SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites | tail -n+3 | \ + sed -n -e '/^TLS_/h' -e '/^ .*Enabled.*/{g;p}' | sed 's/:$//' +} + +############################## ssl_policy_listsuites ################### +# local shell function to perform SSL Policy tests, using listsuites +######################################################################## +ssl_policy_listsuites() +{ + #verbose="-v" + html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + sparam="$CIPHER_SUITES" + + if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized" + return 1; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + + # Disallow all explicitly + setup_policy "disallow=all" + RET_EXP=1 + list_enabled_suites | grep '^TLS_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + # Disallow RSA in key exchange explicitly + setup_policy "disallow=rsa/ssl-key-exchange" + RET_EXP=1 + list_enabled_suites | grep '^TLS_RSA_' + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + + html "
    " +} + ############################# is_revoked ############################### # local shell function to check if certificate is revoked ######################################################################## @@ -1150,7 +1205,8 @@ ssl_run_tests() case "${SSL_TEST}" in "policy") if [ "${TEST_MODE}" = "SHARED_DB" ] ; then - ssl_policy + ssl_policy_listsuites + ssl_policy fi ;; "crl") diff --git a/tests/ssl_gtests/ssl_gtests.sh b/tests/ssl_gtests/ssl_gtests.sh index ac39f212ce..665b5a6297 100755 --- a/tests/ssl_gtests/ssl_gtests.sh +++ b/tests/ssl_gtests/ssl_gtests.sh @@ -41,6 +41,7 @@ certscript() { make_cert() { name=$1 type=$2 + unset type_args trust sign case $type in dsa) type_args='-g 1024' ;; rsa) type_args='-g 1024' ;; @@ -51,6 +52,9 @@ make_cert() { p521) type_args='-q secp521r1';type=ec ;; rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;; rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;; + rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';ca=y;type=rsa ;; + rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;; + rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;; ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;; esac shift 2 @@ -87,6 +91,9 @@ ssl_gtest_certs() { make_cert ecdh_ecdsa p256 kex make_cert rsa_ca rsa_ca ca make_cert rsa_chain rsa_chain sign + make_cert rsa_pss_ca rsapss_ca ca + make_cert rsa_pss_chain rsapss_chain sign + make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign make_cert ecdh_rsa ecdh_rsa kex make_cert dsa dsa sign }