--- /dev/null
+repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f
+node: 1991f9d6db779e5b773a27722ee0bb2dbbc40f7c
+branch: default
+tag: NSS_3_17_RC0
+tag: NSS_3_17_RTM
--- /dev/null
+syntax: glob
+*~
+*OPT.OBJ/*
+*DBG.OBJ/*
+*DBG.OBJD/*
ifdef USE_DEBUG_RTL
NSPR_CONFIGURE_OPTS += --enable-debug-rtl
endif
+ifdef USE_STATIC_RTL
+NSPR_CONFIGURE_OPTS += --enable-static-rtl
+endif
ifdef NS_USE_GCC
NSPR_COMPILERS = CC=gcc CXX=g++
endif
output = fopen(consoleName, "w");
if (output == NULL) {
fprintf(stderr, "Error opening output terminal for write\n");
+ fclose(input);
return NULL;
}
-<HTML>\r
-<!-- This Source Code Form is subject to the terms of the Mozilla Public\r
- - License, v. 2.0. If a copy of the MPL was not distributed with this\r
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->\r
-<HEAD>\r
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">\r
- <META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (WinNT; U) [Netscape]">\r
- <META NAME="Author" CONTENT="Steve Parkinson">\r
- <TITLE>SSLTap - manual</TITLE>\r
-</HEAD>\r
-<BODY>\r
-\r
-<H1>\r
-SSLTap Manual page</H1>\r
-\r
-<H3>\r
-Summary</H3>\r
-A command-line proxy which is SSL-aware. It snoops on TCP connections,\r
-and displays the data going by, including SSL records and handshaking \r
-if the connection is SSL.\r
-<H3>\r
-Synopsis</H3>\r
-<TT>ssltap [-vhfsxl] [-p port] hostname:port</TT>\r
-\r
-<P><TT> -v [prints version string]</TT>\r
-<BR><TT> -h [outputs hex instead\r
-of ASCII]</TT>\r
-<BR><TT> -f [turn on Fancy HTML\r
-coloring]</TT>\r
-<BR><TT> -s [turn on SSL decoding]</TT>\r
-<BR><TT> -x [turn on extra SSL\r
-hex dumps]</TT>\r
-<BR><TT> -p port [specify rendezvous port (default 1924)]</TT>\r
-<BR><TT> -l [loop - continue\r
-to wait for more connections]</TT>\r
-<H3>\r
-Description</H3>\r
-SSLTap opens a socket on a rendezvous port, and waits for an incoming connection\r
-(client side). Once this connection arrives, SSLTap makes another connection\r
-to hostname:port (server side). It passes any data sent by the client to\r
-the server, and vice versa. However, SSLTap will also display the data\r
-to the console. It can do this for plain HTTP connections, or any TCP protocol.\r
-However, SSLTap can also work with SSL streams, as detailed below.\r
-\r
-<P>Let's assume your development machine is called 'intercept'. The simplest\r
-usage of SSLTap is to run the command <TT>'ssltap www.netscape.com:80'</TT>\r
-on intercept. The program will wait for an incoming connection on port\r
-1924. Next you would want to go to your browser, and enter the URL http://intercept:1924.\r
-The page retrieved by the browser will actually be gotten from the server\r
-at www.netscape.com, but will go via SSLTap.\r
-\r
-<P>Data sent from the client to the server is surrounded by a '--> [ ]'\r
-symbol, and data sent from the server to the client, a '<---[ \r
-]' symbol.\r
-\r
-<P>You'll notice that the page retrieved with this example looks incomplete.\r
-This is because SSLTap by default closes down after the first connection\r
-is complete, so the browser is not able to load images. To make the SSLTap\r
-continue to accept connections, switch on looping mode with the -l option.\r
-\r
-<P>You can change the default rendezvous port to something else with the\r
--p option.\r
-\r
-<P>The remaining options change the way the output is produced.\r
-\r
-<P>The -f option prints 'fancy' output - in colored HTML. Data sent from\r
-the client to the server is in blue. The server's reply is in red. This\r
-is designed so you can load the output up into a browser. When used with\r
-looping mode, the different connections are separated with horizontal lines.\r
-\r
-<P>-x will turn on HEX printing. Instead of being output as ascii, the\r
-data is shown as Hex, like this:\r
-<UL><TT><-- [</TT>\r
-<BR><TT> 0: 56 d5 16 3e a1 6b b1 4a 8f 67 c4 d7 \r
-21 2f 6f dd | V..>.k.J.g..!/o.</TT>\r
-<BR><TT> 10: bb 22 c4 75 8c f4 ce 28 16 a6 20 aa \r
-fb 9a 59 a1 | .".u...(.. ...Y.</TT>\r
-<BR><TT> 20: 51 91 14 d2 fc 9f a7 ea 4d 9c f7 3a \r
-9d 83 62 4a | Q.......M..:..bJ</TT>\r
-<BR><TT>]</TT>\r
-<BR> </UL>\r
-\r
-<H4>\r
-SSL Parse mode</H4>\r
-The following options deal with SSL connections.\r
-<UL>-s will turn on SSL parsing. (SSLTap doesn't automatically detect SSL\r
-sessions.)\r
-<BR>-x will turn on extra SSL hexdumps. Mostly, if SSL can decode the data,\r
-it doesn't display the hex.</UL>\r
-The following SSL3 Data structures are parsed: Handshake, ClientHello,\r
-ServerHello, CertificateChain, Certificate. In addition, SSL2 ClientHello,\r
-ServerHello, ClientMasterKey are also partly parsed. NO DECRYPTION IS PERFORMED\r
-ON THE DATA. SSLTAP CANNOT DECRYPT the data.\r
-\r
-<P>If a certificate chain is detected, DER-encoded certificates will be\r
-saved into files in the current directory called 'cert.0x' where x is the\r
-sequence number of the certificate.\r
-<BR> \r
-<H3>\r
-Operation Hints</H3>\r
-Often, you'll find that the server certificate does not get transferred,\r
-or other parts of the handshake do not happen. This is because the browser\r
-is taking advantage of session-id-reuse (using the handshake results from\r
-a previous session). If you restart the browser, it'll clear the session\r
-id cache.\r
-\r
-<P>If you run the ssltap on a different machine that the ssl server you're\r
-trying to connect to, the browser will complain that the host name you're\r
-trying to connect to is different to the certificate, but it will still\r
-let you connect, after showing you a dialog.\r
-<H3>\r
-Bugs</H3>\r
-Please contact <A HREF="mailto:ssltap-support@netscape.com">ssltap-support@netscape.com</A>\r
-for bug reports.\r
-<H3>\r
-History</H3>\r
-2.1 - First public release (March 1998)\r
-<BR> \r
-<H3>\r
-Other</H3>\r
-For reference, here is a table of some well-known port numbers:\r
-<BR> \r
-<TABLE BORDER=2 >\r
-<TR>\r
-<TD>HTTP</TD>\r
-\r
-<TD>80</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>SMTP</TD>\r
-\r
-<TD>25</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>HTTPS</TD>\r
-\r
-<TD>443</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>FTP</TD>\r
-\r
-<TD>21</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>IMAPS</TD>\r
-\r
-<TD>993</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>NNTP</TD>\r
-\r
-<TD>119</TD>\r
-</TR>\r
-\r
-<TR>\r
-<TD>NNTPS</TD>\r
-\r
-<TD>563</TD>\r
-</TR>\r
-</TABLE>\r
- \r
-\r
-<P> \r
-</BODY>\r
-</HTML>\r
+<HTML>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<HEAD>
+ <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+ <META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (WinNT; U) [Netscape]">
+ <META NAME="Author" CONTENT="Steve Parkinson">
+ <TITLE>SSLTap - manual</TITLE>
+</HEAD>
+<BODY>
+
+<H1>
+SSLTap Manual page</H1>
+
+<H3>
+Summary</H3>
+A command-line proxy which is SSL-aware. It snoops on TCP connections,
+and displays the data going by, including SSL records and handshaking
+if the connection is SSL.
+<H3>
+Synopsis</H3>
+<TT>ssltap [-vhfsxl] [-p port] hostname:port</TT>
+
+<P><TT> -v [prints version string]</TT>
+<BR><TT> -h [outputs hex instead
+of ASCII]</TT>
+<BR><TT> -f [turn on Fancy HTML
+coloring]</TT>
+<BR><TT> -s [turn on SSL decoding]</TT>
+<BR><TT> -x [turn on extra SSL
+hex dumps]</TT>
+<BR><TT> -p port [specify rendezvous port (default 1924)]</TT>
+<BR><TT> -l [loop - continue
+to wait for more connections]</TT>
+<H3>
+Description</H3>
+SSLTap opens a socket on a rendezvous port, and waits for an incoming connection
+(client side). Once this connection arrives, SSLTap makes another connection
+to hostname:port (server side). It passes any data sent by the client to
+the server, and vice versa. However, SSLTap will also display the data
+to the console. It can do this for plain HTTP connections, or any TCP protocol.
+However, SSLTap can also work with SSL streams, as detailed below.
+
+<P>Let's assume your development machine is called 'intercept'. The simplest
+usage of SSLTap is to run the command <TT>'ssltap www.netscape.com:80'</TT>
+on intercept. The program will wait for an incoming connection on port
+1924. Next you would want to go to your browser, and enter the URL http://intercept:1924.
+The page retrieved by the browser will actually be gotten from the server
+at www.netscape.com, but will go via SSLTap.
+
+<P>Data sent from the client to the server is surrounded by a '--> [ ]'
+symbol, and data sent from the server to the client, a '<---[
+]' symbol.
+
+<P>You'll notice that the page retrieved with this example looks incomplete.
+This is because SSLTap by default closes down after the first connection
+is complete, so the browser is not able to load images. To make the SSLTap
+continue to accept connections, switch on looping mode with the -l option.
+
+<P>You can change the default rendezvous port to something else with the
+-p option.
+
+<P>The remaining options change the way the output is produced.
+
+<P>The -f option prints 'fancy' output - in colored HTML. Data sent from
+the client to the server is in blue. The server's reply is in red. This
+is designed so you can load the output up into a browser. When used with
+looping mode, the different connections are separated with horizontal lines.
+
+<P>-x will turn on HEX printing. Instead of being output as ascii, the
+data is shown as Hex, like this:
+<UL><TT><-- [</TT>
+<BR><TT> 0: 56 d5 16 3e a1 6b b1 4a 8f 67 c4 d7
+21 2f 6f dd | V..>.k.J.g..!/o.</TT>
+<BR><TT> 10: bb 22 c4 75 8c f4 ce 28 16 a6 20 aa
+fb 9a 59 a1 | .".u...(.. ...Y.</TT>
+<BR><TT> 20: 51 91 14 d2 fc 9f a7 ea 4d 9c f7 3a
+9d 83 62 4a | Q.......M..:..bJ</TT>
+<BR><TT>]</TT>
+<BR> </UL>
+
+<H4>
+SSL Parse mode</H4>
+The following options deal with SSL connections.
+<UL>-s will turn on SSL parsing. (SSLTap doesn't automatically detect SSL
+sessions.)
+<BR>-x will turn on extra SSL hexdumps. Mostly, if SSL can decode the data,
+it doesn't display the hex.</UL>
+The following SSL3 Data structures are parsed: Handshake, ClientHello,
+ServerHello, CertificateChain, Certificate. In addition, SSL2 ClientHello,
+ServerHello, ClientMasterKey are also partly parsed. NO DECRYPTION IS PERFORMED
+ON THE DATA. SSLTAP CANNOT DECRYPT the data.
+
+<P>If a certificate chain is detected, DER-encoded certificates will be
+saved into files in the current directory called 'cert.0x' where x is the
+sequence number of the certificate.
+<BR>
+<H3>
+Operation Hints</H3>
+Often, you'll find that the server certificate does not get transferred,
+or other parts of the handshake do not happen. This is because the browser
+is taking advantage of session-id-reuse (using the handshake results from
+a previous session). If you restart the browser, it'll clear the session
+id cache.
+
+<P>If you run the ssltap on a different machine that the ssl server you're
+trying to connect to, the browser will complain that the host name you're
+trying to connect to is different to the certificate, but it will still
+let you connect, after showing you a dialog.
+<H3>
+Bugs</H3>
+Please contact <A HREF="mailto:ssltap-support@netscape.com">ssltap-support@netscape.com</A>
+for bug reports.
+<H3>
+History</H3>
+2.1 - First public release (March 1998)
+<BR>
+<H3>
+Other</H3>
+For reference, here is a table of some well-known port numbers:
+<BR>
+<TABLE BORDER=2 >
+<TR>
+<TD>HTTP</TD>
+
+<TD>80</TD>
+</TR>
+
+<TR>
+<TD>SMTP</TD>
+
+<TD>25</TD>
+</TR>
+
+<TR>
+<TD>HTTPS</TD>
+
+<TD>443</TD>
+</TR>
+
+<TR>
+<TD>FTP</TD>
+
+<TD>21</TD>
+</TR>
+
+<TR>
+<TD>IMAPS</TD>
+
+<TD>993</TD>
+</TR>
+
+<TR>
+<TD>NNTP</TD>
+
+<TD>119</TD>
+</TR>
+
+<TR>
+<TD>NNTPS</TD>
+
+<TD>563</TD>
+</TR>
+</TABLE>
+
+
+<P>
+</BODY>
+</HTML>
# VC10 (2010) is 16.00.30319.01, VC10SP1 is 16.00.40219.01.
_MSC_VER_GE_10SP1 := $(shell expr $(_MSC_VER) \> 1600 \| \
$(_MSC_VER) = 1600 \& $(_CC_RELEASE) \>= 40219)
+ # VC11 (2012).
+ _MSC_VER_GE_11 := $(shell expr $(_MSC_VER) \>= 1700)
# VC12 (2013).
_MSC_VER_GE_12 := $(shell expr $(_MSC_VER) \>= 1800)
ifeq ($(_CC_VMAJOR),14)
ifdef USE_DYNAMICBASE
OS_DLLFLAGS += -DYNAMICBASE
endif
+ #
+ # Define USE_DEBUG_RTL if you want to use the debug runtime library
+ # (RTL) in the debug build.
+ # Define USE_STATIC_RTL if you want to use the static RTL.
+ #
+ ifdef USE_DEBUG_RTL
+ ifdef USE_STATIC_RTL
+ OS_CFLAGS += -MTd
+ else
+ OS_CFLAGS += -MDd
+ endif
+ OS_CFLAGS += -D_CRTDBG_MAP_ALLOC
+ else
+ ifdef USE_STATIC_RTL
+ OS_CFLAGS += -MT
+ else
+ OS_CFLAGS += -MD
+ endif
+ endif
ifdef BUILD_OPT
- OS_CFLAGS += -MD
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
OPTIMIZER += -O1
else
LDFLAGS += -DEBUG -OPT:REF
endif
else
- #
- # Define USE_DEBUG_RTL if you want to use the debug runtime library
- # (RTL) in the debug build
- #
- ifdef USE_DEBUG_RTL
- OS_CFLAGS += -MDd -D_CRTDBG_MAP_ALLOC
- else
- OS_CFLAGS += -MD
- endif
OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
NULLSTRING :=
SPACE := $(NULLSTRING) # end of the line
DEFINES += -D_AMD64_
else
DEFINES += -D_X86_
+ # VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring
+ # SSE2.
+ ifeq ($(_MSC_VER_GE_11),1)
+ OS_CFLAGS += -arch:IA32
+ endif
endif
endif
ifeq ($(CPU_ARCH), ALPHA)
</varlistentry>
<varlistentry>
+ <term>--dump-ext-val OID </term>
+ <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-e </term>
<listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
</varlistentry>
</varlistentry>
<varlistentry>
+ <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
+ <listitem>
+ <para>
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
+ </para>
+ <itemizedlist>
+ <listitem>
+<para>OID (example): 1.2.3.4</para>
+ </listitem>
+ <listitem>
+<para>critical-flag: critical or not-critical</para>
+ </listitem>
+ <listitem>
+<para>filename: full path to a file containing an encoded extension</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-f password-file</term>
<listitem><para>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
<para><command>V</command> (as an SSL server)</para>
</listitem>
<listitem>
+<para><command>L</command> (as an SSL CA)</para>
+ </listitem>
+ <listitem>
+<para><command>A</command> (as Any CA)</para>
+ </listitem>
+ <listitem>
+<para><command>Y</command> (Verify CA)</para>
+ </listitem>
+ <listitem>
<para><command>S</command> (as an email signer)</para>
</listitem>
<listitem>
</varlistentry>
<varlistentry>
+ <term>--extSAN type:name[,type:name]...</term>
+ <listitem><para>
+Create a Subject Alt Name extension with one or multiple names.
+ </para>
+ <para>
+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>--empty-password</term>
<listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
</varlistentry>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
33261230240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
26659332128"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p>
</p><p>
If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity.
Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string
- with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
+ with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">--dump-ext-val OID </span></dt><dd><p>For single cert, print binary DER encoding of extension OID.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </span></dt><dd><p>
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
+ </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
The valid key type options are rsa, dsa, ec, or all. The default
</p></li></ul></div><p>
The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
</p><p><span class="command"><strong>-t "TCu,Cu,Tu"</strong></span></p><p>
- Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months,
+ Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>
L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months,
for the beginning of a certificate's validity period. Use when creating
the certificate or adding it to a database. Express the offset in integers,
using a minus sign (-) to indicate a negative offset. If this argument is
msTrustListSign
</p></li><li class="listitem"><p>
critical
- </p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
+ </p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSAN type:name[,type:name]...</span></dt><dd><p>
+Create a Subject Alt Name extension with one or multiple names.
+ </p><p>
+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+ </p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyOpFlagsOn opflags, </span><span class="term">--keyOpFlagsOff opflags</span></dt><dd><p>
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]
</code> </p></div></div><div class="refsection"><a name="idm233254308544"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
- </p></div><div class="refsection"><a name="idm2
33250605968"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]
[-u] [-w]</code> </p></div></div><div class="refsection"><a name="idm226689875920"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+ </p></div><div class="refsection"><a name="idm2
26686118544"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
pkcs7 or crl files
- </p></div><div class="refsection"><a name="idm2
33250603984"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
+ </p></div><div class="refsection"><a name="idm2
26686116608"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd><dt><span class="term"><code class="option">-u </code> </span></dt><dd>Use UTF-8 (default is to show non-ascii as .)</dd><dt><span class="term"><code class="option">-w </code> </span></dt><dd>Don't wrap long output lines</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html>
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 5 June 2014
+.\" Date: 29 July 2014
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "CERTUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
is the default\&.
.RE
.PP
+\-\-dump\-ext\-val OID
+.RS 4
+For single cert, print binary DER encoding of extension OID\&.
+.RE
+.PP
\-e
.RS 4
Check a certificate\*(Aqs signature during the process of validating a certificate\&.
Specify the email address of a certificate to list\&. Used with the \-L command option\&.
.RE
.PP
+\-\-extGeneric OID:critical\-flag:filename[,OID:critical\-flag:filename]\&.\&.\&.
+.RS 4
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+OID (example): 1\&.2\&.3\&.4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+critical\-flag: critical or not\-critical
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+filename: full path to a file containing an encoded extension
+.RE
+.RE
+.PP
\-f password\-file
.RS 4
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
.sp -1
.IP \(bu 2.3
.\}
+\fBL\fR
+(as an SSL CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBA\fR
+(as Any CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBY\fR
+(Verify CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
\fBS\fR
(as an email signer)
.RE
Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&.
.RE
.PP
+\-\-extSAN type:name[,type:name]\&.\&.\&.
+.RS 4
+Create a Subject Alt Name extension with one or multiple names\&.
+.sp
+\-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+.RE
+.PP
\-\-empty\-password
.RS 4
Use empty password when creating new certificate database with \-N\&.
.\" Title: PP
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 5 June 2014
+.\" Date: 29 July 2014
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "PP" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "PP" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.SH "NAME"
pp \- Prints certificates, keys, crls, and pkcs7 files
.SH "SYNOPSIS"
-.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\fR\ 'u
-\fBpp \-t type [\-a] [\-i input] [\-o output]\fR
+.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\ [\-u]\ [\-w]\fR\ 'u
+\fBpp \-t type [\-a] [\-i input] [\-o output] [\-u] [\-w]\fR
.SH "STATUS"
.PP
This documentation is still work in progress\&. Please contribute to the initial review in
Define an input file to use (default is stdin)
.RE
.PP
-\fB\-u \fR \fIoutputfile\fR
+\fB\-o \fR \fIoutputfile\fR
.RS 4
Define an output file to use (default is stdout)
.RE
+.PP
+\fB\-u \fR
+.RS 4
+Use UTF\-8 (default is to show non\-ascii as \&.)
+.RE
+.PP
+\fB\-w \fR
+.RS 4
+Don\*(Aqt wrap long output lines
+.RE
.SH "ADDITIONAL RESOURCES"
.PP
NSS is maintained in conjunction with PKI and security\-related projects through Mozilla and Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at
<refsynopsisdiv>
<cmdsynopsis>
- <command>pp -t type [-a] [-i input] [-o output]</command>
+ <command>pp -t type [-a] [-i input] [-o output] [-u] [-w]</command>
</cmdsynopsis>
</refsynopsisdiv>
</varlistentry>
<varlistentry>
- <term><option>-u </option> <replaceable>outputfile</replaceable></term>
+ <term><option>-o </option> <replaceable>outputfile</replaceable></term>
<listitem>
<simpara>Define an output file to use (default is stdout)</simpara>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-u </option> </term>
+ <listitem>
+ <simpara>Use UTF-8 (default is to show non-ascii as .)</simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-w </option> </term>
+ <listitem>
+ <simpara>Don't wrap long output lines</simpara>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsection>
/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
extern CERTAuthInfoAccess **
CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
- SECItem *encodedExtension);
+ const SECItem *encodedExtension);
extern CERTPrivKeyUsagePeriod *
CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
CERTAuthInfoAccess **
CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
- SECItem *encodedExtension)
+ const SECItem *encodedExtension)
{
CERTAuthInfoAccess **info = NULL;
SECStatus rv;
CKA_LABEL UTF8 "Mozilla Builtin Roots"
#
+# Certificate "GTE CyberTrust Global Root"
+#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
+\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
+\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
+\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
+\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
+\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
+\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
+\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
+\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
+\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
+\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
+\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
+\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
+\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
+\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
+\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
+\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
+\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
+\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
+\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
+\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
+\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
+\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
+\037\042\265\315\225\255\272\247\314\371\253\013\172\177
+END
+
+# Trust for Certificate "GTE CyberTrust Global Root"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
+\066\176\364\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
# Certificate "Thawte Server CA"
#
# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust-temporary-intermediate-after-1024bit-removal"
+#
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
+# Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Tue Aug 05 00:00:00 2014
+# Not Valid After : Sun Nov 01 23:59:59 2015
+# Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
+# Fingerprint (SHA1): 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust-temporary-intermediate-after-1024bit-removal"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025
+\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145
+\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025
+\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145
+\164\167\157\162\153\061\052\060\050\006\003\125\004\003\023\041
+\125\123\105\122\124\162\165\163\164\040\114\145\147\141\143\171
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
+\225\266
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\231\060\202\003\201\240\003\002\001\002\002\020\135
+\040\141\216\214\016\271\064\100\223\271\261\330\143\225\266\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\157
+\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060
+\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164
+\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101\144
+\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154\040
+\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040\006
+\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040\105
+\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164\060
+\036\027\015\061\064\060\070\060\065\060\060\060\060\060\060\132
+\027\015\061\065\061\061\060\061\062\063\065\071\065\071\132\060
+\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
+\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
+\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
+\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
+\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
+\167\157\162\153\061\052\060\050\006\003\125\004\003\023\041\125
+\123\105\122\124\162\165\163\164\040\114\145\147\141\143\171\040
+\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\101
+\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
+\000\331\115\040\072\346\051\060\206\362\351\206\211\166\064\116
+\150\037\226\104\367\321\371\326\202\116\246\070\236\356\313\133
+\341\216\056\275\362\127\200\375\311\077\374\220\163\104\274\217
+\273\127\133\345\055\037\024\060\165\066\365\177\274\317\126\364
+\177\201\377\256\221\315\330\322\152\313\227\371\367\315\220\152
+\105\055\304\273\244\205\023\150\127\137\357\051\272\052\312\352
+\365\314\244\004\233\143\315\000\353\375\355\215\335\043\306\173
+\036\127\035\066\177\037\010\232\015\141\333\132\154\161\002\123
+\050\302\372\215\375\253\273\263\361\215\164\113\337\275\275\314
+\006\223\143\011\225\302\020\172\235\045\220\062\235\001\302\071
+\123\260\340\025\153\307\327\164\345\244\042\233\344\224\377\204
+\221\373\055\263\031\103\055\223\017\234\022\011\344\147\271\047
+\172\062\255\172\052\314\101\130\300\156\131\137\356\070\053\027
+\042\234\211\372\156\347\345\127\065\364\132\355\222\225\223\055
+\371\314\044\077\245\034\075\047\275\042\003\163\314\365\312\363
+\251\364\334\376\317\351\320\134\320\017\253\207\374\203\375\310
+\251\002\003\001\000\001\243\202\001\037\060\202\001\033\060\037
+\006\003\125\035\043\004\030\060\026\200\024\255\275\230\172\064
+\264\046\367\372\304\046\124\357\003\275\340\044\313\124\032\060
+\035\006\003\125\035\016\004\026\004\024\257\244\100\257\237\026
+\376\253\061\375\373\325\227\213\365\221\243\044\206\026\060\016
+\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\022
+\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
+\001\000\060\035\006\003\125\035\045\004\026\060\024\006\010\053
+\006\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003
+\002\060\031\006\003\125\035\040\004\022\060\020\060\016\006\014
+\053\006\001\004\001\262\061\001\002\001\003\004\060\104\006\003
+\125\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150
+\164\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162
+\165\163\164\056\143\157\155\057\101\144\144\124\162\165\163\164
+\105\170\164\145\162\156\141\154\103\101\122\157\157\164\056\143
+\162\154\060\065\006\010\053\006\001\005\005\007\001\001\004\051
+\060\047\060\045\006\010\053\006\001\005\005\007\060\001\206\031
+\150\164\164\160\072\057\057\157\143\163\160\056\165\163\145\162
+\164\162\165\163\164\056\143\157\155\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\204\256\055
+\150\070\021\154\203\121\142\300\221\302\230\274\306\073\372\245
+\305\275\073\011\346\156\140\157\060\003\206\042\032\262\213\363
+\306\316\036\273\033\171\340\026\024\115\322\232\005\113\377\217
+\354\360\050\051\352\052\004\035\075\257\021\022\325\111\230\120
+\102\237\141\146\072\266\100\231\004\014\153\020\062\351\367\317
+\206\130\117\055\315\323\254\176\350\133\152\203\174\015\240\234
+\134\120\066\165\015\155\176\102\267\337\246\334\220\134\157\043
+\116\227\035\363\042\165\277\003\065\346\135\177\307\371\233\054
+\207\366\216\326\045\226\131\235\317\352\020\036\357\156\352\132
+\233\167\030\064\314\201\167\257\232\207\302\012\345\345\236\023
+\225\123\275\275\111\032\245\166\022\366\334\362\221\267\351\032
+\341\274\115\075\225\161\175\370\215\174\076\003\117\123\355\376
+\122\375\312\137\223\341\032\001\033\002\267\163\116\272\146\351
+\170\213\120\376\021\313\321\147\320\042\117\167\352\315\024\025
+\100\256\146\135\350\056\177\036\210\157\125\171\326\271\176\343
+\265\375\221\240\300\362\046\207\113\057\235\365\240
+END
+
+# Trust for "USERTrust-temporary-intermediate-after-1024bit-removal"
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
+# Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Tue Aug 05 00:00:00 2014
+# Not Valid After : Sun Nov 01 23:59:59 2015
+# Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
+# Fingerprint (SHA1): 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust-temporary-intermediate-after-1024bit-removal"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\174\057\221\342\273\226\150\251\306\366\275\020\031\054\153\122
+\132\033\272\110
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\131\153\146\214\004\251\341\013\017\356\105\245\220\044\037\016
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
+\225\266
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 0
-#define NSS_BUILTINS_LIBRARY_VERSION "2.0"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION "2.1"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
return SECFailure;
}
*destKey = PORT_ZNew(CRMFPOPOPrivKey);
- if (destKey == NULL) {
+ if (*destKey == NULL) {
return SECFailure;
}
return crmf_copy_popoprivkey(NULL,
mov rsi, rdx
push rbp
+ push rbx
sub rsp, 80
mov r11, rsi
xor esi, esi
mov r10, rsi
mov rbp, rsi
mov r8, rsi
- push rbx
mov rbx, rsi
mov rcx, qword ptr [16+rdi]
mov rdi, rsi
if (!rdnArena) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
- issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName*);
+ issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName);
if (!issuerNameCopy) {
PKIX_ERROR(PKIX_ALLOCERROR);
}
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.16.3" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION "3.17" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
-#define NSS_VMINOR 16
-#define NSS_VPATCH 3
+#define NSS_VMINOR 17
+#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
*/
nssPKIObject_AddInstance(&c->object, certobj);
/* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
- * replace 'c' by a different value. So we add a reference to 'c' to
+ * replace 'c' with a different value. So we add a reference to 'c' to
* prevent 'c' from being destroyed. */
nssCertificate_AddRef(c);
nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
- /* XXX should we pass the original value of 'c' to
- * STAN_ForceCERTCertificateUpdate? */
(void)STAN_ForceCERTCertificateUpdate(c);
nssCertificate_Destroy(c);
SECITEM_FreeItem(keyID,PR_TRUE);
name=nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE,
NULL);
- if (oid == NULL) { return NULL; }
+ if (name == NULL) { return NULL; }
ava_length -= (name-ava)+name_length;
ava = name+name_length;
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.16.3" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.17" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 16
-#define SOFTOKEN_VPATCH 3
+#define SOFTOKEN_VMINOR 17
+#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
*/
#define SSL_ENABLE_ALPN 26
+/* SSL_REUSE_SERVER_ECDHE_KEY controls whether the ECDHE server key is
+ * reused for multiple handshakes or generated each time.
+ * SSL_REUSE_SERVER_ECDHE_KEY is currently enabled by default.
+ */
+#define SSL_REUSE_SERVER_ECDHE_KEY 27
+
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
}
rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
serverPubKey, serverKey);
+ if (ss->ephemeralECDHKeyPair) {
+ ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+ ss->ephemeralECDHKeyPair = NULL;
+ }
if (rv != SECSuccess) {
return SECFailure; /* error code set */
}
return (PRStatus)rv;
}
-/* CallOnce function, called once for each named curve. */
-static PRStatus
-ssl3_CreateECDHEphemeralKeyPair(void * arg)
+/* Create an ECDHE key pair for a given curve */
+static SECStatus
+ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve, ssl3KeyPair** keyPair)
{
SECKEYPrivateKey * privKey = NULL;
SECKEYPublicKey * pubKey = NULL;
- ssl3KeyPair * keyPair = NULL;
- ECName ec_curve = (ECName)arg;
SECKEYECParams ecParams = { siBuffer, NULL, 0 };
- PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
-
- /* ok, no one has generated a global key for this curve yet, do so */
if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
- gECDHEKeyPairs[ec_curve].error = PORT_GetError();
- return PR_FAILURE;
+ return SECFailure;
}
-
privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);
SECITEM_FreeItem(&ecParams, PR_FALSE);
- if (!privKey || !pubKey || !(keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
+ if (!privKey || !pubKey || !(*keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
}
SECKEY_DestroyPublicKey(pubKey);
}
ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+/* CallOnce function, called once for each named curve. */
+static PRStatus
+ssl3_CreateECDHEphemeralKeyPairOnce(void * arg)
+{
+ ECName ec_curve = (ECName)arg;
+ ssl3KeyPair * keyPair = NULL;
+
+ PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
+
+ /* ok, no one has generated a global key for this curve yet, do so */
+ if (ssl3_CreateECDHEphemeralKeyPair(ec_curve, &keyPair) != SECSuccess) {
gECDHEKeyPairs[ec_curve].error = PORT_GetError();
return PR_FAILURE;
}
return SECFailure;
}
status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
- ssl3_CreateECDHEphemeralKeyPair,
+ ssl3_CreateECDHEphemeralKeyPairOnce,
(void *)ec_curve);
if (status != PR_SUCCESS) {
PORT_SetError(gECDHEKeyPairs[ec_curve].error);
if (curve == ec_noName) {
goto loser;
}
- rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
+
+ if (ss->opt.reuseServerECDHEKey) {
+ rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
+ } else {
+ rv = ssl3_CreateECDHEphemeralKeyPair(curve, &ss->ephemeralECDHKeyPair);
+ }
if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
+ goto loser;
}
+
ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
PORT_Assert(ecdhePub != NULL);
if (!ecdhePub) {
int cipherChoice)
{
switch (cipherChoice) {
-
case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
case SSL_CK_RC2_128_CBC_WITH_MD5:
case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
case SSL_CK_DES_64_CBC_WITH_MD5:
case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
sec->hash = HASH_GetHashObject(HASH_AlgMD5);
- SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
- SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
+ if (SECITEM_CopyItem(0, &sec->sendSecret, writeKey) ||
+ SECITEM_CopyItem(0, &sec->rcvSecret, readKey)) {
+ return SECFailure;
+ }
break;
default:
unsigned int enableOCSPStapling : 1; /* 25 */
unsigned int enableNPN : 1; /* 26 */
unsigned int enableALPN : 1; /* 27 */
+ unsigned int reuseServerECDHEKey : 1; /* 28 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
ss->sec.hashcx = NULL;
}
- SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret);
- if (os->sec.sendSecret.data && !ss->sec.sendSecret.data)
+ if (SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret))
goto loser;
- SECITEM_CopyItem(0, &ss->sec.rcvSecret, &os->sec.rcvSecret);
- if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data)
+ if (SECITEM_CopyItem(0, &ss->sec.rcvSecret, &os->sec.rcvSecret))
goto loser;
/* XXX following code is wrong if either cx != 0 */
PR_TRUE, /* cbcRandomIV */
PR_FALSE, /* enableOCSPStapling */
PR_TRUE, /* enableNPN */
- PR_FALSE /* enableALPN */
+ PR_FALSE, /* enableALPN */
+ PR_TRUE /* reuseServerECDHEKey */
};
/*
ss->opt.enableALPN = on;
break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ ss->opt.reuseServerECDHEKey = on;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break;
case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ on = ss->opt.reuseServerECDHEKey; break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
break;
case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break;
case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ on = ssl_defaults.reuseServerECDHEKey;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
ssl_defaults.enableALPN = on;
break;
+ case SSL_REUSE_SERVER_ECDHE_KEY:
+ ssl_defaults.reuseServerECDHEKey = on;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.16.3"
+#define NSSUTIL_VERSION "3.17"
#define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 16
-#define NSSUTIL_VPATCH 3
+#define NSSUTIL_VMINOR 17
+#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
db trustanchors
import NameConstraints.ca:x:CT,C,C
-import NameConstraints.ncca:x:CT,C,C
# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
import NameConstraints.dcisscopy:x:CT,C,C
# Intermediate 1: Name constrained to permited DNSName ".example"
n
CERTSCRIPT
-#the following cert MUST not pass
+#the following cert MUST pass
certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT
0
2
projects / platform / upstream / nss.git / commitdiff