repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f
-node: e826416013cc80bed56ad7eb19a5bd3a1f4c66b1
-branch: NSS_3_15_3_RELEASE_BRANCH
-tag: NSS_3_15_3_1_RTM
+node: c3565a90b8c489a5f6f0b12e3ed53b09b4f038a7
+branch: default
+tag: NSS_3_15_4_RTM
--- /dev/null
+#! /bin/bash
+
+# Each buildbot-slave requires a bbenv.sh file that defines
+# machine specific variables. This is an example file.
+
+
+HOST=$(hostname | cut -d. -f1)
+export HOST
+
+# if your machine's IP isn't registered in DNS,
+# you must set appropriate environment variables
+# that can be resolved locally.
+# For example, if localhost.localdomain works on your system, set:
+#HOST=localhost
+#DOMSUF=localdomain
+#export DOMSUF
+
+ARCH=$(uname -s)
+
+ulimit -c unlimited 2> /dev/null
+
+export NSS_ENABLE_ECC=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSPR_LOG_MODULES="pkix:1"
+
+#export JAVA_HOME_32=
+#export JAVA_HOME_64=
+
+#enable if you have PKITS data
+#export PKITS_DATA=$HOME/pkits/data/
+
+NSS_BUILD_TARGET="clean nss_build_all"
+JSS_BUILD_TARGET="clean all"
+
+MAKE=gmake
+AWK=awk
+PATCH=patch
+
+if [ "${ARCH}" = "SunOS" ]; then
+ AWK=nawk
+ PATCH=gpatch
+ ARCH=SunOS/$(uname -p)
+fi
+
+if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then
+ VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release`
+ ARCH=Linux/${VERSION}
+ echo ${ARCH}
+fi
+
+PROCESSOR=$(uname -p)
+if [ "${PROCESSOR}" = "ppc64" ]; then
+ ARCH="${ARCH}/ppc64"
+fi
+if [ "${PROCESSOR}" = "powerpc" ]; then
+ ARCH="${ARCH}/ppc"
+fi
+
+PORT_64_DBG=8543
+PORT_64_OPT=8544
+PORT_32_DBG=8545
+PORT_32_OPT=8546
+
+if [ "${NSS_TESTS}" = "memleak" ]; then
+ PORT_64_DBG=8547
+ PORT_64_OPT=8548
+ PORT_32_DBG=8549
+ PORT_32_OPT=8550
+fi
--- /dev/null
+#! /bin/bash
+
+# Ensure a failure of the first command inside a pipe
+# won't be hidden by commands later in the pipe.
+# (e.g. as in ./dosomething | grep)
+
+set -o pipefail
+
+proc_args()
+{
+ while [ -n "$1" ]; do
+ OPT=$(echo $1 | cut -d= -f1)
+ VAL=$(echo $1 | cut -d= -f2)
+
+ case $OPT in
+ "--build-nss")
+ BUILD_NSS=1
+ ;;
+ "--test-nss")
+ TEST_NSS=1
+ ;;
+ "--build-jss")
+ BUILD_JSS=1
+ ;;
+ "--test-jss")
+ TEST_JSS=1
+ ;;
+ "--memtest")
+ NSS_TESTS="memleak"
+ export NSS_TESTS
+ ;;
+ "--nojsssign")
+ NO_JSS_SIGN=1
+ ;;
+ *)
+ echo "Usage: $0 ..."
+ echo " --memtest - run the memory leak tests"
+ echo " --nojsssign - try to sign jss"
+ echo " --build-nss"
+ echo " --build-jss"
+ echo " --test-nss"
+ echo " --test-jss"
+ exit 1
+ ;;
+ esac
+
+ shift
+ done
+}
+
+set_env()
+{
+ TOPDIR=$(pwd)
+ HGDIR=$(pwd)$(echo "/hg")
+ OUTPUTDIR=$(pwd)$(echo "/output")
+ LOG_ALL="${OUTPUTDIR}/all.log"
+ LOG_TMP="${OUTPUTDIR}/tmp.log"
+
+ echo "hello" |grep --line-buffered hello >/dev/null 2>&1
+ [ $? -eq 0 ] && GREP_BUFFER="--line-buffered"
+}
+
+print_log()
+{
+ DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
+ echo "${DATE} $*"
+ echo "${DATE} $*" >> ${LOG_ALL}
+}
+
+print_result()
+{
+ TESTNAME=$1
+ RET=$2
+ EXP=$3
+
+ if [ ${RET} -eq ${EXP} ]; then
+ print_log "${TESTNAME} PASSED"
+ else
+ print_log "${TESTNAME} FAILED"
+ fi
+}
+
+print_env()
+{
+ print_log "######## Environment variables ########"
+
+ uname -a | tee -a ${LOG_ALL}
+ if [ -e "/etc/redhat-release" ]; then
+ cat "/etc/redhat-release" | tee -a ${LOG_ALL}
+ fi
+ # don't print the MAIL command, it might contain a password
+ env | grep -v "^MAIL=" | tee -a ${LOG_ALL}
+}
+
+set_cycle()
+{
+ BITS=$1
+ OPT=$2
+
+ if [ "${BITS}" = "64" ]; then
+ USE_64=1
+ JAVA_HOME=${JAVA_HOME_64}
+ PORT_DBG=${PORT_64_DBG}
+ PORT_OPT=${PORT_64_OPT}
+ else
+ USE_64=
+ JAVA_HOME=${JAVA_HOME_32}
+ PORT_DBG=${PORT_32_DBG}
+ PORT_OPT=${PORT_32_OPT}
+ fi
+ export USE_64
+ export JAVA_HOME
+
+ BUILD_OPT=
+ if [ "${OPT}" = "OPT" ]; then
+ BUILD_OPT=1
+ XPCLASS=xpclass.jar
+ PORT=${PORT_OPT}
+ else
+ BUILD_OPT=
+ XPCLASS=xpclass_dbg.jar
+ PORT=${PORT_DBG}
+ fi
+ export BUILD_OPT
+
+ PORT_JSS_SERVER=$(expr ${PORT} + 20)
+ PORT_JSSE_SERVER=$(expr ${PORT} + 40)
+
+ export PORT
+ export PORT_JSS_SERVER
+ export PORT_JSSE_SERVER
+}
+
+build_nss()
+{
+ print_log "######## NSS - build - ${BITS} bits - ${OPT} ########"
+
+ print_log "$ cd ${HGDIR}/nss"
+ cd ${HGDIR}/nss
+
+ print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+ #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+ ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+ RET=$?
+ print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+
+ if [ ${RET} -eq 0 ]; then
+ return 0
+ else
+ tail -100 ${LOG_ALL}
+ return ${RET}
+ fi
+}
+
+build_jss()
+{
+ print_log "######## JSS - build - ${BITS} bits - ${OPT} ########"
+
+ print_log "$ cd ${HGDIR}/jss"
+ cd ${HGDIR}/jss
+
+ print_log "$ ${MAKE} ${JSS_BUILD_TARGET}"
+ #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+ ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+ RET=$?
+ print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0
+ [ ${RET} -eq 0 ] || return ${RET}
+
+ print_log "$ cd ${HGDIR}/dist"
+ cd ${HGDIR}/dist
+
+ if [ -z "${NO_JSS_SIGN}" ]; then
+ print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa"
+ cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1
+ RET=$?
+ print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+ [ ${RET} -eq 0 ] || return ${RET}
+ fi
+ print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}"
+ ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1
+ RET=$?
+ print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+ [ ${RET} -eq 0 ] || return ${RET}
+
+ return 0
+}
+
+test_nss()
+{
+ print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########"
+
+ if [ "${OS_TARGET}" = "Android" ]; then
+ print_log "$ cd ${HGDIR}/nss/tests/remote"
+ cd ${HGDIR}/nss/tests/remote
+ print_log "$ make test_android"
+ make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
+ OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log
+ else
+ print_log "$ cd ${HGDIR}/nss/tests"
+ cd ${HGDIR}/nss/tests
+ print_log "$ ./all.sh"
+ ./all.sh 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
+ OUTPUTFILE=${LOG_TMP}
+ fi
+
+ cat ${LOG_TMP} >> ${LOG_ALL}
+ tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL}
+ RET=$?
+
+ print_log "######## details of detected failures (if any) ########"
+ grep -B50 FAIL ${OUTPUTFILE}
+ [ $? -eq 1 ] || RET=1
+
+ print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+ return ${RET}
+}
+
+test_jss()
+{
+ print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
+
+ print_log "$ cd ${HGDIR}/jss"
+ cd ${HGDIR}/jss
+
+ print_log "$ ${MAKE} platform"
+ PLATFORM=$(${MAKE} platform)
+ print_log "PLATFORM=${PLATFORM}"
+
+ print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests"
+ cd ${HGDIR}/jss/org/mozilla/jss/tests
+
+ print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}"
+ perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP}
+ cat ${LOG_TMP} >> ${LOG_ALL}
+
+ tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null
+ RET=$?
+
+ grep FAIL ${LOG_TMP}
+ [ $? -eq 1 ] || RET=1
+
+ print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+ return ${RET}
+}
+
+build_and_test()
+{
+ if [ -n "${BUILD_NSS}" ]; then
+ build_nss
+ [ $? -eq 0 ] || return 1
+ fi
+
+ if [ -n "${TEST_NSS}" ]; then
+ test_nss
+ [ $? -eq 0 ] || return 1
+ fi
+
+ if [ -n "${BUILD_JSS}" ]; then
+ build_jss
+ [ $? -eq 0 ] || return 1
+ fi
+
+ if [ -n "${TEST_JSS}" ]; then
+ test_jss
+ [ $? -eq 0 ] || return 1
+ fi
+
+ return 0
+}
+
+run_cycle()
+{
+ print_env
+ build_and_test
+ RET=$?
+
+ grep ^TinderboxPrint ${LOG_ALL}
+
+ return ${RET}
+}
+
+prepare()
+{
+ rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
+ mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
+ mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
+ mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
+ mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
+ mkdir -p ${OUTPUTDIR}
+
+ if [ -n "${NSS_ENABLE_ECC}" -a -n "${NSS_ECC_MORE_THAN_SUITE_B}" ]; then
+ cd ${HGDIR}/nss
+ ECF="lib/freebl/ecl/ecl-curve.h"
+ print_log "hg revert -r NSS_3_11_1_RTM ${ECF}"
+ hg revert -r NSS_3_11_1_RTM security/nss/${ECF}
+ cp -f security/nss/${ECF} ${ECF}
+ fi
+
+ return 0
+}
+
+move_results()
+{
+ cd ${HGDIR}
+ if [ -n "${TEST_NSS}" ]; then
+ mv -f tests_results ${OUTPUTDIR}
+ fi
+ tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist
+ rm -rf dist
+}
+
+run_all()
+{
+ set_cycle ${BITS} ${OPT}
+ prepare
+ run_cycle
+ RESULT=$?
+ print_log "### result of run_cycle is ${RESULT}"
+ move_results
+ return ${RESULT}
+}
+
+main()
+{
+ VALID=0
+ RET=1
+
+ for BITS in 32 64; do
+ echo ${RUN_BITS} | grep ${BITS} > /dev/null
+ [ $? -eq 0 ] || continue
+ for OPT in DBG OPT; do
+ echo ${RUN_OPT} | grep ${OPT} > /dev/null
+ [ $? -eq 0 ] || continue
+
+ VALID=1
+ set_env
+ run_all
+ RET=$?
+ print_log "### result of run_all is ${RET}"
+ done
+ done
+
+ if [ ${VALID} -ne 1 ]; then
+ echo "Need to set valid bits/opt values."
+ return 1
+ fi
+
+ return ${RET}
+}
+
+#function killallsub()
+#{
+# FINAL_RET=$?
+# for proc in `jobs -p`
+# do
+# kill -9 $proc
+# done
+# return ${FINAL_RET}
+#}
+#trap killallsub EXIT
+
+#IS_RUNNING_FILE="./build-is-running"
+
+#if [ -a $IS_RUNNING_FILE ]; then
+# echo "exiting, because old job is still running"
+# exit 1
+#fi
+
+#touch $IS_RUNNING_FILE
+
+echo "tinderbox args: $0 $@"
+. ${ENVVARS}
+proc_args "$@"
+main
+
+#RET=$?
+#rm $IS_RUNNING_FILE
+#exit ${RET}
--- /dev/null
+IF EXIST ..\buildbot-is-building (
+ del ..\buildbot-is-building
+ shutdown /r /t 0
+
+ timeout /t 120
+)
--- /dev/null
+echo running > ..\buildbot-is-building
+
+echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
+"%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
+
+if %errorlevel% neq 0 (
+ set EXITCODE=1
+) else (
+ set EXITCODE=0
+)
+
+del ..\buildbot-is-building
+
+exit /b %EXITCODE%
const ECParams *srcParams);
#endif
-/* Temporary - add debugging output on windows for RSA to track QA failure */
-#ifdef _WIN32
-#define TRACK_BLTEST_BUG
- char __bltDBG[] = "BLTEST DEBUG";
-#endif
-
char *progName;
char *testdir = NULL;
const unsigned char *src,
PRUint32 src_length);
+/* Note: Algorithms are grouped in order to support is_symmkeyCipher /
+ * is_pubkeyCipher / is_hashCipher / is_sigCipher
+ */
typedef enum {
bltestINVALID = -1,
bltestDES_ECB, /* Symmetric Key Ciphers */
bltestCAMELLIA_CBC, /* . */
bltestSEED_ECB, /* SEED algorithm */
bltestSEED_CBC, /* SEED algorithm */
- bltestRSA, /* Public Key Ciphers */
+ bltestRSA, /* Public Key Ciphers */
+ bltestRSA_OAEP, /* . (Public Key Enc.) */
+ bltestRSA_PSS, /* . (Public Key Sig.) */
#ifdef NSS_ENABLE_ECC
- bltestECDSA, /* . (Public Key Sig.) */
+ bltestECDSA, /* . (Public Key Sig.) */
#endif
- bltestDSA, /* . */
+ bltestDSA, /* . (Public Key Sig.) */
bltestMD2, /* Hash algorithms */
bltestMD5, /* . */
bltestSHA1, /* . */
"seed_ecb",
"seed_cbc",
"rsa",
+ "rsa_oaep",
+ "rsa_pss",
#ifdef NSS_ENABLE_ECC
"ecdsa",
#endif
typedef struct
{
bltestIO key;
- int keysizeInBits;
- RSAPrivateKey *rsakey;
+ int keysizeInBits;
+
+ /* OAEP & PSS */
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ bltestIO seed; /* salt if PSS */
} bltestRSAParams;
typedef struct
{
- bltestIO key;
bltestIO pqgdata;
unsigned int keysize;
bltestIO keyseed;
bltestIO sigseed;
- bltestIO sig; /* if doing verify, have additional input */
PQGParams *pqg;
- DSAPrivateKey *dsakey;
} bltestDSAParams;
#ifdef NSS_ENABLE_ECC
typedef struct
{
- bltestIO key;
char *curveName;
bltestIO sigseed;
- bltestIO sig; /* if doing verify, have additional input */
- ECPrivateKey *eckey;
} bltestECDSAParams;
#endif
typedef struct
{
+ bltestIO key;
+ void * privKey;
+ void * pubKey;
+ bltestIO sig; /* if doing verify, the signature (which may come
+ * from sigfile. */
+
+ union {
+ bltestRSAParams rsa;
+ bltestDSAParams dsa;
+#ifdef NSS_ENABLE_ECC
+ bltestECDSAParams ecdsa;
+#endif
+ } cipherParams;
+} bltestAsymKeyParams;
+
+typedef struct
+{
bltestIO key; /* unused */
PRBool restart;
} bltestHashParams;
bltestSymmKeyParams sk;
bltestAuthSymmKeyParams ask;
bltestRC5Params rc5;
- bltestRSAParams rsa;
- bltestDSAParams dsa;
-#ifdef NSS_ENABLE_ECC
- bltestECDSAParams ecdsa;
-#endif
+ bltestAsymKeyParams asymk;
bltestHashParams hash;
} bltestParams;
is_sigCipher(bltestCipherMode mode)
{
/* change as needed! */
-#ifdef NSS_ENABLE_ECC
- if (mode >= bltestECDSA && mode <= bltestDSA)
-#else
- if (mode >= bltestDSA && mode <= bltestDSA)
-#endif
- return PR_TRUE;
+ if (mode >= bltestRSA_PSS && mode <= bltestDSA)
+ return PR_TRUE;
return PR_FALSE;
}
if (file && (numBytes == 0 || file == PR_STDIN)) {
/* grabbing data from a file */
rv = SECU_FileToItem(&fileData, file);
- if (rv != SECSuccess) {
- PR_Close(file);
+ if (rv != SECSuccess)
return SECFailure;
- }
in = &fileData;
} else if (str) {
/* grabbing data from command line */
}
SECStatus
-rsa_PublicKeyOp(void *key, SECItem *output, const SECItem *input)
+rsa_PublicKeyOp(void *cx, SECItem *output, const SECItem *input)
+{
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ RSAPublicKey *pubKey = (RSAPublicKey *)params->pubKey;
+ SECStatus rv = RSA_PublicKeyOp(pubKey, output->data, input->data);
+ if (rv == SECSuccess) {
+ output->len = pubKey->modulus.data[0] ? pubKey->modulus.len :
+ pubKey->modulus.len - 1;
+ }
+ return rv;
+}
+
+SECStatus
+rsa_PrivateKeyOp(void *cx, SECItem *output, const SECItem *input)
+{
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ RSAPrivateKey *privKey = (RSAPrivateKey *)params->privKey;
+ SECStatus rv = RSA_PrivateKeyOp(privKey, output->data, input->data);
+ if (rv == SECSuccess) {
+ output->len = privKey->modulus.data[0] ? privKey->modulus.len :
+ privKey->modulus.len - 1;
+ }
+ return rv;
+}
+
+SECStatus
+rsa_signDigestPSS(void *cx, SECItem *output, const SECItem *input)
+{
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ bltestRSAParams *rsaParams = ¶ms->cipherParams.rsa;
+ return RSA_SignPSS((RSAPrivateKey *)params->privKey,
+ rsaParams->hashAlg,
+ rsaParams->maskHashAlg,
+ rsaParams->seed.buf.data,
+ rsaParams->seed.buf.len,
+ output->data, &output->len, output->len,
+ input->data, input->len);
+}
+
+SECStatus
+rsa_verifyDigestPSS(void *cx, SECItem *output, const SECItem *input)
{
- return RSA_PublicKeyOp((RSAPublicKey *)key, output->data, input->data);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ bltestRSAParams *rsaParams = ¶ms->cipherParams.rsa;
+ return RSA_CheckSignPSS((RSAPublicKey *)params->pubKey,
+ rsaParams->hashAlg,
+ rsaParams->maskHashAlg,
+ rsaParams->seed.buf.len,
+ output->data, output->len,
+ input->data, input->len);
}
SECStatus
-rsa_PrivateKeyOp(void *key, SECItem *output, const SECItem *input)
+rsa_encryptOAEP(void *cx, SECItem *output, const SECItem *input)
{
- return RSA_PrivateKeyOp((RSAPrivateKey *)key, output->data, input->data);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ bltestRSAParams *rsaParams = ¶ms->cipherParams.rsa;
+ return RSA_EncryptOAEP((RSAPublicKey *)params->pubKey,
+ rsaParams->hashAlg,
+ rsaParams->maskHashAlg,
+ NULL, 0,
+ rsaParams->seed.buf.data,
+ rsaParams->seed.buf.len,
+ output->data, &output->len, output->len,
+ input->data, input->len);
}
SECStatus
-dsa_signDigest(void *key, SECItem *output, const SECItem *input)
+rsa_decryptOAEP(void *cx, SECItem *output, const SECItem *input)
{
- return DSA_SignDigest((DSAPrivateKey *)key, output, input);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ bltestRSAParams *rsaParams = ¶ms->cipherParams.rsa;
+ return RSA_DecryptOAEP((RSAPrivateKey *)params->privKey,
+ rsaParams->hashAlg,
+ rsaParams->maskHashAlg,
+ NULL, 0,
+ output->data, &output->len, output->len,
+ input->data, input->len);
}
SECStatus
-dsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
+dsa_signDigest(void *cx, SECItem *output, const SECItem *input)
{
- return DSA_VerifyDigest((DSAPublicKey *)key, output, input);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ if (params->cipherParams.dsa.sigseed.buf.len > 0) {
+ return DSA_SignDigestWithSeed((DSAPrivateKey *)params->privKey,
+ output, input,
+ params->cipherParams.dsa.sigseed.buf.data);
+ }
+ return DSA_SignDigest((DSAPrivateKey *)params->privKey, output, input);
+}
+
+SECStatus
+dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
+{
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
}
#ifdef NSS_ENABLE_ECC
SECStatus
-ecdsa_signDigest(void *key, SECItem *output, const SECItem *input)
+ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
{
- return ECDSA_SignDigest((ECPrivateKey *)key, output, input);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ if (params->cipherParams.ecdsa.sigseed.buf.len > 0) {
+ return ECDSA_SignDigestWithSeed(
+ (ECPrivateKey *)params->privKey,
+ output, input,
+ params->cipherParams.ecdsa.sigseed.buf.data,
+ params->cipherParams.ecdsa.sigseed.buf.len);
+ }
+ return ECDSA_SignDigest((ECPrivateKey *)params->privKey, output, input);
}
SECStatus
-ecdsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
+ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
{
- return ECDSA_VerifyDigest((ECPublicKey *)key, output, input);
+ bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
+ return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input);
}
#endif
{
int i;
RSAPrivateKey **dummyKey;
+ RSAPrivateKey *privKey;
+ RSAPublicKey *pubKey;
PRIntervalTime time1, time2;
- bltestRSAParams *rsap = &cipherInfo->params.rsa;
+
+ bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
+ bltestRSAParams *rsap = &asymk->cipherParams.rsa;
+
/* RSA key gen was done during parameter setup */
- cipherInfo->cx = cipherInfo->params.rsa.rsakey;
+ cipherInfo->cx = asymk;
+ privKey = (RSAPrivateKey *)asymk->privKey;
+
/* For performance testing */
if (cipherInfo->cxreps > 0) {
/* Create space for n private key objects */
TIMESTART();
for (i=0; i<cipherInfo->cxreps; i++)
dummyKey[i] = RSA_NewKey(rsap->keysizeInBits,
- &rsap->rsakey->publicExponent);
+ &privKey->publicExponent);
TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
/* Free the n key objects */
for (i=0; i<cipherInfo->cxreps; i++)
PORT_FreeArena(dummyKey[i]->arena, PR_TRUE);
PORT_Free(dummyKey);
}
- if (encrypt) {
+
+ if ((encrypt && !is_sigCipher(cipherInfo->mode)) ||
+ (!encrypt && is_sigCipher(cipherInfo->mode))) {
/* Have to convert private key to public key. Memory
* is freed with private key's arena */
- RSAPublicKey *pubkey;
- RSAPrivateKey *key = (RSAPrivateKey *)cipherInfo->cx;
- pubkey = (RSAPublicKey *)PORT_ArenaAlloc(key->arena,
+ pubKey = (RSAPublicKey *)PORT_ArenaAlloc(privKey->arena,
sizeof(RSAPublicKey));
- pubkey->modulus.len = key->modulus.len;
- pubkey->modulus.data = key->modulus.data;
- pubkey->publicExponent.len = key->publicExponent.len;
- pubkey->publicExponent.data = key->publicExponent.data;
- cipherInfo->cx = (void *)pubkey;
- cipherInfo->cipher.pubkeyCipher = rsa_PublicKeyOp;
- } else {
- cipherInfo->cipher.pubkeyCipher = rsa_PrivateKeyOp;
+ pubKey->modulus.len = privKey->modulus.len;
+ pubKey->modulus.data = privKey->modulus.data;
+ pubKey->publicExponent.len = privKey->publicExponent.len;
+ pubKey->publicExponent.data = privKey->publicExponent.data;
+ asymk->pubKey = (void *)pubKey;
+ }
+ switch (cipherInfo->mode) {
+ case bltestRSA:
+ cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_PublicKeyOp
+ : rsa_PrivateKeyOp;
+ break;
+ case bltestRSA_PSS:
+ cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_signDigestPSS
+ : rsa_verifyDigestPSS;
+ break;
+ case bltestRSA_OAEP:
+ cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP
+ : rsa_decryptOAEP;
+ break;
}
return SECSuccess;
}
DSAPrivateKey **dummyKey;
PQGParams *dummypqg;
PRIntervalTime time1, time2;
- bltestDSAParams *dsap = &cipherInfo->params.dsa;
+ bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
+ bltestDSAParams *dsap = &asymk->cipherParams.dsa;
PQGVerify *ignore = NULL;
- /* DSA key gen was done during parameter setup */
- cipherInfo->cx = cipherInfo->params.dsa.dsakey;
+ cipherInfo->cx = asymk;
/* For performance testing */
if (cipherInfo->cxreps > 0) {
/* Create space for n private key objects */
if (!dsap->pqg && dsap->pqgdata.buf.len > 0) {
dsap->pqg = pqg_from_filedata(&dsap->pqgdata.buf);
}
- if (!cipherInfo->cx && dsap->key.buf.len > 0) {
- cipherInfo->cx = dsakey_from_filedata(&dsap->key.buf);
+ if (!asymk->privKey && asymk->key.buf.len > 0) {
+ asymk->privKey = dsakey_from_filedata(&asymk->key.buf);
}
if (encrypt) {
cipherInfo->cipher.pubkeyCipher = dsa_signDigest;
/* Have to convert private key to public key. Memory
* is freed with private key's arena */
DSAPublicKey *pubkey;
- DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
+ DSAPrivateKey *key = (DSAPrivateKey *)asymk->privKey;
pubkey = (DSAPublicKey *)PORT_ArenaZAlloc(key->params.arena,
sizeof(DSAPublicKey));
pubkey->params.prime.len = key->params.prime.len;
pubkey->params.base.data = key->params.base.data;
pubkey->publicValue.len = key->publicValue.len;
pubkey->publicValue.data = key->publicValue.data;
+ asymk->pubKey = pubkey;
cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
}
return SECSuccess;
int i;
ECPrivateKey **dummyKey;
PRIntervalTime time1, time2;
- bltestECDSAParams *ecdsap = &cipherInfo->params.ecdsa;
- /* ECDSA key gen was done during parameter setup */
- cipherInfo->cx = cipherInfo->params.ecdsa.eckey;
+ bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
+ cipherInfo->cx = asymk;
/* For performance testing */
if (cipherInfo->cxreps > 0) {
/* Create space for n private key objects */
/* Time n keygens, storing in the array */
TIMESTART();
for (i=0; i<cipherInfo->cxreps; i++) {
- EC_NewKey(&ecdsap->eckey->ecParams, &dummyKey[i]);
+ EC_NewKey(&((ECPrivateKey *)asymk->privKey)->ecParams, &dummyKey[i]);
}
TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
/* Free the n key objects */
PORT_FreeArena(dummyKey[i]->ecParams.arena, PR_TRUE);
PORT_Free(dummyKey);
}
- if (!cipherInfo->cx && ecdsap->key.buf.len > 0) {
- cipherInfo->cx = eckey_from_filedata(&ecdsap->key.buf);
+ if (!asymk->privKey && asymk->key.buf.len > 0) {
+ asymk->privKey = eckey_from_filedata(&asymk->key.buf);
}
if (encrypt) {
cipherInfo->cipher.pubkeyCipher = ecdsa_signDigest;
/* Have to convert private key to public key. Memory
* is freed with private key's arena */
ECPublicKey *pubkey;
- ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
+ ECPrivateKey *key = (ECPrivateKey *)asymk->privKey;
pubkey = (ECPublicKey *)PORT_ArenaZAlloc(key->ecParams.arena,
sizeof(ECPublicKey));
pubkey->ecParams.type = key->ecParams.type;
pubkey->ecParams.name= key->ecParams.name;
pubkey->publicValue.len = key->publicValue.len;
pubkey->publicValue.data = key->publicValue.data;
+ asymk->pubKey = pubkey;
cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
}
return SECSuccess;
{
int i;
SECStatus rv = SECSuccess;
+ bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
bltestRSAParams *rsap;
+ RSAPrivateKey **rsaKey = NULL;
bltestDSAParams *dsap;
+ DSAPrivateKey **dsaKey = NULL;
#ifdef NSS_ENABLE_ECC
- bltestECDSAParams *ecdsap;
SECItem *tmpECParamsDER;
ECParams *tmpECParams = NULL;
SECItem ecSerialize[3];
+ ECPrivateKey **ecKey = NULL;
#endif
switch (cipherInfo->mode) {
case bltestRSA:
- rsap = &cipherInfo->params.rsa;
+ case bltestRSA_PSS:
+ case bltestRSA_OAEP:
+ rsap = &asymk->cipherParams.rsa;
+ rsaKey = (RSAPrivateKey **)&asymk->privKey;
if (keysize > 0) {
SECItem expitem = { 0, 0, 0 };
SECITEM_AllocItem(cipherInfo->arena, &expitem, sizeof(int));
for (i = 1; i <= sizeof(int); i++)
expitem.data[i-1] = exponent >> (8*(sizeof(int) - i));
- rsap->rsakey = RSA_NewKey(keysize * 8, &expitem);
- serialize_key(&rsap->rsakey->version, 9, file);
+ *rsaKey = RSA_NewKey(keysize * 8, &expitem);
+ serialize_key(&(*rsaKey)->version, 9, file);
rsap->keysizeInBits = keysize * 8;
} else {
- setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
- rsap->rsakey = rsakey_from_filedata(&cipherInfo->params.key.buf);
- rsap->keysizeInBits = rsap->rsakey->modulus.len * 8;
+ setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
+ *rsaKey = rsakey_from_filedata(&asymk->key.buf);
+ rsap->keysizeInBits = (*rsaKey)->modulus.len * 8;
}
break;
case bltestDSA:
- dsap = &cipherInfo->params.dsa;
+ dsap = &asymk->cipherParams.dsa;
+ dsaKey = (DSAPrivateKey **)&asymk->privKey;
if (keysize > 0) {
dsap->keysize = keysize*8;
if (!dsap->pqg)
bltest_pqg_init(dsap);
- rv = DSA_NewKey(dsap->pqg, &dsap->dsakey);
+ rv = DSA_NewKey(dsap->pqg, dsaKey);
CHECKERROR(rv, __LINE__);
- serialize_key(&dsap->dsakey->params.prime, 5, file);
+ serialize_key(&(*dsaKey)->params.prime, 5, file);
} else {
- setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
- dsap->dsakey = dsakey_from_filedata(&cipherInfo->params.key.buf);
- dsap->keysize = dsap->dsakey->params.prime.len*8;
+ setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
+ *dsaKey = dsakey_from_filedata(&asymk->key.buf);
+ dsap->keysize = (*dsaKey)->params.prime.len*8;
}
break;
#ifdef NSS_ENABLE_ECC
case bltestECDSA:
- ecdsap = &cipherInfo->params.ecdsa;
+ ecKey = (ECPrivateKey **)&asymk->privKey;
if (curveName != NULL) {
tmpECParamsDER = getECParams(curveName);
rv = SECOID_Init();
CHECKERROR(rv, __LINE__);
rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
CHECKERROR(rv, __LINE__);
- rv = EC_NewKey(tmpECParams, &ecdsap->eckey);
+ rv = EC_NewKey(tmpECParams, ecKey);
CHECKERROR(rv, __LINE__);
ecSerialize[0].type = tmpECParamsDER->type;
ecSerialize[0].data = tmpECParamsDER->data;
ecSerialize[0].len = tmpECParamsDER->len;
- ecSerialize[1].type = ecdsap->eckey->publicValue.type;
- ecSerialize[1].data = ecdsap->eckey->publicValue.data;
- ecSerialize[1].len = ecdsap->eckey->publicValue.len;
- ecSerialize[2].type = ecdsap->eckey->privateValue.type;
- ecSerialize[2].data = ecdsap->eckey->privateValue.data;
- ecSerialize[2].len = ecdsap->eckey->privateValue.len;
+ ecSerialize[1].type = (*ecKey)->publicValue.type;
+ ecSerialize[1].data = (*ecKey)->publicValue.data;
+ ecSerialize[1].len = (*ecKey)->publicValue.len;
+ ecSerialize[2].type = (*ecKey)->privateValue.type;
+ ecSerialize[2].data = (*ecKey)->privateValue.data;
+ ecSerialize[2].len = (*ecKey)->privateValue.len;
serialize_key(&(ecSerialize[0]), 3, file);
SECITEM_FreeItem(tmpECParamsDER, PR_TRUE);
PORT_FreeArena(tmpECParams->arena, PR_TRUE);
rv = SECOID_Shutdown();
CHECKERROR(rv, __LINE__);
} else {
- setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
- ecdsap->eckey = eckey_from_filedata(&cipherInfo->params.key.buf);
+ setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
+ *ecKey = eckey_from_filedata(&asymk->key.buf);
}
break;
#endif
return bltest_seed_init(cipherInfo, encrypt);
break;
case bltestRSA:
- SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
- cipherInfo->input.pBuf.len);
+ case bltestRSA_OAEP:
+ case bltestRSA_PSS:
+ if (encrypt || cipherInfo->mode != bltestRSA_PSS) {
+ /* Don't allocate a buffer for PSS in verify mode, as no actual
+ * output is produced. */
+ SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+ RSA_MAX_MODULUS_BITS / 8);
+ }
return bltest_rsa_init(cipherInfo, encrypt);
break;
case bltestDSA:
- SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
- DSA_MAX_SIGNATURE_LEN);
+ if (encrypt) {
+ SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+ DSA_MAX_SIGNATURE_LEN);
+ }
return bltest_dsa_init(cipherInfo, encrypt);
break;
#ifdef NSS_ENABLE_ECC
case bltestECDSA:
- SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
- 2 * MAX_ECKEY_LEN);
+ if (encrypt) {
+ SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+ 2 * MAX_ECKEY_LEN);
+ }
return bltest_ecdsa_init(cipherInfo, encrypt);
break;
#endif
}
SECStatus
-dsaOp(bltestCipherInfo *cipherInfo)
-{
- PRIntervalTime time1, time2;
- SECStatus rv = SECSuccess;
- int i;
- int maxLen = cipherInfo->output.pBuf.len;
- SECItem dummyOut = { 0, 0, 0 };
- SECITEM_AllocItem(NULL, &dummyOut, maxLen);
- if (cipherInfo->cipher.pubkeyCipher == dsa_signDigest) {
- if (cipherInfo->params.dsa.sigseed.buf.len > 0) {
- bltestDSAParams *dsa = &cipherInfo->params.dsa;
- DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
-
- TIMESTART();
- rv = DSA_SignDigestWithSeed(key,
- &cipherInfo->output.pBuf,
- &cipherInfo->input.pBuf,
- dsa->sigseed.buf.data);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = DSA_SignDigestWithSeed(key, &dummyOut,
- &cipherInfo->input.pBuf,
- dsa->sigseed.buf.data);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = DSA_SignDigestWithSeed(key, &dummyOut,
- &cipherInfo->input.pBuf,
- dsa->sigseed.buf.data);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- } else {
- TIMESTART();
- rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
- &cipherInfo->output.pBuf,
- &cipherInfo->input.pBuf);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
- &dummyOut,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
- &dummyOut,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- }
- cipherInfo->output.buf.len = cipherInfo->output.pBuf.len;
- bltestCopyIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
- &cipherInfo->output);
- } else {
- TIMESTART();
- rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
- &cipherInfo->params.dsa.sig.buf,
- &cipherInfo->input.pBuf);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
- &cipherInfo->params.dsa.sig.buf,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
- &cipherInfo->params.dsa.sig.buf,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- }
- SECITEM_FreeItem(&dummyOut, PR_FALSE);
- return rv;
-}
-
-#ifdef NSS_ENABLE_ECC
-SECStatus
-ecdsaOp(bltestCipherInfo *cipherInfo)
-{
- PRIntervalTime time1, time2;
- SECStatus rv = SECSuccess;
- int i;
- int maxLen = cipherInfo->output.pBuf.len;
- SECItem dummyOut = { 0, 0, 0 };
- SECITEM_AllocItem(NULL, &dummyOut, maxLen);
- if (cipherInfo->cipher.pubkeyCipher == ecdsa_signDigest) {
- if (cipherInfo->params.ecdsa.sigseed.buf.len > 0) {
- ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
- bltestECDSAParams *ecdsa = &cipherInfo->params.ecdsa;
-
- TIMESTART();
- rv = ECDSA_SignDigestWithSeed(key,
- &cipherInfo->output.pBuf,
- &cipherInfo->input.pBuf,
- ecdsa->sigseed.buf.data,
- ecdsa->sigseed.buf.len);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
- &cipherInfo->input.pBuf,
- ecdsa->sigseed.buf.data,
- ecdsa->sigseed.buf.len);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
- &cipherInfo->input.pBuf,
- ecdsa->sigseed.buf.data,
- ecdsa->sigseed.buf.len);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- } else {
- TIMESTART();
- rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
- &cipherInfo->output.pBuf,
- &cipherInfo->input.pBuf);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
- &dummyOut,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
- &dummyOut,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- }
- bltestCopyIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig,
- &cipherInfo->output);
- } else {
- TIMESTART();
- rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
- &cipherInfo->params.ecdsa.sig.buf,
- &cipherInfo->input.pBuf);
- TIMEFINISH(cipherInfo->optime, 1.0);
- CHECKERROR(rv, __LINE__);
- cipherInfo->repetitions = 0;
- if (cipherInfo->repetitionsToPerfom != 0) {
- TIMESTART();
- for (i=0; i<cipherInfo->repetitionsToPerfom;
- i++, cipherInfo->repetitions++) {
- rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
- &cipherInfo->params.ecdsa.sig.buf,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- } else {
- int opsBetweenChecks = 0;
- TIMEMARK(cipherInfo->seconds);
- while (! (TIMETOFINISH())) {
- int j = 0;
- for (;j < opsBetweenChecks;j++) {
- rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
- &cipherInfo->params.ecdsa.sig.buf,
- &cipherInfo->input.pBuf);
- CHECKERROR(rv, __LINE__);
- }
- cipherInfo->repetitions += j;
- }
- }
- TIMEFINISH(cipherInfo->optime, 1.0);
- }
- SECITEM_FreeItem(&dummyOut, PR_FALSE);
- return rv;
-}
-#endif
-
-SECStatus
cipherDoOp(bltestCipherInfo *cipherInfo)
{
PRIntervalTime time1, time2;
unsigned int len;
unsigned int maxLen = cipherInfo->output.pBuf.len;
unsigned char *dummyOut;
- if (cipherInfo->mode == bltestDSA)
- return dsaOp(cipherInfo);
-#ifdef NSS_ENABLE_ECC
- else if (cipherInfo->mode == bltestECDSA)
- return ecdsaOp(cipherInfo);
-#endif
dummyOut = PORT_Alloc(maxLen);
if (is_symmkeyCipher(cipherInfo->mode)) {
const unsigned char *input = cipherInfo->input.pBuf.data;
RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
break;
#endif
- case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
- case bltestDSA: /* will be freed with it. */
+ case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
+ case bltestRSA_PSS: /* will be freed with it. */
+ case bltestRSA_OAEP:
+ case bltestDSA:
#ifdef NSS_ENABLE_ECC
case bltestECDSA:
#endif
break;
#endif
case bltestRSA:
+ case bltestRSA_PSS:
+ case bltestRSA_OAEP:
if (td) {
fprintf(stdout, "%8s", "rsa_mod");
fprintf(stdout, "%12s", "rsa_pe");
} else {
- fprintf(stdout, "%8d", info->params.rsa.keysizeInBits);
- print_exponent(&info->params.rsa.rsakey->publicExponent);
+ bltestAsymKeyParams *asymk = &info->params.asymk;
+ fprintf(stdout, "%8d", asymk->cipherParams.rsa.keysizeInBits);
+ print_exponent(
+ &((RSAPrivateKey *)asymk->privKey)->publicExponent);
}
break;
case bltestDSA:
- if (td)
+ if (td) {
fprintf(stdout, "%8s", "pqg_mod");
- else
- fprintf(stdout, "%8d", info->params.dsa.keysize);
+ } else {
+ fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
+ }
break;
#ifdef NSS_ENABLE_ECC
case bltestECDSA:
- if (td)
+ if (td) {
fprintf(stdout, "%12s", "ec_curve");
- else {
- ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
+ } else {
+ ECPrivateKey *key = (ECPrivateKey*)info->params.asymk.privKey;
+ ECCurveName curveName = key->ecParams.name;
fprintf(stdout, "%12s",
ecCurve_map[curveName]? ecCurve_map[curveName]->text:
- "Unsupported curve");
- }
+ "Unsupported curve");
+ }
break;
#endif
case bltestMD2:
data->pBuf.data = NULL;
data->pBuf.len = 0;
file = PR_Open(fn, PR_RDONLY, 00660);
- if (file)
+ if (file) {
setupIO(arena, data, file, NULL, 0);
+ PR_Close(file);
+ }
+}
+
+HASH_HashType
+mode_str_to_hash_alg(const SECItem *modeStr)
+{
+ bltestCipherMode mode;
+ char* tempModeStr = NULL;
+ if (!modeStr || modeStr->len == 0)
+ return HASH_AlgNULL;
+ tempModeStr = PORT_Alloc(modeStr->len + 1);
+ if (!tempModeStr)
+ return HASH_AlgNULL;
+ memcpy(tempModeStr, modeStr->data, modeStr->len);
+ tempModeStr[modeStr->len] = '\0';
+ mode = get_mode(tempModeStr);
+ PORT_Free(tempModeStr);
+ switch (mode) {
+ case bltestMD2: return HASH_AlgMD2;
+ case bltestMD5: return HASH_AlgMD5;
+ case bltestSHA1: return HASH_AlgSHA1;
+ case bltestSHA224: return HASH_AlgSHA224;
+ case bltestSHA256: return HASH_AlgSHA256;
+ case bltestSHA384: return HASH_AlgSHA384;
+ case bltestSHA512: return HASH_AlgSHA512;
+ }
+ return HASH_AlgNULL;
}
void
{
char filename[256];
char *modestr = mode_strings[mode];
+ bltestIO tempIO;
+
#ifdef NSS_SOFTOKEN_DOES_RC5
FILE *file;
char *mark, *param, *val;
}
break;
#endif
+ case bltestRSA_PSS:
+ sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
+ load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded);
+ /* fall through */
+ case bltestRSA_OAEP:
+ sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "seed", j);
+ load_file_data(arena, ¶ms->asymk.cipherParams.rsa.seed,
+ filename, bltestBase64Encoded);
+
+ sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "hash", j);
+ load_file_data(arena, &tempIO, filename, bltestBinary);
+ params->asymk.cipherParams.rsa.hashAlg =
+ mode_str_to_hash_alg(&tempIO.buf);
+
+ sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "maskhash", j);
+ load_file_data(arena, &tempIO, filename, bltestBinary);
+ params->asymk.cipherParams.rsa.maskHashAlg =
+ mode_str_to_hash_alg(&tempIO.buf);
+ /* fall through */
case bltestRSA:
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
- load_file_data(arena, ¶ms->rsa.key, filename, bltestBase64Encoded);
- params->rsa.rsakey = rsakey_from_filedata(¶ms->key.buf);
+ load_file_data(arena, ¶ms->asymk.key, filename,
+ bltestBase64Encoded);
+ params->asymk.privKey =
+ (void *)rsakey_from_filedata(¶ms->asymk.key.buf);
break;
case bltestDSA:
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
- load_file_data(arena, ¶ms->dsa.key, filename, bltestBase64Encoded);
- params->dsa.dsakey = dsakey_from_filedata(¶ms->key.buf);
+ load_file_data(arena, ¶ms->asymk.key, filename, bltestBase64Encoded);
+ params->asymk.privKey =
+ (void *)dsakey_from_filedata(¶ms->asymk.key.buf);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "pqg", j);
- load_file_data(arena, ¶ms->dsa.pqgdata, filename,
- bltestBase64Encoded);
- params->dsa.pqg = pqg_from_filedata(¶ms->dsa.pqgdata.buf);
+ load_file_data(arena, ¶ms->asymk.cipherParams.dsa.pqgdata, filename,
+ bltestBase64Encoded);
+ params->asymk.cipherParams.dsa.pqg =
+ pqg_from_filedata(¶ms->asymk.cipherParams.dsa.pqgdata.buf);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "keyseed", j);
- load_file_data(arena, ¶ms->dsa.keyseed, filename,
+ load_file_data(arena, ¶ms->asymk.cipherParams.dsa.keyseed, filename,
bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
- load_file_data(arena, ¶ms->dsa.sigseed, filename,
+ load_file_data(arena, ¶ms->asymk.cipherParams.dsa.sigseed, filename,
bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
- load_file_data(arena, ¶ms->dsa.sig, filename, bltestBase64Encoded);
+ load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded);
break;
#ifdef NSS_ENABLE_ECC
case bltestECDSA:
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
- load_file_data(arena, ¶ms->ecdsa.key, filename, bltestBase64Encoded);
- params->ecdsa.eckey = eckey_from_filedata(¶ms->key.buf);
+ load_file_data(arena, ¶ms->asymk.key, filename, bltestBase64Encoded);
+ params->asymk.privKey =
+ (void *)eckey_from_filedata(¶ms->asymk.key.buf);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
- load_file_data(arena, ¶ms->ecdsa.sigseed, filename,
- bltestBase64Encoded);
+ load_file_data(arena, ¶ms->asymk.cipherParams.ecdsa.sigseed,
+ filename, bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
- load_file_data(arena, ¶ms->ecdsa.sig, filename, bltestBase64Encoded);
+ load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded);
break;
#endif
case bltestMD2:
modestr = mode_strings[mode];
cipherInfo.mode = mode;
params = &cipherInfo.params;
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Self-Testing RSA\n", __bltDBG);
- }
-#endif
/* get the number of tests in the directory */
sprintf(filename, "%s/tests/%s/%s", testdir, modestr, "numtests");
file = PR_Open(filename, PR_RDONLY, 00660);
return SECFailure;
}
rv = SECU_FileToItem(&item, file);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Loaded data from %s\n", __bltDBG, filename);
- }
-#endif
PR_Close(file);
/* loop over the tests in the directory */
numtests = 0;
numtests += (int) (item.data[j] - '0');
}
for (j=0; j<numtests; j++) {
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Executing self-test #%d\n", __bltDBG, j);
- }
-#endif
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
- "plaintext", j);
- load_file_data(arena, &pt, filename,
-#ifdef NSS_ENABLE_ECC
- ((mode == bltestDSA) || (mode == bltestECDSA))
-#else
- (mode == bltestDSA)
-#endif
- ? bltestBase64Encoded : bltestBinary);
+ "plaintext", j);
+ load_file_data(arena, &pt, filename,
+ is_sigCipher(mode) ? bltestBase64Encoded
+ : bltestBinary);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
- "ciphertext", j);
+ "ciphertext", j);
load_file_data(arena, &ct, filename, bltestBase64Encoded);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Loaded data for self-test #%d\n", __bltDBG, j);
- }
-#endif
get_params(arena, params, mode, j);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Got parameters for #%d\n", __bltDBG, j);
- }
-#endif
/* Forward Operation (Encrypt/Sign/Hash)
** Align the input buffer (plaintext) according to request
** then perform operation and compare to ciphertext
memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
rv |= cipherInit(&cipherInfo, PR_TRUE);
misalignBuffer(arena, &cipherInfo.output, outoff);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
- }
-#endif
rv |= cipherDoOp(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Performed encrypt for #%d\n", __bltDBG, j);
- }
-#endif
rv |= cipherFinish(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Finished encrypt for #%d\n", __bltDBG, j);
- }
-#endif
rv |= verify_self_test(&cipherInfo.output,
&ct, mode, PR_TRUE, 0);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
- }
-#endif
/* If testing hash, only one op to test */
if (is_hashCipher(mode))
continue;
/*if (rv) return rv;*/
+ if (is_sigCipher(mode)) {
+ /* Verify operations support detached signature files. For
+ ** consistency between tests that run Sign/Verify back to
+ ** back (eg: self-tests) and tests that are only running
+ ** verify operations, copy the output into the sig buf,
+ ** and then copy the sig buf back out when verifying. For
+ ** self-tests, this is unnecessary copying, but for
+ ** verify-only operations, this ensures that the output
+ ** buffer is properly configured
+ */
+ bltestCopyIO(arena, ¶ms->asymk.sig, &cipherInfo.output);
+ }
}
if (!decrypt)
continue;
** Align the input buffer (ciphertext) according to request
** then perform operation and compare to plaintext
*/
-#ifdef NSS_ENABLE_ECC
- if ((mode != bltestDSA) && (mode != bltestECDSA))
-#else
- if (mode != bltestDSA)
-#endif
- bltestCopyIO(arena, &cipherInfo.input, &ct);
- else
+ if (is_sigCipher(mode)) {
bltestCopyIO(arena, &cipherInfo.input, &pt);
+ bltestCopyIO(arena, &cipherInfo.output, ¶ms->asymk.sig);
+ } else {
+ bltestCopyIO(arena, &cipherInfo.input, &ct);
+ memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
+ }
misalignBuffer(arena, &cipherInfo.input, inoff);
- memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
rv |= cipherInit(&cipherInfo, PR_FALSE);
misalignBuffer(arena, &cipherInfo.output, outoff);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
- }
-#endif
srv = SECSuccess;
srv |= cipherDoOp(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Performed decrypt for #%d\n", __bltDBG, j);
- }
-#endif
rv |= cipherFinish(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Finished decrypt for #%d\n", __bltDBG, j);
- }
-#endif
rv |= verify_self_test(&cipherInfo.output,
&pt, mode, PR_FALSE, srv);
-#ifdef TRACK_BLTEST_BUG
- if (mode == bltestRSA) {
- fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
- }
-#endif
/*if (rv) return rv;*/
}
}
bltestIO keydata;
PLArenaPool *arena = NULL;
arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
- if (mode == bltestRSA) {
+ if (mode == bltestRSA || mode == bltestRSA_PSS || mode == bltestRSA_OAEP) {
RSAPrivateKey *key;
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
key = rsakey_from_filedata(&keydata.buf);
!bltest.commands[cmd_Decrypt].activated)
decrypt = PR_FALSE;
rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
- encrypt, decrypt);
- PORT_Free(cipherInfo);
- return rv;
+ encrypt, decrypt);
+ PORT_Free(cipherInfo);
+ return rv;
}
/* Do FIPS self-test */
if (bltest.commands[cmd_Verify].activated) {
file = PR_Open(bltest.options[opt_SigFile].arg, PR_RDONLY, 00660);
- if (cipherInfo->mode == bltestDSA) {
- memset(&cipherInfo->params.dsa.sig, 0, sizeof(bltestIO));
- cipherInfo->params.dsa.sig.mode = ioMode;
- setupIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
- file, NULL, 0);
-#ifdef NSS_ENABLE_ECC
- } else if (cipherInfo->mode == bltestECDSA) {
- memset(&cipherInfo->params.ecdsa.sig, 0, sizeof(bltestIO));
- cipherInfo->params.ecdsa.sig.mode = ioMode;
- setupIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig,
- file, NULL, 0);
-#endif
+ if (is_sigCipher(cipherInfo->mode)) {
+ memset(¶ms->asymk.sig, 0, sizeof(bltestIO));
+ params->asymk.sig.mode = ioMode;
+ setupIO(cipherInfo->arena, ¶ms->asymk.sig, file, NULL, 0);
}
if (file) {
PR_Close(file);
if (bltest.options[opt_PQGFile].activated) {
file = PR_Open(bltest.options[opt_PQGFile].arg, PR_RDONLY, 00660);
- params->dsa.pqgdata.mode = bltestBase64Encoded;
- setupIO(cipherInfo->arena, ¶ms->dsa.pqgdata, file, NULL, 0);
+ params->asymk.cipherParams.dsa.pqgdata.mode = bltestBase64Encoded;
+ setupIO(cipherInfo->arena, ¶ms->asymk.cipherParams.dsa.pqgdata,
+ file, NULL, 0);
if (file) {
PR_Close(file);
}
bltest -E -m rsa -i plaintext0 -o ciphertext0 -e 65537 -g 32 -a
mv tmp.key key0
+RSA-OAEP/RSA-PSS:
+RSA-OAEP and RSA-PSS have a number of additional parameters to feed in.
+- "seedN": The seed or salt to use when encrypting/signing
+- "hashN" / "maskhashN" - The base digest algorithm and the digest algorithm
+ to use with MGF1, respectively. This should be an ASCII string specifying
+ one of the hash algorithms recognized by bltest (eg: "sha1", "sha256")
+
[note: specifying a keysize (-g) when using RSA is important!]
--- /dev/null
+NU/me0oSbV01/jbHd3kaP3uhPe9ITi05CK/3IvrUaPshaW3pXQvpEcLTF0+K/MIBA197bY5pQC3l
+RRYYwhpTX6nXv8W43Z/CQ/jPkn2zEyLW6IHqqRqZYXDmV6BaJmQm2YyIAD+Ed8EicJSg2foejEAk
+MJzh7My1IQA11HrHLoo=
--- /dev/null
+ZA2xrMWOBWj+VAfl+bcB3/jDyR5xbFNvx/zsbLW3HBFlmI1KJ54Vd9cw/Hopky4/AMgVFSNtjY4x
+AXp6Cd9DUtkEzet5qlg63MMeppikwFKD2rqQib5UkfZ8Gk7kjcdLu+ZkOu+EZnm0yzlaNS1e0RWR
+LfaW/+BwKTKUbXFJK0Q=
--- /dev/null
+Iyr7ySf6CML2onuH1KXLCcB9wm+uc9c6kFWIOfT9ZtKBuH7HNLziN7oWZpjtgpEGp95pQs1s3OeP
+7Y0uTYFCjmZJDQNiZM75KvlB0+NQVf45geFNKcu5pPZ0cwY7rseaEXn1oXycGDLyg4/X1eWbuWWd
+VtzooBnt7xuzrMxpfMbMenePYKBkx/b11SnGIQJi4APeWD6B4xZ7iZcfuMDhXUT//vibU9jWTdeX
+0Vm1bSsI6lMH6hLCQb1Y1O4nih8u
--- /dev/null
+Q4zH3AimjaJJ5CUF+Fc7pg4sJ3PVspD0z53/cY6EIIHDg+ZwJKDylZTqmHudJeS3OPKFlw0ZWrs6
+jIBU49eda5yagye6WW8SWeJxJmdHZpB9jVgv86hHYVSSmtsebRI1ssy07I9mO6nMZwqSvr2FPI2/
+acZDbQFvYa3YNulHMkUENCB/n9TEPewqEqlY76Ae/iZpiZteYEwlXFX7cWbeVYnjaVl7sJFowG3V
+2xd+BqF0DrLVyC+uym2S/O6ZMbqf
--- /dev/null
+U+pdwIzSYPs7hYVnKH+pFVLDCy/r+6IT8K6HcC0GjRm6sH/ldFI9+0ITnWjDxa/u4L/ky3lpy/OC
+uATW5hOWFE4tDmB0H4mTwwFLWLmxlXqLq80jr4VPTDVvsWYqpyv8x+WGVZ3EKA0WDBJnhacj6+6+
+/3HxFZRECq74fRB5Ood0ojnUoEyH/hRnudr4UgjsbHJVeUqWzCkUL5qL1Bjjwf1nNEsM0IKd87K+
+xgJTGWKTxrNNP3XTLyE91Fxic9UFrfTM7RBXy3WPwmru+kQSVe1OZMGZ7gdefxZkYYL9tGRzm2ir
+Xa/w5j6VUgFoJPBUv008jJCpe7a2VTKE60KfzA==
--- /dev/null
+orGkMKnWV+L6HCu17UP/slwFowj+kJPAEDF5X1h0QAEQgorlj7m1gc6d3dPlSa4EoJhUWb3mxiZZ
+TnsF3EJ4sqFGXBNoQIgjyF6W3GbDowmDxjlmT8RWmjf+IeWhlbV3bu0t+NjTYa9obnUCKbvWY/Fh
+hopQYV4MM3vsDKNf7AuxnDbrLgu8wFgvodk6rNsGEGP1nyzh7kNgXl2J7KGD0qzf6fgQEQIq07Q6
+PdQX2slLThHqgbGSlm6WaxgggucZZGB7T4AC82KZhEoR8q4PrqwurnD49PmAiKzc0KxVbp/MxRFS
+GQj60m8ExkIBRQMFd4dYsFOL+LW7FEqCjmKXlQ==
--- /dev/null
+mIbD5nZKi5qE6EFI69jDsaqAUDgaePZocUwW2c/Spu3FaXnFNdne47RLhcGL6JKJkjcXEUciFtld
+2pjS7oNHybFN/9/4SqSNJawG99fmU5islnsc6Qkl9n3OBJt/gS2wdCmXp01E/oHb4Oej/q8uXECv
+iI1VDdu+O8IGV6KVQ/j8KRO5vRphsqsiVuxAm719wNF3F+olxD9C7Sffhzi/SvxnZv96/whZVV7i
+g5IPTIpjxKc0DLr93DOezbSwUVAC+WyTK1t5Fnr2mcCtP8z98PROhacCYr8uGP40uFBYmXXoZ/+W
+nUjqvyEicVRs3AWmnstSblKHDINvMHvXmHgO3g==
--- /dev/null
+Yxjp+1wNBeUwfhaDQ26QMpOsRkI1iqoiPXFjATq6h+Lf2o5gxoYOKaHpJoYWPqC5F18ynKOxMaHt
+06d3Wai5e61qT49DlvKM9vOcpYES5IFg1uID2qWFbzrKX/7Vd69JlAjj39Iz4+YE2+NKnEyQgt5l
+UnysYzHSncgOBQig+nEi5/Mp9sylz6NNTR2kF4BUV+AIvsVJ5Hj/nhKnY8R30Vu7ePW2m9V4MPws
+TtaG15vHKpXYX4gTTGsK/laozPvIVYKLszm9F5Cc8dcN4zNa4HA5CT5gbWVTZd5lULhyzW3h1EDu
+AxthlF9imtijU7DUCTnpajxFDSqNXu6fZ4CTyA==
--- /dev/null
+dSkIcsz9SkUFZg1lH1babaoJyhMB2JBjL2qZLz1WXO5GSv3tQO07W+k1ZxTqWqdlX0oTZsLxfHKP
+byxaXR+OKEKbxOb48s/42o3A4KmAjkX9CeovpAyyts5v//XA4VnRG2jZCoX3uE4QOwnmgmZkgMZX
+UFwJKSWUaKMUeG106rExVzzyNL9X232eZsxnSBkuAC3A3uqTBYXwgx/c2bwz1R957S/8Frz01ZgS
+/OvKo/kGmw5EVobWRMJcz2O0Vu5fpv/pbxnN91H+2erzWVd1Tb9L/qUhaqGETcUHyy0IDnIuuhUD
+CMK1/xGTYg8XZuz0SBuvuUO9KSh38hNspJSroA==
--- /dev/null
+LSB6c0Mqj7TAMFGz9zsophdkCY36NMR6IJlfgRWqaBZnm1V+gtvuWEkIxuaXgtfes029Za8GPVf8
+p2pf0GlJL9YGjZmE0gk1BWWmLlx38jA4wSyxDGY0cJtUfEb2tKcJvYXKEi10Rl75d2LCl2Pgbbx6
+nnOMeL/KAQLcXnnWW5c/KCQMqrLhYaeLV9JiRX7YGV1T48eunaAhiDxtt8JK/dIyLqyXKtPDVMX8
+7x4UbDoCkPtnrfAHBm4AQo0s7BjOWPkyhpje/vSy617HaRj94cGYy7OLevxnYmqa7+xDIr/ZDSVj
+SByaIh94yCcsgtG2KrkU4cafavbvMMpSYNtKRg==
--- /dev/null
+Qjc27QNfYCavJ2w1wLN0GzZeX3bKCRtOjCni8L7+5gNZWqgyLWAtLmJeleuBsvHJck6CLsp224YY
+zwnFNDUDpDYINbWQO8Y344efsF4O8yaF1a7FBnzXzJb+SyZwturDBmsfz1aGtoWJqvt9YpsC2Phi
+XKODNiTUgA+wgbHPlOs=
--- /dev/null
+RerUylUeZiyYAPGsqCg7BSXmq64wvktKunYvpA/T044iq+/Gl5T267vAXduxEhYkfS9BL9D7qHxu
+Os2IiBNkb9DkjnhSBPnD9z1tgjlWJyLd3Ydx/sSLg6Me5vWSxM/UvIgXTzsToRKq47n3uA4Pxvcl
+W6iA3H2AIeIq1qhfB1U=
--- /dev/null
+NvbjTZSo002qy6M6ITnQCthak0WoYFHnMHFiAFa5IOIZAFhVohOg8jiXzc1zG0UlfHd/6QggK+/d
+C1g4axJE6gz1OaBdXRAynaROEwMP12Dc1kTP7yCU0ZENP0M+HHxt0YvB8t9/ZD1mL7ndN+rZBZGQ
+9PpmyjnoacTrRJy9xDk=
--- /dev/null
+Qs7iYXsezqTbP0gpOG+9Ydr78DjhgNg3yWNm3yTAl7SrD6xr31kNghyfEGQuaBrQW414s3jA9Gzi
++tY/dOCtPfBrB11+tfVjb41AO5BZynYbXGK7UqpFAC6nC6rOCN7SQ7nYy9YqaK3iZYMrVlZOQ6b6
+Qu0ZmgmXaXQt8VOeglU=
--- /dev/null
+JnvNEYrKsfyLqByF1zADy4YQ+lXB2X2o1Ip8fwaJak23UaooQlW502rWXzdlPYKfGzf5e4ABlCVF
+svwsVac3bKehvksXYMjgWjPlqiUmuNmOMXCI54NMdVsqWbEmMaGCwF1dQ6sXeSZPhFb1Fc5X399R
+LVST2re3M43Et9eNucCRrDuvU3pp/H9UnZefDv+alP2kFpvU0dGaacmeM8O1VJDVAbObHtrhGP9n
+k6FTJhWE06Xzn25oLj0XyM0SYfpy
--- /dev/null
+k6yfBnHsKay7RE7/waV0E1HWD9sOOT+/dUrPDeSXYaFIQd93cum8gnc5ZqFYTE1yuuoAEY+D81zK
+blN8vU2BH1WDspeD2KbZTNMb5w1vUmwQ/wnG+nzgaXlaP80FEf1fy1ZLzIDqnHjzi4ABJTnYpN32
+/oHpzdt/UNu7vMfl2GCXzPTsSRifuL8xi+bVoHFdUWtJrxkSWM0y3IM85utGc8A6Gbus6IzFSJX2
+NswMHsiQltEc4jWiZcoXZCMqaJro
--- /dev/null
+gevdlQVLDIIu+a12k/Woet+0tMTOcN8t+E7UnATaWLpfwgoZ4abot6OQCyJ5bcToae5rQnktFajs
+61bAnGmRToE86o9pMeS47W9CGvKY1ZXJf0eJx8qmEsfvNgmEwhuT7cVAEGi1r0x4qHcbmE1TuOqK
+3y9qfUoLp2x14d2fZY8g3tSkYHHUbXeRtWgD2P6n8LD45Brj8JODpvlYX+d1Pqr/0r+UVjEIvuzC
+B7u1NfX8xwXw3en3CMYvSanJA3HT
--- /dev/null
+vMNflM3mbLETZiXWJblEMqNbIvPS+hGmE/8PylvVf4e5AszcHNCuvLBxXuhp0dH+OV9nkwA/XspG
+UFnIhmDURv9fCBhVICJVfjjAimfq2ZEmIlTxBoKXXsVjl3aFN/SXevbV9qrOt/sl3sWTcjAjH9iX
+ivSRGaKfKeQkq4JytHVieS1clPd0uIKdCw2fGoye3fN1dNX6JI7vqcUnH8XsJXnIG91htBD6Yf42
+5CQiHBE63bJ1ZkyAHTTKjGNR5KhY
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNffRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UARZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
\ No newline at end of file
--- /dev/null
+u\f@GõGèä\14\11\85e#)\8aɺâEï¯\13\97ûåo\9dÕ
\ No newline at end of file
--- /dev/null
+SæèÇ)ÖùÃ\19Ý1~t°Û\8eLÌ¢_<\83\ 5tn\13zÆ:cï79çµ\95«¹n\8dUåO{Ô\1a´37\8fû\91\1d
\ No newline at end of file
--- /dev/null
+¶²\8e¢\19\8d\f\10\b¼d
\ No newline at end of file
--- /dev/null
+\8bºkø*l\ f\86Õñun\97\95hp°\89S°kN²\ 5¼\16\94î
\ No newline at end of file
--- /dev/null
+æ\18\1f\ 5;X©\ 4òEu\107>W
\ No newline at end of file
--- /dev/null
+Q
+,ö\ e\86o¢4\ 5SÉN£\9f¼%c\11è>\94EKA$
\ No newline at end of file
--- /dev/null
+§Ýl}ÂKFùÝ_\1e\91¤Ã³ß\94~\87r2©
\ No newline at end of file
--- /dev/null
+êñ§:\e\fF S}æ\9cÙ"\8b¼û\9a\8c¨ÆÃï¯\ 5oä§ôcNÐ\v|9ìi"׸ê,\ 4ë¬
\ No newline at end of file
--- /dev/null
+ÙJà\83.dEÎB3\1c°mS\1a\82±ÛKªÓ\ ftmÉ\16ß$ÔãÂE\1fÿY¦B>°áÐ-OæFÏi\9dý\81\8cn\97°Q
\ No newline at end of file
--- /dev/null
+RæPÙ\8e\7f*\ 4\8bO\86\85!S¹~\ 1Ý1o4j\19öz\85
\ No newline at end of file
--- /dev/null
+\8d¨\9fÙåùt¢\9fïûF+I\18\ flùè\ 2
\ No newline at end of file
--- /dev/null
+&R\10P\84Bq
\ No newline at end of file
--- /dev/null
+÷5ýUº\92Y,;R¸ùÄö\9aª\1c¾øþ\88Ð\95YT\12F\7f\9côì\v\89lYí¡b\10çT\9c\8a»\10ͼ!¡.ɶµ¸ý/\109\9e¶
\ No newline at end of file
--- /dev/null
+\81¹\ 6`P\15¦:«ä-ß\11á\97\89\12õ@Ltt²mÎ>Ô\82¿\96\1eÌ\81\8bô ÅFY
\ No newline at end of file
--- /dev/null
+ý2d)ß\9b\89\ e µK\18¸óO\1e$
\ No newline at end of file
--- /dev/null
+ñE\9b_\f\92ð\1a\ fr:.VbHM\8f\8c
+ ü)ÚÖ¬Ô;µóïýôá¶>\aýþf(Ð×L¡\9bòÖ\9eJ
+¿\86Ò\93\92Zygrø\b\8e
\ No newline at end of file
--- /dev/null
+GLd26iEGnWl3ajPpa61I4d2gpe8=
--- /dev/null
+DMdCzkqbfzL5UbyyUe/ZJf5P418=
--- /dev/null
+/LxCFALp7KvGCCr6QLpfJlIshA4=
--- /dev/null
+I6reDh4Iu5uaeNIwKlL5whsuG6I=
--- /dev/null
+R+GrcRn+5WyV7l6q2G9A0KpjvTM=
--- /dev/null
+bRf1tMH/rDUdGVv3sJ0J8JpAec8=
--- /dev/null
+OFOHUU3szHx0DdjN+druSaHL/VQ=
--- /dev/null
+XKymoPdkFhqWhPhdkrbg7zfKi2U=
--- /dev/null
+lbyp44WYlLPdhp+n7NW7xkAb8+Q=
--- /dev/null
+n0fd9C6X7qhWqb28cU6zrCL26zI=
--- /dev/null
+JRTfRpV1WmeyiOr0kFw27sZv0v0=
--- /dev/null
+xENaPhoYpotoIENikKN877hds/s=
--- /dev/null
+sxjELfO+D4P+qCP1p7R+1eQlo7U=
--- /dev/null
+5OwJgsIzbzpnf2o1YXTrDOiHq8I=
--- /dev/null
+jsll8TSj7Jkx6SocoNyBadXqcFw=
--- /dev/null
+7LG4sl+lDNqwjlYEKGf0r1gm0Ww=
--- /dev/null
+6JuwMsbOYiy9tTvJRmAU6nf3d8A=
--- /dev/null
+YG87mcC5zNdx6qKeoOTIhPMYnMw=
--- /dev/null
+kHQwj7WY6XAbIpQ4jlL5cfqsK2ClFFrxhd9Sh7XtKIflfOf9RNyGNOQHyODkNgvCJvPsIn+dnlRj
+jo0x9QUSFd9uu5wvlXmqd1mKOPkUtbnBvYPE4vnzgqDQqjVC/+5lmEpgG8aeso3rJ9yhLILC1MP2
+bNUA8f8rmU2KTjDLszw=
--- /dev/null
+Pvf0boMb+SsyJ0FCpYX/zvvcp7Mq6Q0Q+w8McpmE8E7ymp3weAd1zkNzm5eDg5DbClUF5j3pJwKN
+nSmyGcosRReDJVilXWlKbSW52rZgA8TMzZB4Ahk75RcNJhR9N7k1kCQb5RwlBV9H72J1LPviFBj6
+/pjCLE1NR3JP21Zp6EM=
--- /dev/null
+ghAt+MuR5xeZGaBNJtM11k+8L4csRIM5QyQd6EVIECdM3z219C1CPbFSr3E19wFCDjm0lKZ8v9Gf
+kRnaIzoj2lxkObW6DSvDc+7jUHABN41KQHOFa3/iq6C17pOyf0r+x9TRIJIcg/YGdlsCwZ5Naho7
+lfpMQilRvk9SExB37xcXlynN3721aVDbrO7+eMsWZAoJnqVtJDie7xD4/ssxuj6jsifAqGaYu4nj
+6TY5Bb8id3sqOqUhtltM73bYO95M
--- /dev/null
+p/2w0lkWXKLIjQC78QKKhn0zdpnQYRk7F6lkjhTMu6rerKrN7IFedXEpTruKEXryBfoHi0ewcSwZ
+njrQUTXFBMJLgXBRFXQIAkh5kv/VEdSvxrhUSR6z8N1SMTlUL/FcMQHuhVQ1F8ajx5QXxn4t2ap0
+HpopsG3LWTwjNrNnCuOvusfD524hVHPoZuM4yiRN4AtiYk1rlCaCLOrp+MxGCJX0ElAHP9RcWh57
+QlwgSkI6aZFZ9pA+cQs3p7sryASf
--- /dev/null
+gsKxYAk7iqPA91IrGfhzVAZsd4R6vyqfzlQtDoTpIMWvtJ/9/azhZWDulKE2lgEUjrrXoOFRzxYz
+F5Glcn0F8h505+uBFEAgaTXXRHZaFeefAVy2bFMsh6agWWHIv610GppmVwIolDk+ciNzl5bAKndF
+XQ9VWw7AHd8lm2IH/Q/VdhTO8aVXO6r/TsAAaZUWWbhfJDAKJRYMqFItxuZyflfQGdfmNim4/l6J
+4lzBW+s6ZHV3VZKZKAubKPebBAkAC+JbvZZAi6O0PMSGGE3RyOYlU/oa9AQPYGY95/XknAQ4jiV/
+HOicldq0ijFdm2axt2KCM4dv8jhSMNBw0H4WZg==
--- /dev/null
+FK412d0GupL387iXl4rtfNS/X/C1haQL1GzhtCzScDBTu5BE1k6BPY+W2y3XAH0QEY9vj4SWCXrX
+Xh/2kjQbKJKtVaYzocVefwoK1ZoOIDpbgniuxU3YYi4oMdhxdPjK/0PubEZEU0XYSlllm/uS7NTI
+GGaGlfNHBvZoKKiZWWN/K/PjJRwkvbpNS3ZJ2gAiIYsRnITnmmUn7FuKX4YcFZlS4j7AXh5xc0b6
+7+ixaGglvSsmL7JTEGbA3gms3i5CMWkHKLXYXhFaL2uSt5wlq8m9k5n/i8+CWlLqH1bqdt0m9Duq
++hi/qSpQTL01aZ4m0dzFoohzhfPGMjLwbzJEww==
--- /dev/null
+bj5Ne2sV0vtGATuJAKpbuzk5zywJVxeYcEICbuYsdMVM/9XX1X77v5UKD1xXT6CdP8HJ9ROwW0/1
+Ddjfft+iAQKFTDXlkhgBGacM5bCFGCqgLZ6iqpDR3wPy2q6IW6L10Fr9rJdHbwa5O1vJShqAqpEW
+xNYV8zOwmIkrJf+s4mb121paO8wQqCTtVarTW3J4NPuMB9oo/PQWpdmyIk8fi0QrNvkeRW/eotfP
+4zZyaN4DB6THTpJBWe0zOT1eBlVTHHcye4mCG97fiAFhx4zUGWtUGfesw/E+Xr8WG258ZyRxbKM7
+hcLiVkAZKsKFllHVC95+uXblHOyCi5i2VjuGuw==
--- /dev/null
+NAR/+WxNwNyQstT/WaGjYaR1SyVdLuCvfYv4fJvJ593u3jOTTGPKHA49JiyxRe+TKh8sCpl6pqNP
+jq7nR32CzPCQlaa4rK041O7J+36retAtodEdjlTBgl5Vv1jCojI0uQK+Ek+ekDio9o+kXaty9m4J
+Rb8di6zJBExvBwmMn87FijqrEAyAUXgVXwMKEkxFDlrL2kfQ5PELgKI/gD53TQI7ABXCC5+bvnyR
+KWM41ey0ccr7AyAHtnpgvl9pUEqfAauzy0Z7Jg4rzoYL6Nlb+SwMjhSW7R5ShZOkq7bfRi3eiglo
+3/5GgxFoV6Iy9ev2yFviOHRa0POPdnpf2/SG+w==
--- /dev/null
+fgk16hj01sHRfOgusrODbFWzhFic4Z3+dDNjrJlI0fNGt7/d/pLv14rbIfrvyJreQrEPN0AD/hIu
+Z0KaHLjL0fjZAUVkxE0SARb0mQ8abjh3TBlL0bghMoawd7BJnS57P0NKsSKJxVZoTe7XgTGTS7Pd
+ZTcjb3xvPcsJ1Ha+B3IeN+HO7Zsve0Boh71TFXMF4ci0+E1zO8Hhhv4GzFm27bj0vX/+/fT3upz7
+nVcGibWhpBCadGppCJPbN5klWgy5IV0tHNSQWQ6VLoyHhqoAESZSUkcMBB37w+7Hw8v3HCSGnRFc
+DLSpVvVtUwuAq1iaz+/GkHUd3zbo04P4PO3SzA==
--- /dev/null
+bTtbh/Z+plevIfdUQZd9IYD5GyxfaS3oKVVpamhnMNm5d42XB1jMsmBxwiCf+9YSW+LpbqgbZ8ub
+kwgjn9oX97K2Ts2glra5NWQKWhy0KpFVscnvemM6AsWfDW7lm4UsQ7NQKec8lA/wQQ6PEU7tRrvQ
++uFl5CviUopAHDso/YGO8yMtyp9NKg9RZuxZxCOW1sEdvBIVpW+hcWnblXU0PvNPneMqSc3DF0ki
+8inCPhjkXfk1MRnsQxnO3OehfGQIjB9vUr4pY0EAs5GdOPPR7ZTmiR5mpzuPuEn1h031lFnimMe7
+zi7ueCoZWqZv4tBzKyXllfV9PgYbH8PkBjv5jw==
--- /dev/null
+ZmAm+6cb0+fPExV8wsUajkqmhK+XePkYSfNDNdFBwAFUxBl2IfliSmdbWrwi7n1bqv+q4cm6yizD
+c7PzPnjmFDw5WpGqf6ymZOtzOv0U2IJyWdmadVD6ylAe8rBOM8I6pR9LnoKC79tyjMCrCUBakWB8
+Y2mWG8gnDS1POfzmErE=
--- /dev/null
+Rgl5OyPp0JNi3CG7R9oLTzp2ImSaR9RkAZua6v5TNZwXjJHNWLpry3i+A0anvGN/S4c9S6s47mYf
+GZY0xUehrYRC4D2gFbE25UP3qwfAwT5CJbjejM4l1PbrhAD4H34YM7fubjNNNwlkynn9uHK011Ij
+te6wgQFZH7Uy0VWm3oc=
--- /dev/null
+HSqtIhyk0x3fE1CSOQGTmOPRSzLcNNxa9K6uo8CVr3NHnPCkXlYpY1pToBg3dhWxbLmxOz4J1nHr
+ceOHuFRcWWDaWmR3bnaOgrLJNYO/EEw/2yNRK3tOifYz3QBjpTDbRSSwHD84TAkxDjFaedzT1oQC
+Kn8xyGWmZOMWl4t1n60=
--- /dev/null
+KjT2El4fawv5cehPvUHGMr6PLCrOfei2km4x/5Ppr5h/vAblHpvhT1GY+R8/lTvWfaYKnfWXZMPc
+D+COHL7wt1+GjRCtP7p0n+9Z+22sRqDW5QQ2kzFYb1jkYo85qieJglQ7wO61N9xhlYAZs5T7Jz8h
+WFigoBrE1lC5VcZ/TFg=
--- /dev/null
+WGEHImw84BOnyPBNGmopWbtLjiBbpDontQ8SQRG8Ne9YmwOfWTIYfLaW19mjLAw4MApc3aSDS2LS
+6yQK8z950T378JW/WZ4NloaUjBlkdHtn6JyaulzYUBYjb1ZsxYAssT6tUbx8pr7zuU3L27HVcEaX
+cd8OALGooGd3Ry0jFiee2uhkdGaNTh7/+V8d5hxgINoyrpK78WUg/vPPTYj2ESHyS72f6RtZyvEj
+WyqT/4H8QDrd9OveqEk0qc2vjhqe
--- /dev/null
+gLbWQyVSCfCkVnY4l6ye0lnUWbScKIfliC7LRDTP1m3X4WmTdTgeUc1/VU8sJxcEs5nUK0viVAoO
+ymGVH1Umf3woeMEihC2tsosBvV+MAl9+IoQYpnPAPWvAxzbQopVGvWf3htnWkszqd41x2YwgY7en
+EJIYek01rxCBEdg+g+rkbEaqNCd+BgRFiZA3iPHV587iX7SF6SlJEYgU1vLD7jYUiQFvMn+1vFF+
+tQRwv/oa+l9M6aoM5bjuGb9VAblY
--- /dev/null
+SEQI84mM1fU0g/gIGe+/JwjDTSeosqb66LMi+SQCN/mBgXrKGEbxCE2qbXwHlfblvxr1nDjhhYQ3
+zh9+xBm5jIc2rfbdmgCxgG0r060Kc3deBfUt/vOlmrSwgUPw3wXNGtnQS+zsptqkohKYA+IAy8d3
+h8r0wdBmOmxZh7YFlSAZeCyvLsFCbWj7lO0dS+gWp+0IG3fmqzMLP/wHOCD+zeNyf8vile5hoFCj
+Q2WGN8P9ZZz7Y3Nt4y2fkNPC9j7K
--- /dev/null
+hOvrSBvlmEW0ZGi6+0ccARLgKyNdhLXZEcvRkm7lB0rgQkSVyyDoIwi467ZfQZoD+0DnK3iYHYiq
+0UMFNoUXLJeynIt78K5ztbImPEA9oO0vgP90UK94KOuLhvACi9KosXak0ijMzqGDlPI4sJ/3WMwA
+vAQwEVI1V0LygrVOZjqRnnCdjaJK3lUAp7mqUCJuDKUpI+bC2GDsUP9ID6V0d+grBWX0N595x3LV
+wtqAr5+/Ml7Ob8ILAJYWFL7omhg+
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
\ No newline at end of file
--- /dev/null
+zYtlOMuOjeVmtovQZ1advx7icY4=
--- /dev/null
+41vvwXodFguc41+9jrFufuSR0/0=
--- /dev/null
+altL5M02zJff3pmV77+PCXpKmRo=
--- /dev/null
+ud/R33akYcUeZXbGyO0Kkj0cUOc=
--- /dev/null
+lZa7Ywz2qNTqRgBCK566ixNnXdQ=
--- /dev/null
+tQMxk5knf9bByPEDPL8EGZ6iFxY=
--- /dev/null
+UKrt6FNrLDByCLJ1pnri3xlsdig=
--- /dev/null
+qgtyuLNx3dEMiuR0QlzMz4hCopQ=
--- /dev/null
++tOQLJdQYiorxnJiLEgnDMV9Pqg=
--- /dev/null
+EiGW3rXRIr2Mb8eB/2kk18aVqt4=
--- /dev/null
+BlLsZ7zuMPnSaZEiuRwZq9uon5E=
--- /dev/null
+OcIcTM7anBrfg5x0ThISpkN1dew=
--- /dev/null
+NtrpE7d70XyubnsJRT0kVEzrszw=
--- /dev/null
+Re7xkfT3nDH+XS7eflCYmU6SnS0=
--- /dev/null
+JxWkm4sAEs167oTBFkRubf4/rsA=
--- /dev/null
+LayVbVOWR0isNk0GWVgnxrTxQ80=
--- /dev/null
+KNmMRszK+9O8BOcvlnpUvT6hIpg=
--- /dev/null
+CGbS/1p58l72aM1vMbQt7kIeTA4=
--- /dev/null
+3ulZx+BkETYUIP+AGF7Vfz5ndq8=
--- /dev/null
+7yhp+kDDRssYPas9e//Jj9Vt9C0=
--- /dev/null
+1okleobv+mghLF4MYZ7KKV+5G2c=
--- /dev/null
+wl8Tv2fQgWcaBIGh8YINYTu6InY=
--- /dev/null
+BOIV7m/5NLnacNdzDIc0q/zs3ok=
--- /dev/null
+iyvdS0D69UXHeN35vBpJy1f5txs=
--- /dev/null
+Tpb8GzmPkrRGcQEMDcPv1uIMLXM=
--- /dev/null
+x81pjYS2USjYg146ix6w4By1Qew=
--- /dev/null
+76i/+WISsvSj83GhDVdBUmVfXfs=
--- /dev/null
+rYsVI3A2RiJLZgtVCIWRfKLR3yg=
--- /dev/null
+cQucR0fYANTeh/Eq/c5t8YEHzHc=
--- /dev/null
+BW8AmF3hTY71zqnoL4wnvvcgM14=
--- /dev/null
+gOcP+GoI3j7GCXKzm0+/3Opnro4=
--- /dev/null
+qKtp3YAfAHTCofxgZJg2xhbZloE=
--- /dev/null
+wKQlMT3411ZL0kNNMRUj1SV+7YA=
--- /dev/null
+swfEO0hQqNrC8V8y43g574xcDpE=
--- /dev/null
+misAfoCXi7sZLDVOt9qa7fx02/U=
--- /dev/null
+cPOCvd9NXS3YizvHtzCL5jK4QEU=
{
#define FPS fprintf(stderr,
FPS "Type %s -H for more detailed descriptions\n", progName);
- FPS "Usage: %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
+ FPS "Usage: %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
FPS "Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
+ FPS "%-20s use empty password when creating a new database\n",
+ " --empty-password");
FPS "\n");
}
opt_KeyOpFlagsOn,
opt_KeyOpFlagsOff,
opt_KeyAttrFlags,
+ opt_EmptyPassword,
opt_Help
};
"keyOpFlagsOff"},
{ /* opt_KeyAttrFlags */ 0, PR_TRUE, 0, PR_FALSE,
"keyAttrFlags"},
+ { /* opt_EmptyPassword */ 0, PR_FALSE, 0, PR_FALSE,
+ "empty-password"},
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
/* If creating new database, initialize the password. */
if (certutil.commands[cmd_NewDBs].activated) {
- SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+ if(certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot)))
+ PK11_InitPin(slot, (char*)NULL, "");
+ else
+ SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
certutil.options[opt_NewPasswordFile].arg);
}
goto loser;
}
msg = PORT_ZAlloc(msgLen);
- memset(msg, 0, msgLen);
if (msg == NULL) {
goto loser;
}
keyLen = 0;
TLen = 0;
memset(key, 0, sizeof key);
- memset(msg, 0, sizeof msg);
+ memset(msg, 0, msgLen);
memset(HMAC, 0, sizeof HMAC);
continue;
}
#include "prnetdb.h"
#include "prclist.h"
#include "plgetopt.h"
+#include "pk11func.h"
+#include "nss.h"
+#include "nssb64.h"
+#include "sechash.h"
+#include "cert.h"
+#include "certdb.h"
+#include "ocsp.h"
+#include "ocspti.h"
+#include "ocspi.h"
#ifndef PORT_Sprintf
#define PORT_Sprintf sprintf
static int handle_connection( PRFileDesc *, PRFileDesc *, int );
-static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
-
-#define DEFAULT_BULK_TEST 16384
-#define MAX_BULK_TEST 1048576 /* 1 MB */
-static PRBool testBulk;
-
/* data and structures for shutdown */
static int stopping;
"Usage: %s -p port [-Dbv]\n"
" [-t threads] [-i pid_file]\n"
+" [-A nickname -C crl-filename]... [-O method]\n"
+" [-d dbdir] [-f password_file] [-w password] [-P dbprefix]\n"
"-D means disable Nagle delays in TCP\n"
"-b means try binding to the port and exit\n"
"-v means verbose output\n"
"-t threads -- specify the number of threads to use for connections.\n"
-"-i pid_file file to write the process id of selfserve\n"
+"-i pid_file file to write the process id of httpserv\n"
+"Parameters -A, -C and -O are used to provide an OCSP server at /ocsp?\n"
+"-A a nickname of a CA certificate\n"
+"-C a CRL filename corresponding to the preceding CA nickname\n"
+"-O allowed HTTP methods for OCSP requests: get, post, all, random, get-unknown\n"
+" random means: randomly fail if request method is GET, POST always works\n"
+" get-unknown means: status unknown for GET, correct status for POST\n"
+"Multiple pairs of parameters -A and -C are allowed.\n"
+"If status for a cert from an unknown CA is requested, the cert from the\n"
+"first -A parameter will be used to sign the unknown status response.\n"
+"NSS database parameters are used only if OCSP parameters are used.\n"
,progName);
}
PRErrorCode perr = PR_GetError();
const char * errString = SECU_Strerror(perr);
- fprintf(stderr, "selfserv: %s returned error %d:\n%s\n",
+ fprintf(stderr, "httpserv: %s returned error %d:\n%s\n",
funcString, perr, errString);
return errString;
}
exit(3);
}
-
#define MAX_VIRT_SERVER_NAME_ARRAY_INDEX 10
/**************************************************************************
(PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
PR_UNJOINABLE_THREAD, 0);
if (slot->prThread == NULL) {
- printf("selfserv: Failed to launch thread!\n");
+ printf("httpserv: Failed to launch thread!\n");
slot->state = rs_idle;
rv = SECFailure;
break;
void
terminateWorkerThreads(void)
{
- VLOG(("selfserv: server_thead: waiting on stopping"));
+ VLOG(("httpserv: server_thead: waiting on stopping"));
PZ_Lock(qLock);
PZ_NotifyAllCondVar(jobQNotEmptyCv);
while (threadCount > 0) {
PRBool NoReuse = PR_FALSE;
PRBool disableLocking = PR_FALSE;
-PRBool failedToNegotiateName = PR_FALSE;
+static secuPWData pwdata = { PW_NONE, 0 };
+
+struct caRevoInfoStr
+{
+ PRCList link;
+ char *nickname;
+ char *crlFilename;
+ CERTCertificate *cert;
+ CERTOCSPCertID *id;
+ CERTSignedCrl *crl;
+};
+typedef struct caRevoInfoStr caRevoInfo;
+/* Created during app init. No locks necessary,
+ * because later on, only read access will occur. */
+static caRevoInfo *caRevoInfos = NULL;
+static enum {
+ ocspGetOnly, ocspPostOnly, ocspGetAndPost, ocspRandomGetFailure, ocspGetUnknown
+} ocspMethodsAllowed = ocspGetAndPost;
static const char stopCmd[] = { "GET /stop " };
static const char getCmd[] = { "GET " };
"Content-type: text/plain\r\n"
"\r\n"
};
+static const char outOcspHeader[] = {
+ "HTTP/1.0 200 OK\r\n"
+ "Server: Generic OCSP Server\r\n"
+ "Content-type: application/ocsp-response\r\n"
+ "\r\n"
+};
+static const char outBadRequestHeader[] = {
+ "HTTP/1.0 400 Bad Request\r\n"
+ "Server: Generic OCSP Server\r\n"
+ "\r\n"
+};
void stop_server()
{
PZ_TraceFlush();
}
+/* Will only work if the original input to url encoding was
+ * a base64 encoded buffer. Will only decode the sequences used
+ * for encoding the special base64 characters, and fail if any
+ * other encoded chars are found.
+ * Will return SECSuccess if input could be processed.
+ * Coversion is done in place.
+ */
+static SECStatus
+urldecode_base64chars_inplace(char *buf)
+{
+ char *walk;
+ size_t remaining_bytes;
+
+ if (!buf || !*buf)
+ return SECFailure;
+
+ walk = buf;
+ remaining_bytes = strlen(buf) + 1; /* include terminator */
+
+ while (*walk) {
+ if (*walk == '%') {
+ if (!PL_strncasecmp(walk, "%2B", 3)) {
+ *walk = '+';
+ } else if (!PL_strncasecmp(walk, "%2F", 3)) {
+ *walk = '/';
+ } else if (!PL_strncasecmp(walk, "%3D", 3)) {
+ *walk = '=';
+ } else {
+ return SECFailure;
+ }
+ remaining_bytes -= 3;
+ ++walk;
+ memmove(walk, walk+2, remaining_bytes);
+ } else {
+ ++walk;
+ --remaining_bytes;
+ }
+ }
+ return SECSuccess;
+}
+
int
handle_connection(
PRFileDesc *tcp_sock,
{
PRFileDesc * ssl_sock = NULL;
PRFileDesc * local_file_fd = NULL;
- char * post;
char * pBuf; /* unused space at end of buf */
const char * errString;
PRStatus status;
char msgBuf[160];
char buf[10240];
char fileName[513];
+ char *getData = NULL; /* inplace conversion */
+ SECItem postData;
+ PRBool isOcspRequest = PR_FALSE;
+ PRBool isPost;
+
+ postData.data = NULL;
+ postData.len = 0;
pBuf = buf;
bufRem = sizeof buf;
- VLOG(("selfserv: handle_connection: starting"));
+ VLOG(("httpserv: handle_connection: starting"));
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
PR_SetSocketOption(tcp_sock, &opt);
- VLOG(("selfserv: handle_connection: starting\n"));
+ VLOG(("httpserv: handle_connection: starting\n"));
ssl_sock = tcp_sock;
if (noDelay) {
}
while (1) {
+ const char *post;
+ const char *foundStr = NULL;
+ const char *tmp = NULL;
+
newln = 0;
- reqLen = 0;
+ reqLen = 0;
+
rv = PR_Read(ssl_sock, pBuf, bufRem - 1);
if (rv == 0 ||
(rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
if (!post || *post != 'P')
break;
- /* It's a post, so look for the next and final CR/LF. */
- /* We should parse content length here, but ... */
- while (reqLen < bufDat && newln < 3) {
- int octet = buf[reqLen++];
- if (octet == '\n') {
- newln++;
+ postData.data = (void*)(buf + reqLen);
+
+ tmp = "content-length: ";
+ foundStr = PL_strcasestr(buf, tmp);
+ if (foundStr) {
+ int expectedPostLen;
+ int havePostLen;
+
+ expectedPostLen = atoi(foundStr+strlen(tmp));
+ havePostLen = bufDat - reqLen;
+ if (havePostLen >= expectedPostLen) {
+ postData.len = expectedPostLen;
+ break;
+ }
+ } else {
+ /* use legacy hack */
+ /* It's a post, so look for the next and final CR/LF. */
+ while (reqLen < bufDat && newln < 3) {
+ int octet = buf[reqLen++];
+ if (octet == '\n') {
+ newln++;
+ }
}
+ if (newln == 3)
+ break;
}
- if (newln == 3)
- break;
} /* read loop */
bufDat = pBuf - buf;
if (bufDat) do { /* just close if no data */
/* Have either (a) a complete get, (b) a complete post, (c) EOF */
- if (reqLen > 0 && !strncmp(buf, getCmd, sizeof getCmd - 1)) {
- char * fnBegin = buf + 4;
- char * fnEnd;
- PRFileInfo info;
- /* try to open the file named.
- * If successful, then write it to the client.
- */
- fnEnd = strpbrk(fnBegin, " \r\n");
- if (fnEnd) {
- int fnLen = fnEnd - fnBegin;
- if (fnLen < sizeof fileName) {
- char *fnstart;
- strncpy(fileName, fnBegin, fnLen);
- fileName[fnLen] = 0; /* null terminate */
- fnstart = fileName;
- /* strip initial / because our root is the current directory*/
- while (*fnstart && *fnstart=='/')
- ++fnstart;
- status = PR_GetFileInfo(fnstart, &info);
- if (status == PR_SUCCESS &&
- info.type == PR_FILE_FILE &&
- info.size >= 0 ) {
- local_file_fd = PR_Open(fnstart, PR_RDONLY, 0);
+ if (reqLen > 0) {
+ PRBool isGetOrPost = PR_FALSE;
+ unsigned skipChars = 0;
+ isPost = PR_FALSE;
+
+ if (!strncmp(buf, getCmd, sizeof getCmd - 1)) {
+ isGetOrPost = PR_TRUE;
+ skipChars = 4;
+ }
+ else if (!strncmp(buf, "POST ", 5)) {
+ isGetOrPost = PR_TRUE;
+ isPost = PR_TRUE;
+ skipChars = 5;
+ }
+
+ if (isGetOrPost) {
+ char * fnBegin = buf;
+ char * fnEnd;
+ char * fnstart = NULL;
+ PRFileInfo info;
+
+ fnBegin += skipChars;
+
+ fnEnd = strpbrk(fnBegin, " \r\n");
+ if (fnEnd) {
+ int fnLen = fnEnd - fnBegin;
+ if (fnLen < sizeof fileName) {
+ strncpy(fileName, fnBegin, fnLen);
+ fileName[fnLen] = 0; /* null terminate */
+ fnstart = fileName;
+ /* strip initial / because our root is the current directory*/
+ while (*fnstart && *fnstart=='/')
+ ++fnstart;
+ }
+ }
+ if (fnstart) {
+ if (!strncmp(fnstart, "ocsp", 4)) {
+ if (isPost) {
+ if (postData.data) {
+ isOcspRequest = PR_TRUE;
+ }
+ } else {
+ if (!strncmp(fnstart, "ocsp/", 5)) {
+ isOcspRequest = PR_TRUE;
+ getData = fnstart + 5;
+ }
+ }
+ } else {
+ /* try to open the file named.
+ * If successful, then write it to the client.
+ */
+ status = PR_GetFileInfo(fnstart, &info);
+ if (status == PR_SUCCESS &&
+ info.type == PR_FILE_FILE &&
+ info.size >= 0 ) {
+ local_file_fd = PR_Open(fnstart, PR_RDONLY, 0);
+ }
}
}
}
}
numIOVs = 0;
-
+
iovs[numIOVs].iov_base = (char *)outHeader;
iovs[numIOVs].iov_len = (sizeof(outHeader)) - 1;
numIOVs++;
-
- if (local_file_fd) {
+
+ if (isOcspRequest && caRevoInfos) {
+ CERTOCSPRequest *request = NULL;
+ PRBool failThisRequest = PR_FALSE;
+
+ if (ocspMethodsAllowed == ocspGetOnly && postData.len) {
+ failThisRequest = PR_TRUE;
+ } else if (ocspMethodsAllowed == ocspPostOnly && getData) {
+ failThisRequest = PR_TRUE;
+ } else if (ocspMethodsAllowed == ocspRandomGetFailure && getData) {
+ if (!(rand() % 2)) {
+ failThisRequest = PR_TRUE;
+ }
+ }
+
+ if (failThisRequest) {
+ PR_Write(ssl_sock, outBadRequestHeader, strlen(outBadRequestHeader));
+ break;
+ }
+ /* get is base64, post is binary.
+ * If we have base64, convert into the (empty) postData array.
+ */
+ if (getData) {
+ if (urldecode_base64chars_inplace(getData) == SECSuccess) {
+ NSSBase64_DecodeBuffer(NULL, &postData, getData, strlen(getData));
+ }
+ }
+ if (postData.len) {
+ request = CERT_DecodeOCSPRequest(&postData);
+ }
+ if (!request || !request->tbsRequest ||
+ !request->tbsRequest->requestList ||
+ !request->tbsRequest->requestList[0]) {
+ PORT_Sprintf(msgBuf, "Cannot decode OCSP request.\r\n");
+
+ iovs[numIOVs].iov_base = msgBuf;
+ iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
+ numIOVs++;
+ } else {
+ /* TODO: support more than one request entry */
+ CERTOCSPCertID *reqid = request->tbsRequest->requestList[0]->reqCert;
+ const caRevoInfo *revoInfo = NULL;
+ PRBool unknown = PR_FALSE;
+ PRBool revoked = PR_FALSE;
+ PRTime nextUpdate = 0;
+ PRTime revoDate = 0;
+ PRCList *caRevoIter;
+
+ caRevoIter = &caRevoInfos->link;
+ do {
+ CERTOCSPCertID *caid;
+
+ revoInfo = (caRevoInfo*)caRevoIter;
+ caid = revoInfo->id;
+
+ if (SECOID_CompareAlgorithmID(&reqid->hashAlgorithm,
+ &caid->hashAlgorithm) == SECEqual
+ &&
+ SECITEM_CompareItem(&reqid->issuerNameHash,
+ &caid->issuerNameHash) == SECEqual
+ &&
+ SECITEM_CompareItem(&reqid->issuerKeyHash,
+ &caid->issuerKeyHash) == SECEqual) {
+ break;
+ }
+ revoInfo = NULL;
+ caRevoIter = PR_NEXT_LINK(caRevoIter);
+ } while (caRevoIter != &caRevoInfos->link);
+
+ if (!revoInfo) {
+ unknown = PR_TRUE;
+ revoInfo = caRevoInfos;
+ } else {
+ CERTCrl *crl = &revoInfo->crl->crl;
+ CERTCrlEntry *entry = NULL;
+ DER_DecodeTimeChoice(&nextUpdate, &crl->nextUpdate);
+ if (crl->entries) {
+ int iv = 0;
+ /* assign, not compare */
+ while ((entry = crl->entries[iv++])) {
+ if (SECITEM_CompareItem(&reqid->serialNumber,
+ &entry->serialNumber) == SECEqual) {
+ break;
+ }
+ }
+ }
+ if (entry) {
+ /* revoked status response */
+ revoked = PR_TRUE;
+ DER_DecodeTimeChoice(&revoDate, &entry->revocationDate);
+ } else {
+ /* else good status response */
+ if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
+ unknown = PR_TRUE;
+ nextUpdate = PR_Now() + 60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
+ revoDate = PR_Now() - 60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
+ }
+ }
+ }
+
+ {
+ PRTime now = PR_Now();
+ PLArenaPool *arena = NULL;
+ CERTOCSPSingleResponse *sr;
+ CERTOCSPSingleResponse **singleResponses;
+ SECItem *ocspResponse;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (unknown) {
+ sr = CERT_CreateOCSPSingleResponseUnknown(arena, reqid, now,
+ &nextUpdate);
+ } else if (revoked) {
+ sr = CERT_CreateOCSPSingleResponseRevoked(arena, reqid, now,
+ &nextUpdate, revoDate, NULL);
+ } else {
+ sr = CERT_CreateOCSPSingleResponseGood(arena, reqid, now,
+ &nextUpdate);
+ }
+
+ /* meaning of value 2: one entry + one end marker */
+ singleResponses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
+ singleResponses[0] = sr;
+ singleResponses[1] = NULL;
+ ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena,
+ revoInfo->cert, ocspResponderID_byName, now,
+ singleResponses, &pwdata);
+
+ if (!ocspResponse) {
+ PORT_Sprintf(msgBuf, "Failed to encode response\r\n");
+ iovs[numIOVs].iov_base = msgBuf;
+ iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
+ numIOVs++;
+ } else {
+ PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader));
+ PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len);
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ }
+ break;
+ }
+ } else if (local_file_fd) {
PRInt32 bytes;
int errLen;
bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
if (bytes >= 0) {
bytes -= sizeof outHeader - 1;
FPRINTF(stderr,
- "selfserv: PR_TransmitFile wrote %d bytes from %s\n",
+ "httpserv: PR_TransmitFile wrote %d bytes from %s\n",
bytes, fileName);
break;
}
numIOVs++;
}
- /* Don't add the EOF if we want to test bulk encryption */
- if (!testBulk) {
- iovs[numIOVs].iov_base = (char *)EOFmsg;
- iovs[numIOVs].iov_len = sizeof EOFmsg - 1;
- numIOVs++;
- }
-
rv = PR_Writev(ssl_sock, iovs, numIOVs, PR_INTERVAL_NO_TIMEOUT);
if (rv < 0) {
errWarn("PR_Writev");
}
if (local_file_fd)
PR_Close(local_file_fd);
- VLOG(("selfserv: handle_connection: exiting\n"));
+ VLOG(("httpserv: handle_connection: exiting\n"));
/* do a nice shutdown if asked. */
if (!strncmp(buf, stopCmd, sizeof stopCmd - 1)) {
- VLOG(("selfserv: handle_connection: stop command"));
+ VLOG(("httpserv: handle_connection: stop command"));
stop_server();
}
- VLOG(("selfserv: handle_connection: exiting"));
+ VLOG(("httpserv: handle_connection: exiting"));
return SECSuccess; /* success */
}
void sigusr1_handler(int sig)
{
- VLOG(("selfserv: sigusr1_handler: stop server"));
+ VLOG(("httpserv: sigusr1_handler: stop server"));
stop_server();
}
struct sigaction act;
#endif
- VLOG(("selfserv: do_accepts: starting"));
+ VLOG(("httpserv: do_accepts: starting"));
PR_SetThreadPriority( PR_GetCurrentThread(), PR_PRIORITY_HIGH);
acceptorThread = PR_GetCurrentThread();
PRFileDesc *tcp_sock;
PRCList *myLink;
- FPRINTF(stderr, "\n\n\nselfserv: About to call accept.\n");
+ FPRINTF(stderr, "\n\n\nhttpserv: About to call accept.\n");
tcp_sock = PR_Accept(listen_sock, &addr, PR_INTERVAL_NO_TIMEOUT);
if (tcp_sock == NULL) {
perr = PR_GetError();
break;
}
- VLOG(("selfserv: do_accept: Got connection\n"));
+ VLOG(("httpserv: do_accept: Got connection\n"));
PZ_Lock(qLock);
while (PR_CLIST_IS_EMPTY(&freeJobs) && !stopping) {
PZ_Unlock(qLock);
}
- FPRINTF(stderr, "selfserv: Closing listen socket.\n");
- VLOG(("selfserv: do_accepts: exiting"));
+ FPRINTF(stderr, "httpserv: Closing listen socket.\n");
+ VLOG(("httpserv: do_accepts: exiting"));
if (listen_sock) {
PR_Close(listen_sock);
}
return newProcess;
}
+/* slightly adjusted version of ocsp_CreateCertID (not using issuer) */
+static CERTOCSPCertID *
+ocsp_CreateSelfCAID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
+{
+ CERTOCSPCertID *certID;
+ void *mark = PORT_ArenaMark(arena);
+ SECStatus rv;
+
+ PORT_Assert(arena != NULL);
+
+ certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
+ if (certID == NULL) {
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
+ NULL);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_SHA1,
+ &(certID->issuerNameHash)) == NULL) {
+ goto loser;
+ }
+ certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
+ certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
+
+ if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD5,
+ &(certID->issuerMD5NameHash)) == NULL) {
+ goto loser;
+ }
+
+ if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD2,
+ &(certID->issuerMD2NameHash)) == NULL) {
+ goto loser;
+ }
+
+ if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_SHA1,
+ &certID->issuerKeyHash) == NULL) {
+ goto loser;
+ }
+ certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
+ certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
+ /* cache the other two hash algorithms as well */
+ if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD5,
+ &certID->issuerMD5KeyHash) == NULL) {
+ goto loser;
+ }
+ if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD2,
+ &certID->issuerMD2KeyHash) == NULL) {
+ goto loser;
+ }
+
+ PORT_ArenaUnmark(arena, mark);
+ return certID;
+
+loser:
+ PORT_ArenaRelease(arena, mark);
+ return NULL;
+}
+
+/* slightly adjusted version of CERT_CreateOCSPCertID */
+CERTOCSPCertID*
+cert_CreateSelfCAID(CERTCertificate *cert, PRTime time)
+{
+ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ CERTOCSPCertID *certID;
+ PORT_Assert(arena != NULL);
+ if (!arena)
+ return NULL;
+
+ certID = ocsp_CreateSelfCAID(arena, cert, time);
+ if (!certID) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+ certID->poolp = arena;
+ return certID;
+}
+
int
main(int argc, char **argv)
{
char * progName = NULL;
+ const char * dir = ".";
+ char * passwd = NULL;
+ char * pwfile = NULL;
const char * pidFile = NULL;
char * tmp;
PRFileDesc * listen_sock;
PRBool useLocalThreads = PR_FALSE;
PLOptState *optstate;
PLOptStatus status;
+ char emptyString[] = { "" };
+ char* certPrefix = emptyString;
+ caRevoInfo *revoInfo = NULL;
+ PRCList *caRevoIter = NULL;
+ PRBool provideOcsp = PR_FALSE;
tmp = strrchr(argv[0], '/');
tmp = tmp ? tmp + 1 : argv[0];
** numbers, then capital letters, then lower case, alphabetical.
*/
optstate = PL_CreateOptState(argc, argv,
- "Dbhi:p:t:v");
+ "A:C:DO:P:bd:f:hi:p:t:vw:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch(optstate->option) {
+ /* A first, must be followed by C. Any other order is an error.
+ * A creates the object. C completes and moves into list.
+ */
+ case 'A':
+ provideOcsp = PR_TRUE;
+ if (revoInfo) { Usage(progName); exit(0); }
+ revoInfo = PORT_New(caRevoInfo);
+ revoInfo->nickname = PORT_Strdup(optstate->value);
+ break;
+ case 'C':
+ if (!revoInfo) { Usage(progName); exit(0); }
+ revoInfo->crlFilename = PORT_Strdup(optstate->value);
+ if (!caRevoInfos) {
+ PR_INIT_CLIST(&revoInfo->link);
+ caRevoInfos = revoInfo;
+ } else {
+ PR_APPEND_LINK(&revoInfo->link, &caRevoInfos->link);
+ }
+ revoInfo = NULL;
+ break;
+
+ case 'O':
+ if (!PL_strcasecmp(optstate->value, "all")) {
+ ocspMethodsAllowed = ocspGetAndPost;
+ } else if (!PL_strcasecmp(optstate->value, "get")) {
+ ocspMethodsAllowed = ocspGetOnly;
+ } else if (!PL_strcasecmp(optstate->value, "post")) {
+ ocspMethodsAllowed = ocspPostOnly;
+ } else if (!PL_strcasecmp(optstate->value, "random")) {
+ ocspMethodsAllowed = ocspRandomGetFailure;
+ } else if (!PL_strcasecmp(optstate->value, "get-unknown")) {
+ ocspMethodsAllowed = ocspGetUnknown;
+ } else {
+ Usage(progName); exit(0);
+ }
+ break;
+
case 'D': noDelay = PR_TRUE; break;
+ case 'P': certPrefix = PORT_Strdup(optstate->value); break;
+
case 'b': bindOnly = PR_TRUE; break;
+ case 'd': dir = optstate->value; break;
+
+ case 'f':
+ pwdata.source = PW_FROMFILE;
+ pwdata.data = pwfile = PORT_Strdup(optstate->value);
+ break;
+
case 'h': Usage(progName); exit(0); break;
case 'i': pidFile = optstate->value; break;
case 'v': verbose++; break;
+ case 'w':
+ pwdata.source = PW_PLAINTEXT;
+ pwdata.data = passwd = PORT_Strdup(optstate->value);
+ break;
+
default:
case '?':
fprintf(stderr, "Unrecognized or bad option specified.\n");
}
/* The -b (bindOnly) option is only used by the ssl.sh test
- * script on Linux to determine whether a previous selfserv
+ * script on Linux to determine whether a previous httpserv
* process has fully died and freed the port. (Bug 129701)
*/
if (bindOnly) {
lm = PR_NewLogModule("TestCase");
+ /* set our password function */
+ PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+ if (provideOcsp) {
+ /* Call the NSS initialization routines */
+ rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+ if (rv != SECSuccess) {
+ fputs("NSS_Init failed.\n", stderr);
+ exit(8);
+ }
+
+ if (caRevoInfos) {
+ caRevoIter = &caRevoInfos->link;
+ do {
+ PRFileDesc *inFile;
+ int rv = SECFailure;
+ SECItem crlDER;
+ crlDER.data = NULL;
+
+ revoInfo = (caRevoInfo*)caRevoIter;
+ revoInfo->cert = CERT_FindCertByNickname(
+ CERT_GetDefaultCertDB(), revoInfo->nickname);
+ if (!revoInfo->cert) {
+ fprintf(stderr, "cannot find cert with nickname %s\n",
+ revoInfo->nickname);
+ exit(1);
+ }
+ inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0);
+ if (inFile) {
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
+ }
+ if (!inFile || rv != SECSuccess) {
+ fprintf(stderr, "unable to read crl file %s\n",
+ revoInfo->crlFilename);
+ exit(1);
+ }
+ revoInfo->crl =
+ CERT_DecodeDERCrlWithFlags(NULL, &crlDER, SEC_CRL_TYPE,
+ CRL_DECODE_DEFAULT_OPTIONS);
+ if (!revoInfo->crl) {
+ fprintf(stderr, "unable to decode crl file %s\n",
+ revoInfo->crlFilename);
+ exit(1);
+ }
+ if (CERT_CompareName(&revoInfo->crl->crl.name,
+ &revoInfo->cert->subject) != SECEqual) {
+ fprintf(stderr, "CRL %s doesn't match cert identified by preceding nickname %s\n",
+ revoInfo->crlFilename, revoInfo->nickname);
+ exit(1);
+ }
+ revoInfo->id = cert_CreateSelfCAID(revoInfo->cert, PR_Now());
+ caRevoIter = PR_NEXT_LINK(caRevoIter);
+ } while (caRevoIter != &caRevoInfos->link);
+ }
+ }
+
/* allocate the array of thread slots, and launch the worker threads. */
rv = launch_threads(&jobLoop, 0, 0, 0, useLocalThreads);
0);
}
- VLOG(("selfserv: server_thread: exiting"));
-
- if (failedToNegotiateName) {
- fprintf(stderr, "selfserv: Failed properly negotiate server name\n");
- exit(1);
+ VLOG(("httpserv: server_thread: exiting"));
+
+ if (provideOcsp) {
+ if (caRevoInfos) {
+ PRCList *caRevoIter;
+
+ caRevoIter = &caRevoInfos->link;
+ do {
+ caRevoInfo *revoInfo = (caRevoInfo*)caRevoIter;
+ if (revoInfo->nickname)
+ PORT_Free(revoInfo->nickname);
+ if (revoInfo->crlFilename)
+ PORT_Free(revoInfo->crlFilename);
+ if (revoInfo->cert)
+ CERT_DestroyCertificate(revoInfo->cert);
+ if (revoInfo->id)
+ CERT_DestroyOCSPCertID(revoInfo->id);
+ if (revoInfo->crl)
+ SEC_DestroyCrl(revoInfo->crl);
+
+ caRevoIter = PR_NEXT_LINK(caRevoIter);
+ } while (caRevoIter != &caRevoInfos->link);
+
+ }
+ if (NSS_Shutdown() != SECSuccess) {
+ SECU_PrintError(progName, "NSS_Shutdown");
+ PR_Cleanup();
+ exit(1);
+ }
+ }
+ if (passwd) {
+ PORT_Free(passwd);
+ }
+ if (pwfile) {
+ PORT_Free(pwfile);
+ }
+ if (certPrefix && certPrefix != emptyString) {
+ PORT_Free(certPrefix);
}
-
PR_Cleanup();
- printf("selfserv: normal termination\n");
+ printf("httpserv: normal termination\n");
return 0;
}
}
}
+static void
+printStringWithoutCRLF(FILE *out, const char *str)
+{
+ const char *c = str;
+ while (*c) {
+ if (*c != '\r' && *c != '\n') {
+ fputc(*c, out);
+ }
+ ++c;
+ }
+}
+
int
SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
int level)
}
SECU_PrintName(out, &c->subject, "Subject", 0);
- fprintf(out, "\n");
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
SECU_PrintName(out, &c->issuer, "Issuer", 0);
- fprintf(out, "\n");
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
SECU_PrintInteger(out, &c->serialNumber, "Serial Number", 0);
derIssuerB64 = BTOA_ConvertItemToAscii(&c->derIssuer);
derSerialB64 = BTOA_ConvertItemToAscii(&c->serialNumber);
- fprintf(out, "Issuer DER Base64:\n%s\n", derIssuerB64);
- fprintf(out, "Serial DER Base64:\n%s\n", derSerialB64);
+
+ fprintf(out, "Issuer DER Base64:\n");
+ if (SECU_GetWrapEnabled()) {
+ fprintf(out, "%s\n", derIssuerB64);
+ } else {
+ printStringWithoutCRLF(out, derIssuerB64);
+ fputs("\n", out);
+ }
+
+ fprintf(out, "Serial DER Base64:\n");
+ if (SECU_GetWrapEnabled()) {
+ fprintf(out, "%s\n", derSerialB64);
+ } else {
+ printStringWithoutCRLF(out, derSerialB64);
+ fputs("\n", out);
+ }
+
PORT_Free(derIssuerB64);
PORT_Free(derSerialB64);
SECU_Indent(out, level); fprintf(out, "%s:\n", m);
SECU_PrintInteger(out, &cr->version, "Version", level+1);
SECU_PrintName(out, &cr->subject, "Subject", level+1);
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo,
"Subject Public Key Info", level+1);
if (cr->attributes)
SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
SECU_PrintName(out, &c->issuer, "Issuer", level+1);
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
secu_PrintValidity(out, &c->validity, "Validity", level+1);
SECU_PrintName(out, &c->subject, "Subject", level+1);
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo,
"Subject Public Key Info", level+1);
if (c->issuerID.data)
goto loser;
SECU_PrintName(out, name, m, level);
+ if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+ SECU_Newline(out);
loser:
PORT_FreeArena(arena, PR_FALSE);
return rv;
FILE_PERMISSIONS_STRING)) {
subiter = Pk11Install_ListIter_new(subpair->list);
subval = subiter->current;
- if(!subval || (subval->type != STRING_VALUE)){
+ if(!subval || (subval->type != STRING_VALUE) ||
+ !subval->string || !subval->string[0]){
errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
_this->jarPath);
goto loser;
}
_this->permissions = (int) strtol(subval->string, &endp, 8);
- if(*endp != '\0' || subval->string == "\0") {
+ if(*endp != '\0') {
errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
_this->jarPath);
goto loser;
static void Usage(char *progName)
{
fprintf(stderr,
- "Usage: %s -t type [-a] [-i input] [-o output]\n",
+ "Usage: %s -t type [-a] [-i input] [-o output] [-w]\n",
progName);
fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
"-t type", SEC_CT_PRIVATE_KEY);
"-i input");
fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
"-o output");
+ fprintf(stderr, "%-20s Don't wrap long output lines\n",
+ "-w");
exit(-1);
}
SECItem der, data;
char *typeTag;
PLOptState *optstate;
+ PRBool wrap = PR_TRUE;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
inFile = 0;
outFile = 0;
typeTag = 0;
- optstate = PL_CreateOptState(argc, argv, "at:i:o:");
+ optstate = PL_CreateOptState(argc, argv, "at:i:o:w");
while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
switch (optstate->option) {
case '?':
case 't':
typeTag = strdup(optstate->value);
break;
+
+ case 'w':
+ wrap = PR_FALSE;
+ break;
}
}
PL_DestroyOptState(optstate);
data.data = der.data;
data.len = der.len;
+ SECU_EnableWrap(wrap);
+
/* Pretty print it */
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) {
- PRBool saveWrapeState = SECU_GetWrapEnabled();
- SECU_EnableWrap(PR_FALSE);
rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
SECU_PrintDumpDerIssuerAndSerial);
- SECU_EnableWrap(saveWrapeState);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
SECU_PrintCertificateRequest);
errWarn(char * funcString)
{
PRErrorCode perr = PR_GetError();
+ PRInt32 oserr = PR_GetOSError();
const char * errString = SECU_Strerror(perr);
- fprintf(stderr, "strsclnt: %s returned error %d:\n%s\n",
- funcString, perr, errString);
+ fprintf(stderr, "strsclnt: %s returned error %d, OS error %d: %s\n",
+ funcString, perr, oserr, errString);
}
static void
prStatus = PR_Connect(tcp_sock, addr, PR_INTERVAL_NO_TIMEOUT);
if (prStatus != PR_SUCCESS) {
PRErrorCode err = PR_GetError(); /* save error code */
+ PRInt32 oserr = PR_GetOSError();
if (ThrottleUp) {
PRTime now = PR_Now();
PR_Lock(threadLock);
lastConnectFailure = PR_MAX(now, lastConnectFailure);
PR_Unlock(threadLock);
+ PR_SetError(err, oserr); /* restore error code */
}
if ((err == PR_CONNECT_REFUSED_ERROR) ||
(err == PR_CONNECT_RESET_ERROR) ) {
csa = SSL_PeerStapledOCSPResponses(fd);
if (csa) {
for (i = 0; i < csa->len; ++i) {
- CERT_CacheOCSPResponseFromSideChannel(
- serverCertAuth->dbHandle,
- cert,
- PR_Now(),
- &csa->items[i],
- arg);
+ PORT_SetError(0);
+ if (CERT_CacheOCSPResponseFromSideChannel(
+ serverCertAuth->dbHandle, cert, PR_Now(),
+ &csa->items[i], arg) != SECSuccess) {
+ PRErrorCode error = PR_GetError();
+ PORT_Assert(error != 0);
+ }
}
}
PRBool override)
{
SECStatus rv;
- PRErrorCode status;
+ PRErrorCode error;
if (!serverCertAuth->isPaused)
return SECSuccess;
serverCertAuth->isPaused = PR_FALSE;
rv = SSL_AuthCertificate(serverCertAuth->dbHandle, fd, PR_TRUE, PR_FALSE);
if (rv != SECSuccess) {
- status = PR_GetError();
- if (status == 0) {
+ error = PR_GetError();
+ if (error == 0) {
PR_NOT_REACHED("SSL_AuthCertificate return SECFailure without "
"setting error code.");
- status = PR_INVALID_STATE_ERROR;
+ error = PR_INVALID_STATE_ERROR;
} else if (override) {
rv = ownBadCertHandler(NULL, fd);
}
}
if (rv == SECSuccess) {
- status = 0;
+ error = 0;
}
- if (SSL_AuthCertificateComplete(fd, status) != SECSuccess) {
+ if (SSL_AuthCertificateComplete(fd, error) != SECSuccess) {
rv = SECFailure;
}
CCC = cl
LINK = link
AR = lib
- AR += -NOLOGO -OUT:"$@"
+ AR += -NOLOGO -OUT:$@
RANLIB = echo
BSDECHO = echo
RC = rc.exe
OPTIMIZER += -O2
endif
DEFINES += -UDEBUG -U_DEBUG -DNDEBUG
- DLLFLAGS += -OUT:"$@"
+ DLLFLAGS += -OUT:$@
ifdef MOZ_DEBUG_SYMBOLS
ifdef MOZ_DEBUG_FLAGS
OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd$(OBJDIR)/
USERNAME := $(subst $(SPACE),_,$(USERNAME))
USERNAME := $(subst -,_,$(USERNAME))
DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
- DLLFLAGS += -DEBUG -OUT:"$@"
+ DLLFLAGS += -DEBUG -OUT:$@
LDFLAGS += -DEBUG
ifeq ($(_MSC_VER),$(_MSC_VER_6))
ifndef MOZ_DEBUG_SYMBOLS
# uses fibers).
#
# If OS_TARGET is not specified, it defaults to $(OS_ARCH), i.e., no
-# cross-compilation.
+# cross-compilation, except on Windows, where it defaults to WIN95.
#
#
-# The following hack allows one to build on a WIN95 machine (as if
-# s/he were cross-compiling on a WINNT host for a WIN95 target).
-# It also accomodates for MKS's and Cygwin's uname.exe.
-#
-ifeq ($(OS_ARCH),WIN95)
- OS_ARCH = WINNT
- OS_TARGET = WIN95
-endif
-ifeq ($(OS_ARCH),Windows_95)
- OS_ARCH = Windows_NT
- OS_TARGET = WIN95
-endif
-ifeq ($(OS_ARCH),CYGWIN_95-4.0)
- OS_ARCH = CYGWIN_NT-4.0
- OS_TARGET = WIN95
-endif
-ifeq ($(OS_ARCH),CYGWIN_98-4.10)
- OS_ARCH = CYGWIN_NT-4.0
- OS_TARGET = WIN95
-endif
-ifeq ($(OS_ARCH),CYGWIN_ME-4.90)
- OS_ARCH = CYGWIN_NT-4.0
- OS_TARGET = WIN95
-endif
-
-#
# On WIN32, we also define the variable CPU_ARCH, if it isn't already.
#
ifndef CPU_ARCH
endif
endif
#
-# If uname -s returns "CYGWIN_NT-4.0", we assume that we are using
+# If uname -s returns "CYGWIN_NT-*", we assume that we are using
# the uname.exe in the Cygwin tools.
#
ifeq (CYGWIN_NT,$(findstring CYGWIN_NT,$(OS_ARCH)))
endif
endif
#
-# If uname -s returns "MINGW32_NT-5.1", we assume that we are using
+# If uname -s returns "MINGW32_NT-*", we assume that we are using
# the uname.exe in the MSYS toolkit.
#
ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
endif
ifndef OS_TARGET
+ifeq ($(OS_ARCH), WINNT)
+ OS_TARGET = WIN95
+else
OS_TARGET = $(OS_ARCH)
endif
+endif
ifeq ($(OS_TARGET), WIN95)
OS_RELEASE = 4.0
if (rv < 0) {
perror(myPath);
} else if (S_ISLNK(sb.st_mode)) {
- rv = readlink(myPath, buf, sizeof buf);
+ rv = readlink(myPath, buf, sizeof(buf) - 1);
if (rv < 0) {
perror("readlink");
buf[0] = 0;
</varlistentry>
<varlistentry>
+ <term>--email email-address</term>
+ <listitem><para>Specify the email address of a certificate to list. Used with the -L command option.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-f password-file</term>
<listitem><para>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
</varlistentry>
<varlistentry>
+ <term>--empty-password</term>
+ <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>--keyAttrFlags attrflags</term>
<listitem><para>
PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
</varlistentry>
<varlistentry>
- <term>--keyFlagsOn opflags</term>
- <term>--keyFlagsOff opflags</term>
+ <term>--keyOpFlagsOn opflags</term>
+ <term>--keyOpFlagsOff opflags</term>
<listitem><para>
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
07694846832"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
24672048528"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p>
</p><p>
If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity.
Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string
- with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
+ with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">-
-email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
The valid key type options are rsa, dsa, ec, or all. The default
msTrustListSign
</p></li><li class="listitem"><p>
critical
- </p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
-PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--key
FlagsOn opflags, </span><span class="term">--keyFlagsOff opflags</span></dt><dd><p>
+ </p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--
empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--key
OpFlagsOn opflags, </span><span class="term">--keyOpFlagsOff opflags</span></dt><dd><p>
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
07698456864"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm2
24666099264"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Security Module Database Tool, <span class="command"><strong>modutil</strong></span>, is a command-line utility for managing PKCS #11 module information both within <code class="filename">secmod.db</code> files and within hardware tokens. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><p>
Running <span class="command"><strong>modutil</strong></span> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
</p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="option">-slot</code> argument to disable a specific slot.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>With the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Specify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that where the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example:
common-options are:
[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
- ]</p></div></div><div class="refsection"><a name="idm2
07680667808"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+ ]</p></div></div><div class="refsection"><a name="idm2
24682436944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
</p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm2
07695084256"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
- </p></div><div class="refsection"><a name="idm2
07691286816"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm2
24681757664"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+ </p></div><div class="refsection"><a name="idm2
24678000880"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
pkcs7 or crl files
- </p></div><div class="refsection"><a name="idm2
07691284880"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
+ </p></div><div class="refsection"><a name="idm2
24677998992"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm2
07702595360"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm2
24666150896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm2
07691938384"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
- </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm2
07695803904"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm2
24680848704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+ </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm2
24681951616"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
-signatureValid=yes</pre></div><div class="refsection"><a name="idm2
07695800736"></a><h3>Printing Signature Data</h3><p>
+signatureValid=yes</pre></div><div class="refsection"><a name="idm2
24679496656"></a><h3>Printing Signature Data</h3><p>
The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout.
</p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm2
07705899984"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm2
24680842512"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p>
Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</p></dd><dt><span class="term">-f </span></dt><dd><p>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm2
07689306736"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm2
24658292400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara"> * CERT_VerifyCertificate if specified once,</p><p class="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p>
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
4=Email signer, 5=Email recipient, 6=Object signer,
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm2
07703284240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm2
24662974480"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "CERTUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
Check a certificate\*(Aqs signature during the process of validating a certificate\&.
.RE
.PP
+\-\-email email\-address
+.RS 4
+Specify the email address of a certificate to list\&. Used with the \-L command option\&.
+.RE
+.PP
\-f password\-file
.RS 4
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&.
.RE
.PP
+\-\-empty\-password
+.RS 4
+Use empty password when creating new certificate database with \-N\&.
+.RE
+.PP
\-\-keyAttrFlags attrflags
.RS 4
PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE
.PP
-\-\-keyFlagsOn opflags, \-\-keyFlagsOff opflags
+\-\-keyOpFlagsOn opflags, \-\-keyOpFlagsOff opflags
.RS 4
PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE
.\" Title: PK12UTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "PK12UTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: PP
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "PP" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "PP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: signtool
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "SIGNTOOL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "SIGNTOOL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: SIGNVER
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "SIGNVER" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "SIGNVER" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: SSLTAP
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "SSLTAP" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "SSLTAP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: VFYCHAIN
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "VFYCHAIN" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "VFYCHAIN" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" Title: VFYSERV
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 19 July 2013
+.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "VFYSERV" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
+.TH "VFYSERV" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
CERTCertList *
CERT_NewCertList(void);
+/* free the cert list and all the certs in the list */
void
CERT_DestroyCertList(CERTCertList *certs);
void
CERT_RemoveCertListNode(CERTCertListNode *node);
+/* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
SECStatus
CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
+/* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
SECStatus
CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
+/*
+ * The new cert list node takes ownership of "cert". "cert" is freed
+ * when the list node is removed.
+ */
SECStatus
CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
void *appData);
+/*
+ * The new cert list node takes ownership of "cert". "cert" is freed
+ * when the list node is removed.
+ */
SECStatus
CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
void *appData);
/*
* Digest the cert's subject public key using the specified algorithm.
+ * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
+ * the tag, length, and number of unused bits) rather than the whole
+ * subjectPublicKeyInfo field.
+ *
* The necessary storage for the digest data is allocated. If "fill" is
* non-null, the data is put there, otherwise a SECItem is allocated.
* Allocation from "arena" if it is non-null, heap otherwise. Any problem
* results in a NULL being returned (and an appropriate error set).
*/
extern SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill);
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill);
+/*
+ * Digest the cert's subject name using the specified algorithm.
+ */
+extern SECItem *
+CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill);
SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
const SECItem* dp, PRTime t, void* wincx);
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
+/* When this flag is used, libpkix will never attempt to use the GET HTTP
+ * method for OCSP requests; it will always use POST.
+ */
+#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
+
/*
* The following flags are supposed to be used to control bits in
* CERTRevocationTests.cert_rev_method_independent_flags
return(oidSeq);
loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
return(NULL);
}
#include "hasht.h"
#include "sechash.h"
#include "secasn1.h"
+#include "plbase64.h"
#include "keyhi.h"
#include "cryptohi.h"
#include "ocsp.h"
OCSPCacheData cache;
SEC_OcspFailureMode ocspFailureMode;
CERT_StringFromCertFcn alternateOCSPAIAFcn;
+ PRBool forcePost;
} OCSP_Global = { NULL,
NULL,
DEFAULT_OCSP_CACHE_SIZE,
DEFAULT_OSCP_TIMEOUT_SECONDS,
{NULL, 0, NULL, NULL},
ocspMode_FailureIsVerificationFailure,
- NULL
+ NULL,
+ PR_FALSE
};
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
- const char *location, PRTime time,
+ const char *location,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest);
SECStatus *rv_ocsp);
static SECStatus
-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- PRBool cacheInvalid,
- PRBool *certIDWasConsumed,
- SECStatus *rv_ocsp);
-
-static SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- CERTOCSPSingleResponse **pSingleResponse);
+ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle);
static SECStatus
ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
{
PRTime now;
- PRBool retval;
+ PRBool fresh;
- PR_EnterMonitor(OCSP_Global.monitor);
now = PR_Now();
- retval = (cacheItem->nextFetchAttemptTime > now);
- OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", retval));
- PR_ExitMonitor(OCSP_Global.monitor);
- return retval;
+
+ fresh = cacheItem->nextFetchAttemptTime > now;
+
+ /* Work around broken OCSP responders that return unknown responses for
+ * certificates, especially certificates that were just recently issued.
+ */
+ if (fresh && cacheItem->certStatusArena &&
+ cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) {
+ fresh = PR_FALSE;
+ }
+
+ OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh));
+
+ return fresh;
}
/*
PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
cacheItem = ocsp_FindCacheEntry(cache, certID);
+
+ /* Don't replace an unknown or revoked entry with an error entry, even if
+ * the existing entry is expired. Instead, we'll continue to use the
+ * existing (possibly expired) cache entry until we receive a valid signed
+ * response to replace it.
+ */
+ if (!single && cacheItem && cacheItem->certStatusArena &&
+ (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked ||
+ cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) {
+ PR_ExitMonitor(OCSP_Global.monitor);
+ return SECSuccess;
+ }
+
if (!cacheItem) {
CERTOCSPCertID *myCertID;
if (certIDWasConsumed) {
CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
void *pwArg)
{
- ocspTBSRequest *tbsRequest;
SECStatus rv;
/* XXX All of these should generate errors if they fail. */
PORT_Assert(request);
PORT_Assert(request->tbsRequest);
- tbsRequest = request->tbsRequest;
-
if (request->tbsRequest->extensionHandle != NULL) {
rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
request->tbsRequest->extensionHandle = NULL;
* results in a NULL being returned (and an appropriate error set).
*/
SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill)
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill)
{
SECItem spk;
/*
* Digest the cert's subject name using the specified algorithm.
*/
-static SECItem *
-cert_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill)
+SECItem *
+CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill)
{
SECItem name;
goto loser;
}
- if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
+ if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
&(certID->issuerNameHash)) == NULL) {
goto loser;
}
certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
- if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
+ if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
&(certID->issuerMD5NameHash)) == NULL) {
goto loser;
}
- if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
+ if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
&(certID->issuerMD2NameHash)) == NULL) {
goto loser;
}
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
- &(certID->issuerKeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
+ &certID->issuerKeyHash) == NULL) {
goto loser;
}
certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
/* cache the other two hash algorithms as well */
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
- &(certID->issuerMD5KeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
+ &certID->issuerMD5KeyHash) == NULL) {
goto loser;
}
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
- &(certID->issuerMD2KeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
+ &certID->issuerMD2KeyHash) == NULL) {
goto loser;
}
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION. Other errors are likely problems
* connecting to it, or writing to it, or allocating memory, and the low-level
* errors appropriate to the problem will be set.
+ * if (encodedRequest == NULL)
+ * then location MUST already include the full request,
+ * including base64 and urlencode,
+ * and the request will be sent with GET
+ * if (encodedRequest != NULL)
+ * then the request will be sent with POST
*/
static PRFileDesc *
ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
PR_snprintf(portstr, sizeof(portstr), ":%d", port);
}
- header = PR_smprintf("POST %s HTTP/1.0\r\n"
- "Host: %s%s\r\n"
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %u\r\n\r\n",
- path, hostname, portstr, encodedRequest->len);
- if (header == NULL)
- goto loser;
+ if (!encodedRequest) {
+ header = PR_smprintf("GET %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n\r\n",
+ path, hostname, portstr);
+ if (header == NULL)
+ goto loser;
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+ goto loser;
+ }
+ else {
+ header = PR_smprintf("POST %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n"
+ "Content-Type: application/ocsp-request\r\n"
+ "Content-Length: %u\r\n\r\n",
+ path, hostname, portstr, encodedRequest->len);
+ if (header == NULL)
+ goto loser;
- if (PR_Write(sock, encodedRequest->data,
- (PRInt32) encodedRequest->len) < 0)
- goto loser;
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+ goto loser;
+
+ if (PR_Write(sock, encodedRequest->data,
+ (PRInt32) encodedRequest->len) < 0)
+ goto loser;
+ }
returnSock = sock;
sock = NULL;
*/
#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
+/* if (encodedRequest == NULL)
+ * then location MUST already include the full request,
+ * including base64 and urlencode,
+ * and the request will be sent with GET
+ * if (encodedRequest != NULL)
+ * then the request will be sent with POST
+ */
static SECItem *
fetchOcspHttpClientV1(PLArenaPool *arena,
const SEC_HttpClientFcnV1 *hcv1,
pServerSession,
"http",
path,
- "POST",
+ encodedRequest ? "POST" : "GET",
PR_TicksPerSecond() * OCSP_Global.timeoutSeconds,
&pRequestSession) != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
goto loser;
}
- if ((*hcv1->setPostDataFcn)(
+ if (encodedRequest &&
+ (*hcv1->setPostDataFcn)(
pRequestSession,
(char*)encodedRequest->data,
encodedRequest->len,
}
/*
- * FUNCTION: CERT_GetEncodedOCSPResponse
+ * FUNCTION: CERT_GetEncodedOCSPResponseByMethod
* Creates and sends a request to an OCSP responder, then reads and
* returns the (encoded) response.
* INPUTS:
* sent and whether there are any trusted responders in place.
* const char *location
* The location of the OCSP responder (a URL).
+ * const char *method
+ * The protocol method used when retrieving the OCSP response.
+ * Currently support: "GET" (http GET) and "POST" (http POST).
+ * Additionals methods for http or other protocols might be added
+ * in the future.
* PRTime time
* Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* Other errors are low-level problems (no memory, bad database, etc.).
*/
SECItem *
-CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
- const char *location, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
+ const char *location, const char *method,
+ PRTime time, PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
signerCert);
if (!request)
return NULL;
- return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
- time, addServiceLocator,
+ return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+ method, time, addServiceLocator,
pwArg, pRequest);
}
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ * Creates and sends a request to an OCSP responder, then reads and
+ * returns the (encoded) response.
+ *
+ * This is a legacy API that behaves identically to
+ * CERT_GetEncodedOCSPResponseByMethod using the "POST" method.
+ */
+SECItem *
+CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
+ const char *location, PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
+{
+ return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
+ "POST", time, addServiceLocator,
+ signerCert, pwArg, pRequest);
+}
+
+/* URL encode a buffer that consists of base64-characters, only,
+ * which means we can use a simple encoding logic.
+ *
+ * No output buffer size checking is performed.
+ * You should call the function twice, to calculate the required buffer size.
+ *
+ * If the outpufBuf parameter is NULL, the function will calculate the
+ * required size, including the trailing zero termination char.
+ *
+ * The function returns the number of bytes calculated or produced.
+ */
+size_t
+ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
+{
+ const char *walkInput = NULL;
+ char *walkOutput = outputBuf;
+ size_t count = 0;
+
+ for (walkInput=base64Buf; *walkInput; ++walkInput) {
+ char c = *walkInput;
+ if (isspace(c))
+ continue;
+ switch (c) {
+ case '+':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2B");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '/':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2F");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '=':
+ if (outputBuf) {
+ strcpy(walkOutput, "%3D");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ default:
+ if (outputBuf) {
+ *walkOutput = *walkInput;
+ ++walkOutput;
+ }
+ ++count;
+ break;
+ }
+ }
+ if (outputBuf) {
+ *walkOutput = 0;
+ }
+ ++count;
+ return count;
+}
+
+enum { max_get_request_size = 255 }; /* defined by RFC2560 */
+
+static SECItem *
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest);
+
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
- const char *location, PRTime time,
+ const char *location,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
SECItem *encodedResponse = NULL;
SECStatus rv;
+ if (!location || !*location) /* location should be at least one byte */
+ goto loser;
+
rv = CERT_AddOCSPAcceptableResponses(request,
SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
if (rv != SECSuccess)
if (encodedRequest == NULL)
goto loser;
- encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
+ if (!strcmp(method, "GET")) {
+ encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
+ }
+ else if (!strcmp(method, "POST")) {
+ encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
+ }
+ else {
+ goto loser;
+ }
if (encodedResponse != NULL && pRequest != NULL) {
*pRequest = request;
CERT_DestroyOCSPRequest(request);
if (encodedRequest != NULL)
SECITEM_FreeItem(encodedRequest, PR_TRUE);
-
return encodedResponse;
}
+static SECItem *
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest);
+
+/* using HTTP GET method */
+static SECItem *
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest)
+{
+ char *walkOutput = NULL;
+ char *fullGetPath = NULL;
+ size_t pathLength;
+ PRInt32 urlEncodedBufLength;
+ size_t base64size;
+ char b64ReqBuf[max_get_request_size+1];
+ size_t slashLengthIfNeeded = 0;
+ size_t getURLLength;
+ SECItem *item;
+
+ if (!location || !*location) {
+ return NULL;
+ }
+
+ pathLength = strlen(location);
+ if (location[pathLength-1] != '/') {
+ slashLengthIfNeeded = 1;
+ }
+
+ /* Calculation as documented by PL_Base64Encode function.
+ * Use integer conversion to avoid having to use function ceil().
+ */
+ base64size = (((encodedRequest->len +2)/3) * 4);
+ if (base64size > max_get_request_size) {
+ return NULL;
+ }
+ memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
+ PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len,
+ b64ReqBuf);
+
+ urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
+ getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
+
+ /* urlEncodedBufLength already contains room for the zero terminator.
+ * Add another if we must add the '/' char.
+ */
+ if (arena) {
+ fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength);
+ } else {
+ fullGetPath = (char*)PORT_Alloc(getURLLength);
+ }
+ if (!fullGetPath) {
+ return NULL;
+ }
+
+ strcpy(fullGetPath, location);
+ walkOutput = fullGetPath + pathLength;
+
+ if (walkOutput > fullGetPath && slashLengthIfNeeded) {
+ strcpy(walkOutput, "/");
+ ++walkOutput;
+ }
+ ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
+
+ item = cert_FetchOCSPResponse(arena, fullGetPath, NULL);
+ if (!arena) {
+ PORT_Free(fullGetPath);
+ }
+ return item;
+}
+
SECItem *
CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
+ return cert_FetchOCSPResponse(arena, location, encodedRequest);
+}
+
+SECItem *
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest)
+{
const SEC_HttpClientFcn *registeredHttpClient;
SECItem *encodedResponse = NULL;
ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
CERTOCSPCertID *certID,
CERTCertificate *singleCert,
- const char *location, PRTime time,
+ const char *location,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
addServiceLocator, NULL);
if (!request)
return NULL;
- return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
- time, addServiceLocator,
+ return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+ method, time, addServiceLocator,
pwArg, pRequest);
}
item.data = buf;
item.len = SHA1_LENGTH;
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
return PR_TRUE;
}
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
return PR_TRUE;
}
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
signerCert = CERT_DupCertificate(certs[i]);
}
}
+ if (signerCert == NULL) {
+ PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
+ }
}
finish:
hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
- keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
+ keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL);
if (keyHash != NULL) {
keyHashEQ =
SECITEM_FreeItem(keyHash, PR_TRUE);
}
if (keyHashEQ &&
- (nameHash = cert_GetSubjectNameDigest(NULL, signerCert,
+ (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert,
hashAlg, NULL))) {
nameHashEQ =
(SECITEM_CompareItem(nameHash,
return PR_FALSE;
}
- keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
- nameHash = cert_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
+ keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL);
+ nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
CERT_DestroyCertificate(issuerCert);
* See if the cert represented in the single response had a good status
* at the specified time.
*/
-static SECStatus
+SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
{
SECStatus rv;
return ocsp_CertHasGoodStatus(single->certStatus, time);
}
-/* Return value SECFailure means: not found or not fresh.
+/* SECFailure means the arguments were invalid.
* On SECSuccess, the out parameters contain the OCSP status.
* rvOcsp contains the overall result of the OCSP operation.
* Depending on input parameter ignoreGlobalOcspFailureSetting,
* If the cached attempt to obtain OCSP information had resulted
* in a failure, missingResponseError shows the error code of
* that failure.
+ * cacheFreshness is ocspMissing if no entry was found,
+ * ocspFresh if a fresh entry was found, or
+ * ocspStale if a stale entry was found.
*/
SECStatus
-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
- PRTime time,
- PRBool ignoreGlobalOcspFailureSetting,
- SECStatus *rvOcsp,
- SECErrorCodes *missingResponseError)
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+ PRTime time,
+ PRBool ignoreGlobalOcspFailureSetting,
+ SECStatus *rvOcsp,
+ SECErrorCodes *missingResponseError,
+ OCSPFreshness *cacheFreshness)
{
OCSPCacheItem *cacheItem = NULL;
- SECStatus rv = SECFailure;
- if (!certID || !missingResponseError || !rvOcsp) {
+ if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
*rvOcsp = SECFailure;
*missingResponseError = 0;
+ *cacheFreshness = ocspMissing;
PR_EnterMonitor(OCSP_Global.monitor);
cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
- if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) {
+ if (cacheItem) {
+ *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
+ : ocspStale;
/* having an arena means, we have a cached certStatus */
if (cacheItem->certStatusArena) {
*rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
if (*rvOcsp != SECSuccess) {
*missingResponseError = PORT_GetError();
}
- rv = SECSuccess;
} else {
/*
* No status cached, the previous attempt failed.
* However, if OCSP is optional, a recent OCSP failure is
* an allowed good state.
*/
- if (!ignoreGlobalOcspFailureSetting &&
+ if (*cacheFreshness == ocspFresh &&
+ !ignoreGlobalOcspFailureSetting &&
OCSP_Global.ocspFailureMode ==
ocspMode_FailureIsNotAVerificationFailure) {
- rv = SECSuccess;
*rvOcsp = SECSuccess;
}
*missingResponseError = cacheItem->missingResponseError;
}
}
PR_ExitMonitor(OCSP_Global.monitor);
- return rv;
+ return SECSuccess;
}
PRBool
{
CERTOCSPCertID *certID;
PRBool certIDWasConsumed = PR_FALSE;
- SECStatus rv = SECFailure;
+ SECStatus rv;
SECStatus rvOcsp;
- SECErrorCodes dummy_error_code; /* we ignore this */
+ SECErrorCodes cachedErrorCode;
+ OCSPFreshness cachedResponseFreshness;
OCSP_TRACE_CERT(cert);
OCSP_TRACE_TIME("## requested validity time:", time);
certID = CERT_CreateOCSPCertID(cert, time);
if (!certID)
return SECFailure;
- rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+ rv = ocsp_GetCachedOCSPResponseStatus(
certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
- &rvOcsp, &dummy_error_code);
- if (rv == SECSuccess) {
+ &rvOcsp, &cachedErrorCode, &cachedResponseFreshness);
+ if (rv != SECSuccess) {
+ CERT_DestroyOCSPCertID(certID);
+ return SECFailure;
+ }
+ if (cachedResponseFreshness == ocspFresh) {
CERT_DestroyOCSPCertID(certID);
return rvOcsp;
}
- rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
+
+ rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
&certIDWasConsumed,
&rvOcsp);
if (rv != SECSuccess) {
- /* we were unable to obtain ocsp status. Check if we should
- * return cert status revoked. */
- rvOcsp = ocsp_FetchingFailureIsVerificationFailure() ?
- SECFailure : SECSuccess;
+ PRErrorCode err = PORT_GetError();
+ if (ocsp_FetchingFailureIsVerificationFailure()) {
+ PORT_SetError(err);
+ rvOcsp = SECFailure;
+ } else if (cachedResponseFreshness == ocspStale &&
+ (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+ cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+ /* If we couldn't get a response for a certificate that the OCSP
+ * responder previously told us was bad, then assume it is still
+ * bad until we hear otherwise, as it is very unlikely that the
+ * certificate status has changed from "revoked" to "good" and it
+ * is also unlikely that the certificate status has changed from
+ * "unknown" to "good", except for some buggy OCSP responders.
+ */
+ PORT_SetError(cachedErrorCode);
+ rvOcsp = SECFailure;
+ } else {
+ rvOcsp = SECSuccess;
+ }
}
if (!certIDWasConsumed) {
CERT_DestroyOCSPCertID(certID);
CERTOCSPCertID *certID = NULL;
PRBool certIDWasConsumed = PR_FALSE;
SECStatus rv = SECFailure;
- SECStatus rvOcsp;
+ SECStatus rvOcsp = SECFailure;
SECErrorCodes dummy_error_code; /* we ignore this */
+ CERTOCSPResponse *decodedResponse = NULL;
+ CERTOCSPSingleResponse *singleResponse = NULL;
+ OCSPFreshness freshness;
/* The OCSP cache can be in three states regarding this certificate:
* + Good (cached, timely, 'good' response, or revoked in the future)
* side channel.
*/
- if (!cert) {
+ if (!cert || !encodedResponse) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
certID = CERT_CreateOCSPCertID(cert, time);
if (!certID)
return SECFailure;
- rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
- certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
- &rvOcsp, &dummy_error_code);
- if (rv == SECSuccess && rvOcsp == SECSuccess) {
+
+ /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
+ * error entry is not interpreted as being a 'Good' entry here.
+ */
+ rv = ocsp_GetCachedOCSPResponseStatus(
+ certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
+ &rvOcsp, &dummy_error_code, &freshness);
+ if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
/* The cached value is good. We don't want to waste time validating
* this OCSP response. This is the first column in the table above. */
CERT_DestroyOCSPCertID(certID);
}
/* The logic for caching the more recent response is handled in
- * ocsp_CreateOrUpdateCacheEntry, which is called by this function. */
- rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time,
- pwArg, encodedResponse,
- PR_FALSE /* don't cache if invalid */,
- &certIDWasConsumed,
- &rvOcsp);
+ * ocsp_CacheSingleResponse. */
+
+ rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
+ if (rv == SECSuccess) {
+ rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ /* Cache any valid singleResponse, regardless of status. */
+ ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
+ }
+ if (decodedResponse) {
+ CERT_DestroyOCSPResponse(decodedResponse);
+ }
if (!certIDWasConsumed) {
CERT_DestroyOCSPCertID(certID);
}
CERTOCSPRequest *request = NULL;
SECStatus rv = SECFailure;
+ CERTOCSPResponse *decodedResponse = NULL;
+ CERTOCSPSingleResponse *singleResponse = NULL;
+ enum { stageGET, stagePOST } currentStage;
+ PRBool retry = PR_FALSE;
+
if (!certIDWasConsumed || !rv_ocsp) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
*certIDWasConsumed = PR_FALSE;
*rv_ocsp = SECFailure;
+ if (!OCSP_Global.monitor) {
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
+ }
+ PR_EnterMonitor(OCSP_Global.monitor);
+ if (OCSP_Global.forcePost) {
+ currentStage = stagePOST;
+ } else {
+ currentStage = stageGET;
+ }
+ PR_ExitMonitor(OCSP_Global.monitor);
+
/*
* The first thing we need to do is find the location of the responder.
* This will be the value of the default responder (if enabled), else
* should be passed into this function or retrieved via some operation
* on the handle/context.
*/
- encodedResponse =
- ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, location,
- time, locationIsDefault,
- pwArg, &request);
- if (encodedResponse == NULL) {
- goto loser;
- }
- rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
- encodedResponse,
- PR_TRUE /* cache if invalid */,
- certIDWasConsumed, rv_ocsp);
+ do {
+ const char *method;
+ PRBool validResponseWithAccurateInfo = PR_FALSE;
+ retry = PR_FALSE;
+ *rv_ocsp = SECFailure;
-loser:
- if (request != NULL)
- CERT_DestroyOCSPRequest(request);
- if (encodedResponse != NULL)
- SECITEM_FreeItem(encodedResponse, PR_TRUE);
- if (location != NULL)
- PORT_Free(location);
+ if (currentStage == stageGET) {
+ method = "GET";
+ } else {
+ PORT_Assert(currentStage == stagePOST);
+ method = "POST";
+ }
+ encodedResponse =
+ ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
+ location, method,
+ time, locationIsDefault,
+ pwArg, &request);
+
+ if (encodedResponse) {
+ rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
+ if (rv == SECSuccess) {
+ switch (singleResponse->certStatus->certStatusType) {
+ case ocspCertStatus_good:
+ case ocspCertStatus_revoked:
+ validResponseWithAccurateInfo = PR_TRUE;
+ break;
+ default:
+ break;
+ }
+ *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ }
+ }
+
+ if (currentStage == stageGET) {
+ /* only accept GET response if good or revoked */
+ if (validResponseWithAccurateInfo) {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ } else {
+ retry = PR_TRUE;
+ currentStage = stagePOST;
+ }
+ } else {
+ /* cache the POST respone, regardless of status */
+ if (!singleResponse) {
+ cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
+ } else {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ }
+ }
+
+ if (encodedResponse) {
+ SECITEM_FreeItem(encodedResponse, PR_TRUE);
+ encodedResponse = NULL;
+ }
+ if (request) {
+ CERT_DestroyOCSPRequest(request);
+ request = NULL;
+ }
+ if (decodedResponse) {
+ CERT_DestroyOCSPResponse(decodedResponse);
+ decodedResponse = NULL;
+ }
+ singleResponse = NULL;
+
+ } while (retry);
+
+ PORT_Free(location);
return rv;
}
/*
- * FUNCTION: ocsp_CacheEncodedOCSPResponse
+ * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID
* This function decodes an OCSP response and checks for a valid response
- * concerning the given certificate. If such a response is not found
- * then nothing is cached. Otherwise, if it is a good response, or if
- * cacheNegative is true, the results are stored in the OCSP cache.
+ * concerning the given certificate.
*
* Note: a 'valid' response is one that parses successfully, is not an OCSP
* exception (see RFC 2560 Section 2.3), is correctly signed and is current.
* the opaque argument to the password prompting function.
* SECItem *encodedResponse
* the DER encoded bytes of the OCSP response
- * PRBool cacheInvalid
- * If true then invalid responses will cause a negative cache entry to be
- * created. (Invalid means bad syntax, bad signature etc)
- * PRBool *certIDWasConsumed
- * (output) on return, this is true iff |certID| was consumed by this
- * function.
- * SECStatus *rv_ocsp
- * (output) on return, this is SECSuccess iff the response is good (see
- * definition of 'good' above).
+ * CERTOCSPResponse **pDecodedResponse
+ * (output) The caller must ALWAYS check for this output parameter,
+ * and if it's non-null, must destroy it using CERT_DestroyOCSPResponse.
+ * CERTOCSPSingleResponse **pSingle
+ * (output) on success, this points to the single response that corresponds
+ * to the certID parameter. Points to the inside of pDecodedResponse.
+ * It isn't a copy, don't free it.
* RETURN:
* SECSuccess iff the response is valid.
*/
static SECStatus
-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- PRBool cacheInvalid,
- PRBool *certIDWasConsumed,
- SECStatus *rv_ocsp)
+ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle)
{
- CERTOCSPResponse *response = NULL;
CERTCertificate *signerCert = NULL;
CERTCertificate *issuerCert = NULL;
- CERTOCSPSingleResponse *single = NULL;
SECStatus rv = SECFailure;
- *certIDWasConsumed = PR_FALSE;
- *rv_ocsp = SECFailure;
-
- response = CERT_DecodeOCSPResponse(encodedResponse);
- if (response == NULL) {
- goto loser;
+ if (!pSingle || !pDecodedResponse) {
+ return SECFailure;
+ }
+ *pSingle = NULL;
+ *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse);
+ if (!*pDecodedResponse) {
+ return SECFailure;
}
/*
* Otherwise, we continue to find the actual per-cert status
* in the response.
*/
- if (CERT_GetOCSPResponseStatus(response) != SECSuccess) {
+ if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) {
goto loser;
}
* So, check for that.
*/
issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
- rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
- issuerCert);
- if (rv != SECSuccess)
+ rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg,
+ &signerCert, issuerCert);
+ if (rv != SECSuccess) {
goto loser;
+ }
PORT_Assert(signerCert != NULL); /* internal consistency check */
/* XXX probably should set error, return failure if signerCert is null */
-
/*
* Again, we are only doing one request for one cert.
* XXX When we handle cert chains, the following code will obviously
* have to be modified, in coordation with the code above that will
* have to determine how to make multiple requests, etc.
*/
-
- rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,
- signerCert, time, &single);
- if (rv != SECSuccess)
- goto loser;
-
- *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(single, time);
-
+ rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID,
+ signerCert, time, pSingle);
loser:
- /* If single == NULL here then the response was invalid. */
- if (single != NULL || cacheInvalid) {
+ if (issuerCert != NULL)
+ CERT_DestroyCertificate(issuerCert);
+ if (signerCert != NULL)
+ CERT_DestroyCertificate(signerCert);
+ return rv;
+}
+
+/*
+ * FUNCTION: ocsp_CacheSingleResponse
+ * This function requires that the caller has checked that the response
+ * is valid and verified.
+ * The (positive or negative) valid response will be used to update the cache.
+ * INPUTS:
+ * CERTOCSPCertID *certID
+ * the cert ID corresponding to |cert|
+ * PRBool *certIDWasConsumed
+ * (output) on return, this is true iff |certID| was consumed by this
+ * function.
+ */
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed)
+{
+ if (single != NULL) {
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.maxCacheEntries >= 0) {
- /* single == NULL means: remember response failure */
ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
certIDWasConsumed);
/* ignore cache update failures */
}
PR_ExitMonitor(OCSP_Global.monitor);
}
-
- /* 'single' points within the response so there's no need to free it. */
-
- if (issuerCert != NULL)
- CERT_DestroyCertificate(issuerCert);
- if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
- if (response != NULL)
- CERT_DestroyOCSPResponse(response);
- return rv;
}
-static SECStatus
+SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
CERTOCSPResponse *response,
CERTOCSPCertID *certID,
return SECSuccess;
}
+SECStatus
+CERT_ForcePostMethodForOCSP(PRBool forcePost)
+{
+ if (!OCSP_Global.monitor) {
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
+ }
+
+ PR_EnterMonitor(OCSP_Global.monitor);
+ OCSP_Global.forcePost = forcePost;
+ PR_ExitMonitor(OCSP_Global.monitor);
+
+ return SECSuccess;
+}
SECStatus
CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
extern SECStatus
CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
+/* If forcePost is set, OCSP requests will only be sent using the HTTP POST
+ * method. When forcePost is not set, OCSP requests will be sent using the
+ * HTTP GET method, with a fallback to POST when we fail to receive a response
+ * and/or when we receive an uncacheable response like "Unknown."
+ *
+ * The default is to use GET and fallback to POST.
+ */
+extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
+
/*
* -------------------------------------------------------
* The Functions above are those expected to be used by a client
PRBool addServiceLocator,
CERTCertificate *signerCert);
+typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
+
SECStatus
-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
- PRTime time,
- PRBool ignoreOcspFailureMode,
- SECStatus *rvOcsp,
- SECErrorCodes *missingResponseError);
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+ PRTime time,
+ PRBool ignoreOcspFailureMode,
+ SECStatus *rvOcsp,
+ SECErrorCodes *missingResponseError,
+ OCSPFreshness *freshness);
/*
* FUNCTION: cert_ProcessOCSPResponse
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);
+size_t
+ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
+
+SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ CERTOCSPSingleResponse **pSingleResponse);
+
+SECStatus
+ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
+
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed);
+
#endif /* _OCSPI_H_ */
}
else {
responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
- if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
- &rid->responderIDValue.keyHash))
+ if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
+ SEC_OID_SHA1, &rid->responderIDValue.keyHash))
goto done;
}
/* match a decoded serial number */
if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
int len;
- unsigned char *data;
+ unsigned char *data = NULL;
len = builtins_derUnwrapInt(b->data,b->size,&data);
- if ((len == a->ulValueLen) &&
- nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+ if (data &&
+ (len == a->ulValueLen) &&
+ nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
return CK_TRUE;
}
}
#
# Certificate "GTE CyberTrust Global Root"
#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GTE CyberTrust Global Root"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Thawte Server CA"
#
+# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Serial Number: 1 (0x1)
+# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Not Valid Before: Thu Aug 01 00:00:00 1996
+# Not Valid After : Thu Dec 31 23:59:59 2020
+# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
+# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Thawte Server CA"
+# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Serial Number: 1 (0x1)
+# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Not Valid Before: Thu Aug 01 00:00:00 1996
+# Not Valid After : Thu Dec 31 23:59:59 2020
+# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
+# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Thawte Premium Server CA"
#
+# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Serial Number: 1 (0x1)
+# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Not Valid Before: Thu Aug 01 00:00:00 1996
+# Not Valid After : Thu Dec 31 23:59:59 2020
+# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
+# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Thawte Premium Server CA"
+# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Serial Number: 1 (0x1)
+# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
+# Not Valid Before: Thu Aug 01 00:00:00 1996
+# Not Valid After : Thu Dec 31 23:59:59 2020
+# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
+# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Equifax Secure CA"
#
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 903804111 (0x35def4cf)
+# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Not Valid Before: Sat Aug 22 16:41:51 1998
+# Not Valid After : Wed Aug 22 16:41:51 2018
+# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
+# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Equifax Secure CA"
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 903804111 (0x35def4cf)
+# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Not Valid Before: Sat Aug 22 16:41:51 1998
+# Not Valid After : Wed Aug 22 16:41:51 2018
+# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
+# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Digital Signature Trust Co. Global CA 1"
#
+# Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
+# Serial Number: 913315222 (0x36701596)
+# Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
+# Not Valid Before: Thu Dec 10 18:10:23 1998
+# Not Valid After : Mon Dec 10 18:40:23 2018
+# Fingerprint (MD5): 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
+# Fingerprint (SHA1): 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Digital Signature Trust Co. Global CA 1"
+# Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
+# Serial Number: 913315222 (0x36701596)
+# Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
+# Not Valid Before: Thu Dec 10 18:10:23 1998
+# Not Valid After : Mon Dec 10 18:40:23 2018
+# Fingerprint (MD5): 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
+# Fingerprint (SHA1): 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Digital Signature Trust Co. Global CA 3"
#
+# Issuer: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
+# Serial Number: 913232846 (0x366ed3ce)
+# Subject: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
+# Not Valid Before: Wed Dec 09 19:17:26 1998
+# Not Valid After : Sun Dec 09 19:47:26 2018
+# Fingerprint (MD5): 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
+# Fingerprint (SHA1): AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Digital Signature Trust Co. Global CA 3"
+# Issuer: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
+# Serial Number: 913232846 (0x366ed3ce)
+# Subject: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
+# Not Valid Before: Wed Dec 09 19:17:26 1998
+# Not Valid After : Sun Dec 09 19:47:26 2018
+# Fingerprint (MD5): 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
+# Fingerprint (SHA1): AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 3 Public Primary Certification Authority"
#
+# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
+# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
+# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
+# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
+# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
+# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
#
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:4c:c7:ea:aa:98:3e:71:d3:93:10:f8:3d:3a:89:91:92
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
+# Fingerprint (SHA1): 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:4c:c7:ea:aa:98:3e:71:d3:93:10:f8:3d:3a:89:91:92
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
+# Fingerprint (SHA1): 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
#
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
+# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
+# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
#
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
+# Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
+# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
+# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon May 18 00:00:00 1998
+# Not Valid After : Tue Aug 01 23:59:59 2028
+# Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
+# Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GlobalSign Root CA"
#
+# Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+# Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
+# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+# Not Valid Before: Tue Sep 01 12:00:00 1998
+# Not Valid After : Fri Jan 28 12:00:00 2028
+# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
+# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GlobalSign Root CA"
+# Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+# Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
+# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+# Not Valid Before: Tue Sep 01 12:00:00 1998
+# Not Valid After : Fri Jan 28 12:00:00 2028
+# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
+# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GlobalSign Root CA - R2"
#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+# Not Valid Before: Fri Dec 15 08:00:00 2006
+# Not Valid After : Wed Dec 15 08:00:00 2021
+# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
+# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GlobalSign Root CA - R2"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+# Not Valid Before: Fri Dec 15 08:00:00 2006
+# Not Valid After : Wed Dec 15 08:00:00 2021
+# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
+# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ValiCert Class 1 VA"
#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ValiCert Class 1 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ValiCert Class 2 VA"
#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ValiCert Class 2 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "RSA Root Certificate 1"
#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "RSA Root Certificate 1"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
#
+# Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
+# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+# Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
+# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
#
+# Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
+# Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
+# Fingerprint (SHA1): 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+# Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
+# Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
+# Fingerprint (SHA1): 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
#
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
+# Fingerprint (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
+# Fingerprint (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
#
+# Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
+# Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
+# Fingerprint (SHA1): C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
+# Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
+# Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Fri Oct 01 00:00:00 1999
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
+# Fingerprint (SHA1): C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Entrust.net Secure Server CA"
#
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Entrust.net Secure Server CA"
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Baltimore CyberTrust Root"
#
+# Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+# Serial Number: 33554617 (0x20000b9)
+# Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+# Not Valid Before: Fri May 12 18:46:00 2000
+# Not Valid After : Mon May 12 23:59:00 2025
+# Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
+# Fingerprint (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Baltimore CyberTrust Root"
+# Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+# Serial Number: 33554617 (0x20000b9)
+# Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+# Not Valid Before: Fri May 12 18:46:00 2000
+# Not Valid After : Mon May 12 23:59:00 2025
+# Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
+# Fingerprint (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Equifax Secure Global eBusiness CA"
#
+# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Not Valid Before: Mon Jun 21 04:00:00 1999
+# Not Valid After : Sun Jun 21 04:00:00 2020
+# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
+# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Equifax Secure Global eBusiness CA"
+# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Not Valid Before: Mon Jun 21 04:00:00 1999
+# Not Valid After : Sun Jun 21 04:00:00 2020
+# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
+# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Equifax Secure eBusiness CA 1"
#
+# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 4 (0x4)
+# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Not Valid Before: Mon Jun 21 04:00:00 1999
+# Not Valid After : Sun Jun 21 04:00:00 2020
+# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
+# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Equifax Secure eBusiness CA 1"
+# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 4 (0x4)
+# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Not Valid Before: Mon Jun 21 04:00:00 1999
+# Not Valid After : Sun Jun 21 04:00:00 2020
+# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
+# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AddTrust Low-Value Services Root"
#
+# Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:38:31 2000
+# Not Valid After : Sat May 30 10:38:31 2020
+# Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
+# Fingerprint (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AddTrust Low-Value Services Root"
+# Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:38:31 2000
+# Not Valid After : Sat May 30 10:38:31 2020
+# Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
+# Fingerprint (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AddTrust External Root"
#
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:48:38 2000
+# Not Valid After : Sat May 30 10:48:38 2020
+# Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
+# Fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AddTrust External Root"
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:48:38 2000
+# Not Valid After : Sat May 30 10:48:38 2020
+# Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
+# Fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AddTrust Public Services Root"
#
+# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:41:50 2000
+# Not Valid After : Sat May 30 10:41:50 2020
+# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
+# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AddTrust Public Services Root"
+# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:41:50 2000
+# Not Valid After : Sat May 30 10:41:50 2020
+# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
+# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AddTrust Qualified Certificates Root"
#
+# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:44:50 2000
+# Not Valid After : Sat May 30 10:44:50 2020
+# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
+# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AddTrust Qualified Certificates Root"
+# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Serial Number: 1 (0x1)
+# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+# Not Valid Before: Tue May 30 10:44:50 2000
+# Not Valid After : Sat May 30 10:44:50 2020
+# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
+# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Entrust Root Certification Authority"
#
+# Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+# Serial Number: 1164660820 (0x456b5054)
+# Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+# Not Valid Before: Mon Nov 27 20:23:42 2006
+# Not Valid After : Fri Nov 27 20:53:42 2026
+# Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
+# Fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Entrust Root Certification Authority"
+# Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+# Serial Number: 1164660820 (0x456b5054)
+# Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+# Not Valid Before: Mon Nov 27 20:23:42 2006
+# Not Valid After : Fri Nov 27 20:53:42 2026
+# Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
+# Fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "RSA Security 2048 v3"
#
+# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
+# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Not Valid Before: Thu Feb 22 20:39:23 2001
+# Not Valid After : Sun Feb 22 20:39:23 2026
+# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
+# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "RSA Security 2048 v3"
+# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
+# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Not Valid Before: Thu Feb 22 20:39:23 2001
+# Not Valid After : Sun Feb 22 20:39:23 2026
+# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
+# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Global CA"
#
+# Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+# Serial Number: 144470 (0x23456)
+# Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+# Not Valid Before: Tue May 21 04:00:00 2002
+# Not Valid After : Sat May 21 04:00:00 2022
+# Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
+# Fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Global CA"
+# Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+# Serial Number: 144470 (0x23456)
+# Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+# Not Valid Before: Tue May 21 04:00:00 2002
+# Not Valid After : Sat May 21 04:00:00 2022
+# Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
+# Fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Global CA 2"
#
+# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Mon Mar 04 05:00:00 2019
+# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
+# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Global CA 2"
+# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Mon Mar 04 05:00:00 2019
+# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
+# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Universal CA"
#
+# Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Sun Mar 04 05:00:00 2029
+# Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
+# Fingerprint (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Universal CA"
+# Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Sun Mar 04 05:00:00 2029
+# Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
+# Fingerprint (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Universal CA 2"
#
+# Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Sun Mar 04 05:00:00 2029
+# Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
+# Fingerprint (SHA1): 37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Universal CA 2"
+# Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+# Not Valid Before: Thu Mar 04 05:00:00 2004
+# Not Valid After : Sun Mar 04 05:00:00 2029
+# Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
+# Fingerprint (SHA1): 37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "UTN-USER First-Network Applications"
#
+# Issuer: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:30:4b:c0:33:77
+# Subject: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:48:39 1999
+# Not Valid After : Tue Jul 09 18:57:49 2019
+# Fingerprint (MD5): BF:60:59:A3:5B:BA:F6:A7:76:42:DA:6F:1A:7B:50:CF
+# Fingerprint (SHA1): 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "UTN-USER First-Network Applications"
+# Issuer: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:30:4b:c0:33:77
+# Subject: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:48:39 1999
+# Not Valid After : Tue Jul 09 18:57:49 2019
+# Fingerprint (MD5): BF:60:59:A3:5B:BA:F6:A7:76:42:DA:6F:1A:7B:50:CF
+# Fingerprint (SHA1): 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "America Online Root Certification Authority 1"
#
+# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
+# Not Valid Before: Tue May 28 06:00:00 2002
+# Not Valid After : Thu Nov 19 20:43:00 2037
+# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
+# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "America Online Root Certification Authority 1"
+# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
+# Not Valid Before: Tue May 28 06:00:00 2002
+# Not Valid After : Thu Nov 19 20:43:00 2037
+# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
+# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "America Online Root Certification Authority 2"
#
+# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
+# Not Valid Before: Tue May 28 06:00:00 2002
+# Not Valid After : Tue Sep 29 14:08:00 2037
+# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
+# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "America Online Root Certification Authority 2"
+# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
+# Not Valid Before: Tue May 28 06:00:00 2002
+# Not Valid After : Tue Sep 29 14:08:00 2037
+# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
+# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Visa eCommerce Root"
#
+# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
+# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+# Not Valid Before: Wed Jun 26 02:18:36 2002
+# Not Valid After : Fri Jun 24 00:16:12 2022
+# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
+# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Visa eCommerce Root"
+# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
+# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+# Not Valid Before: Wed Jun 26 02:18:36 2002
+# Not Valid After : Fri Jun 24 00:16:12 2022
+# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
+# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Certum Root CA"
#
+# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+# Serial Number: 65568 (0x10020)
+# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+# Not Valid Before: Tue Jun 11 10:46:39 2002
+# Not Valid After : Fri Jun 11 10:46:39 2027
+# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
+# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Certum Root CA"
+# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+# Serial Number: 65568 (0x10020)
+# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+# Not Valid Before: Tue Jun 11 10:46:39 2002
+# Not Valid After : Fri Jun 11 10:46:39 2027
+# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
+# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Comodo AAA Services root"
#
+# Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
+# Fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Comodo AAA Services root"
+# Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
+# Fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Comodo Secure Services root"
#
+# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
+# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Comodo Secure Services root"
+# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
+# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Comodo Trusted Services root"
#
+# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
+# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Comodo Trusted Services root"
+# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number: 1 (0x1)
+# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Jan 01 00:00:00 2004
+# Not Valid After : Sun Dec 31 23:59:59 2028
+# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
+# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "QuoVadis Root CA"
#
+# Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+# Serial Number: 985026699 (0x3ab6508b)
+# Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+# Not Valid Before: Mon Mar 19 18:33:33 2001
+# Not Valid After : Wed Mar 17 18:33:33 2021
+# Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
+# Fingerprint (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "QuoVadis Root CA"
+# Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+# Serial Number: 985026699 (0x3ab6508b)
+# Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+# Not Valid Before: Mon Mar 19 18:33:33 2001
+# Not Valid After : Wed Mar 17 18:33:33 2021
+# Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
+# Fingerprint (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "QuoVadis Root CA 2"
#
+# Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+# Serial Number: 1289 (0x509)
+# Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+# Not Valid Before: Fri Nov 24 18:27:00 2006
+# Not Valid After : Mon Nov 24 18:23:33 2031
+# Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
+# Fingerprint (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "QuoVadis Root CA 2"
+# Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+# Serial Number: 1289 (0x509)
+# Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+# Not Valid Before: Fri Nov 24 18:27:00 2006
+# Not Valid After : Mon Nov 24 18:23:33 2031
+# Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
+# Fingerprint (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "QuoVadis Root CA 3"
#
+# Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+# Serial Number: 1478 (0x5c6)
+# Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+# Not Valid Before: Fri Nov 24 19:11:23 2006
+# Not Valid After : Mon Nov 24 19:06:44 2031
+# Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
+# Fingerprint (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "QuoVadis Root CA 3"
+# Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+# Serial Number: 1478 (0x5c6)
+# Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+# Not Valid Before: Fri Nov 24 19:11:23 2006
+# Not Valid After : Mon Nov 24 19:06:44 2031
+# Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
+# Fingerprint (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Security Communication Root CA"
#
+# Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+# Not Valid Before: Tue Sep 30 04:20:49 2003
+# Not Valid After : Sat Sep 30 04:20:49 2023
+# Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
+# Fingerprint (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Security Communication Root CA"
+# Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+# Not Valid Before: Tue Sep 30 04:20:49 2003
+# Not Valid After : Sat Sep 30 04:20:49 2023
+# Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
+# Fingerprint (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Sonera Class 1 Root CA"
#
+# Issuer: CN=Sonera Class1 CA,O=Sonera,C=FI
+# Serial Number: 36 (0x24)
+# Subject: CN=Sonera Class1 CA,O=Sonera,C=FI
+# Not Valid Before: Fri Apr 06 10:49:13 2001
+# Not Valid After : Tue Apr 06 10:49:13 2021
+# Fingerprint (MD5): 33:B7:84:F5:5F:27:D7:68:27:DE:14:DE:12:2A:ED:6F
+# Fingerprint (SHA1): 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Sonera Class 1 Root CA"
+# Issuer: CN=Sonera Class1 CA,O=Sonera,C=FI
+# Serial Number: 36 (0x24)
+# Subject: CN=Sonera Class1 CA,O=Sonera,C=FI
+# Not Valid Before: Fri Apr 06 10:49:13 2001
+# Not Valid After : Tue Apr 06 10:49:13 2021
+# Fingerprint (MD5): 33:B7:84:F5:5F:27:D7:68:27:DE:14:DE:12:2A:ED:6F
+# Fingerprint (SHA1): 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Sonera Class 2 Root CA"
#
+# Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
+# Serial Number: 29 (0x1d)
+# Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
+# Not Valid Before: Fri Apr 06 07:29:40 2001
+# Not Valid After : Tue Apr 06 07:29:40 2021
+# Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
+# Fingerprint (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Sonera Class 2 Root CA"
+# Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
+# Serial Number: 29 (0x1d)
+# Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
+# Not Valid Before: Fri Apr 06 07:29:40 2001
+# Not Valid After : Tue Apr 06 07:29:40 2021
+# Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
+# Fingerprint (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Staat der Nederlanden Root CA"
#
+# Issuer: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000010 (0x98968a)
+# Subject: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Tue Dec 17 09:23:49 2002
+# Not Valid After : Wed Dec 16 09:15:38 2015
+# Fingerprint (MD5): 60:84:7C:5A:CE:DB:0C:D4:CB:A7:E9:FE:02:C6:A9:C0
+# Fingerprint (SHA1): 10:1D:FA:3F:D5:0B:CB:BB:9B:B5:60:0C:19:55:A4:1A:F4:73:3A:04
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Staat der Nederlanden Root CA"
+# Issuer: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000010 (0x98968a)
+# Subject: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Tue Dec 17 09:23:49 2002
+# Not Valid After : Wed Dec 16 09:15:38 2015
+# Fingerprint (MD5): 60:84:7C:5A:CE:DB:0C:D4:CB:A7:E9:FE:02:C6:A9:C0
+# Fingerprint (SHA1): 10:1D:FA:3F:D5:0B:CB:BB:9B:B5:60:0C:19:55:A4:1A:F4:73:3A:04
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TDC Internet Root CA"
#
+# Issuer: OU=TDC Internet Root CA,O=TDC Internet,C=DK
+# Serial Number: 986490188 (0x3acca54c)
+# Subject: OU=TDC Internet Root CA,O=TDC Internet,C=DK
+# Not Valid Before: Thu Apr 05 16:33:17 2001
+# Not Valid After : Mon Apr 05 17:03:17 2021
+# Fingerprint (MD5): 91:F4:03:55:20:A1:F8:63:2C:62:DE:AC:FB:61:1C:8E
+# Fingerprint (SHA1): 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TDC Internet Root CA"
+# Issuer: OU=TDC Internet Root CA,O=TDC Internet,C=DK
+# Serial Number: 986490188 (0x3acca54c)
+# Subject: OU=TDC Internet Root CA,O=TDC Internet,C=DK
+# Not Valid Before: Thu Apr 05 16:33:17 2001
+# Not Valid After : Mon Apr 05 17:03:17 2021
+# Fingerprint (MD5): 91:F4:03:55:20:A1:F8:63:2C:62:DE:AC:FB:61:1C:8E
+# Fingerprint (SHA1): 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TDC OCES Root CA"
#
+# Issuer: CN=TDC OCES CA,O=TDC,C=DK
+# Serial Number: 1044954564 (0x3e48bdc4)
+# Subject: CN=TDC OCES CA,O=TDC,C=DK
+# Not Valid Before: Tue Feb 11 08:39:30 2003
+# Not Valid After : Wed Feb 11 09:09:30 2037
+# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
+# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TDC OCES Root CA"
+# Issuer: CN=TDC OCES CA,O=TDC,C=DK
+# Serial Number: 1044954564 (0x3e48bdc4)
+# Subject: CN=TDC OCES CA,O=TDC,C=DK
+# Not Valid Before: Tue Feb 11 08:39:30 2003
+# Not Valid After : Wed Feb 11 09:09:30 2037
+# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
+# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "UTN DATACorp SGC Root CA"
#
+# Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
+# Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Thu Jun 24 18:57:21 1999
+# Not Valid After : Mon Jun 24 19:06:30 2019
+# Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
+# Fingerprint (SHA1): 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "UTN DATACorp SGC Root CA"
+# Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
+# Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Thu Jun 24 18:57:21 1999
+# Not Valid After : Mon Jun 24 19:06:30 2019
+# Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
+# Fingerprint (SHA1): 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "UTN USERFirst Email Root CA"
#
+# Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
+# Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 17:28:50 1999
+# Not Valid After : Tue Jul 09 17:36:58 2019
+# Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
+# Fingerprint (SHA1): B1:72:B1:A5:6D:95:F9:1F:E5:02:87:E1:4D:37:EA:6A:44:63:76:8A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "UTN USERFirst Email Root CA"
+# Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
+# Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 17:28:50 1999
+# Not Valid After : Tue Jul 09 17:36:58 2019
+# Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
+# Fingerprint (SHA1): B1:72:B1:A5:6D:95:F9:1F:E5:02:87:E1:4D:37:EA:6A:44:63:76:8A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "UTN USERFirst Hardware Root CA"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
+# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:10:42 1999
+# Not Valid After : Tue Jul 09 18:19:22 2019
+# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
+# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "UTN USERFirst Hardware Root CA"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
+# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:10:42 1999
+# Not Valid After : Tue Jul 09 18:19:22 2019
+# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
+# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "UTN USERFirst Object Root CA"
#
+# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
+# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:31:20 1999
+# Not Valid After : Tue Jul 09 18:40:36 2019
+# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
+# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "UTN USERFirst Object Root CA"
+# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
+# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Fri Jul 09 18:31:20 1999
+# Not Valid After : Tue Jul 09 18:40:36 2019
+# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
+# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Camerfirma Chambers of Commerce Root"
#
+# Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Serial Number: 0 (0x0)
+# Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Not Valid Before: Tue Sep 30 16:13:43 2003
+# Not Valid After : Wed Sep 30 16:13:44 2037
+# Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
+# Fingerprint (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Camerfirma Chambers of Commerce Root"
+# Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Serial Number: 0 (0x0)
+# Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Not Valid Before: Tue Sep 30 16:13:43 2003
+# Not Valid After : Wed Sep 30 16:13:44 2037
+# Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
+# Fingerprint (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Camerfirma Global Chambersign Root"
#
+# Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Serial Number: 0 (0x0)
+# Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Not Valid Before: Tue Sep 30 16:14:18 2003
+# Not Valid After : Wed Sep 30 16:14:18 2037
+# Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
+# Fingerprint (SHA1): 33:9B:6B:14:50:24:9B:55:7A:01:87:72:84:D9:E0:2F:C3:D2:D8:E9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Camerfirma Global Chambersign Root"
+# Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Serial Number: 0 (0x0)
+# Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+# Not Valid Before: Tue Sep 30 16:14:18 2003
+# Not Valid After : Wed Sep 30 16:14:18 2037
+# Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
+# Fingerprint (SHA1): 33:9B:6B:14:50:24:9B:55:7A:01:87:72:84:D9:E0:2F:C3:D2:D8:E9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "NetLock Qualified (Class QA) Root"
#
+# Issuer: E=info@netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 123 (0x7b)
+# Subject: E=info@netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Sun Mar 30 01:47:11 2003
+# Not Valid After : Thu Dec 15 01:47:11 2022
+# Fingerprint (MD5): D4:80:65:68:24:F9:89:22:28:DB:F5:A4:9A:17:8F:14
+# Fingerprint (SHA1): 01:68:97:E1:A0:B8:F2:C3:B1:34:66:5C:20:A7:27:B7:A1:58:E2:8F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "NetLock Qualified (Class QA) Root"
+# Issuer: E=info@netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 123 (0x7b)
+# Subject: E=info@netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Sun Mar 30 01:47:11 2003
+# Not Valid After : Thu Dec 15 01:47:11 2022
+# Fingerprint (MD5): D4:80:65:68:24:F9:89:22:28:DB:F5:A4:9A:17:8F:14
+# Fingerprint (SHA1): 01:68:97:E1:A0:B8:F2:C3:B1:34:66:5C:20:A7:27:B7:A1:58:E2:8F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "NetLock Notary (Class A) Root"
#
+# Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
+# Serial Number: 259 (0x103)
+# Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
+# Not Valid Before: Wed Feb 24 23:14:47 1999
+# Not Valid After : Tue Feb 19 23:14:47 2019
+# Fingerprint (MD5): 86:38:6D:5E:49:63:6C:85:5C:DB:6D:DC:94:B7:D0:F7
+# Fingerprint (SHA1): AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "NetLock Notary (Class A) Root"
+# Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
+# Serial Number: 259 (0x103)
+# Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
+# Not Valid Before: Wed Feb 24 23:14:47 1999
+# Not Valid After : Tue Feb 19 23:14:47 2019
+# Fingerprint (MD5): 86:38:6D:5E:49:63:6C:85:5C:DB:6D:DC:94:B7:D0:F7
+# Fingerprint (SHA1): AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "NetLock Business (Class B) Root"
#
+# Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 105 (0x69)
+# Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Feb 25 14:10:22 1999
+# Not Valid After : Wed Feb 20 14:10:22 2019
+# Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
+# Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "NetLock Business (Class B) Root"
+# Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 105 (0x69)
+# Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Feb 25 14:10:22 1999
+# Not Valid After : Wed Feb 20 14:10:22 2019
+# Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
+# Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "NetLock Express (Class C) Root"
#
+# Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 104 (0x68)
+# Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Feb 25 14:08:11 1999
+# Not Valid After : Wed Feb 20 14:08:11 2019
+# Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
+# Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "NetLock Express (Class C) Root"
+# Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Serial Number: 104 (0x68)
+# Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Feb 25 14:08:11 1999
+# Not Valid After : Wed Feb 20 14:08:11 2019
+# Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
+# Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "XRamp Global CA Root"
#
+# Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+# Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
+# Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+# Not Valid Before: Mon Nov 01 17:14:04 2004
+# Not Valid After : Mon Jan 01 05:37:19 2035
+# Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
+# Fingerprint (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "XRamp Global CA Root"
+# Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+# Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
+# Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+# Not Valid Before: Mon Nov 01 17:14:04 2004
+# Not Valid After : Mon Jan 01 05:37:19 2035
+# Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
+# Fingerprint (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Go Daddy Class 2 CA"
#
+# Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+# Serial Number: 0 (0x0)
+# Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+# Not Valid Before: Tue Jun 29 17:06:20 2004
+# Not Valid After : Thu Jun 29 17:06:20 2034
+# Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
+# Fingerprint (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Go Daddy Class 2 CA"
+# Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+# Serial Number: 0 (0x0)
+# Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+# Not Valid Before: Tue Jun 29 17:06:20 2004
+# Not Valid After : Thu Jun 29 17:06:20 2034
+# Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
+# Fingerprint (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Starfield Class 2 CA"
#
+# Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+# Serial Number: 0 (0x0)
+# Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+# Not Valid Before: Tue Jun 29 17:39:16 2004
+# Not Valid After : Thu Jun 29 17:39:16 2034
+# Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
+# Fingerprint (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Starfield Class 2 CA"
+# Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+# Serial Number: 0 (0x0)
+# Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+# Not Valid Before: Tue Jun 29 17:39:16 2004
+# Not Valid After : Thu Jun 29 17:39:16 2034
+# Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
+# Fingerprint (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "StartCom Certification Authority"
#
+# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+# Serial Number: 1 (0x1)
+# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+# Not Valid Before: Sun Sep 17 19:46:36 2006
+# Not Valid After : Wed Sep 17 19:46:36 2036
+# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
+# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "StartCom Certification Authority"
+# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+# Serial Number: 1 (0x1)
+# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+# Not Valid Before: Sun Sep 17 19:46:36 2006
+# Not Valid After : Wed Sep 17 19:46:36 2036
+# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
+# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Taiwan GRCA"
#
+# Issuer: O=Government Root Certification Authority,C=TW
+# Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
+# Subject: O=Government Root Certification Authority,C=TW
+# Not Valid Before: Thu Dec 05 13:23:33 2002
+# Not Valid After : Sun Dec 05 13:23:33 2032
+# Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
+# Fingerprint (SHA1): F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Taiwan GRCA"
+# Issuer: O=Government Root Certification Authority,C=TW
+# Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
+# Subject: O=Government Root Certification Authority,C=TW
+# Not Valid Before: Thu Dec 05 13:23:33 2002
+# Not Valid After : Sun Dec 05 13:23:33 2032
+# Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
+# Fingerprint (SHA1): F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Firmaprofesional Root CA"
#
+# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
+# Serial Number: 1 (0x1)
+# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
+# Not Valid Before: Wed Oct 24 22:00:00 2001
+# Not Valid After : Thu Oct 24 22:00:00 2013
+# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
+# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Firmaprofesional Root CA"
+# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
+# Serial Number: 1 (0x1)
+# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
+# Not Valid Before: Wed Oct 24 22:00:00 2001
+# Not Valid After : Thu Oct 24 22:00:00 2013
+# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
+# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "Wells Fargo Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Wells Fargo Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\071\344\227\236
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\345\060\202\002\315\240\003\002\001\002\002\004\071
-\344\227\236\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\202\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\127\145\154
-\154\163\040\106\141\162\147\157\061\054\060\052\006\003\125\004
-\013\023\043\127\145\154\154\163\040\106\141\162\147\157\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023
-\046\127\145\154\154\163\040\106\141\162\147\157\040\122\157\157
-\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
-\164\150\157\162\151\164\171\060\036\027\015\060\060\061\060\061
-\061\061\066\064\061\062\070\132\027\015\062\061\060\061\061\064
-\061\066\064\061\062\070\132\060\201\202\061\013\060\011\006\003
-\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012
-\023\013\127\145\154\154\163\040\106\141\162\147\157\061\054\060
-\052\006\003\125\004\013\023\043\127\145\154\154\163\040\106\141
-\162\147\157\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\057\060\055\006
-\003\125\004\003\023\046\127\145\154\154\163\040\106\141\162\147
-\157\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
-\164\145\040\101\165\164\150\157\162\151\164\171\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\325\250\063
-\073\046\371\064\377\315\233\176\345\004\107\316\000\342\175\167
-\347\061\302\056\047\245\115\150\271\061\272\215\103\131\227\307
-\163\252\177\075\134\100\236\005\345\241\342\211\331\114\270\077
-\233\371\014\264\310\142\031\054\105\256\221\036\163\161\101\304
-\113\023\375\160\302\045\254\042\365\165\013\267\123\344\245\053
-\335\316\275\034\072\172\303\367\023\217\046\124\234\026\153\153
-\257\373\330\226\261\140\232\110\340\045\042\044\171\064\316\016
-\046\000\013\116\253\375\213\316\202\327\057\010\160\150\301\250
-\012\371\164\117\007\253\244\371\342\203\176\047\163\164\076\270
-\371\070\102\374\245\250\133\110\043\263\353\343\045\262\200\256
-\226\324\012\234\302\170\232\306\150\030\256\067\142\067\136\121
-\165\250\130\143\300\121\356\100\170\176\250\257\032\240\341\260
-\170\235\120\214\173\347\263\374\216\043\260\333\145\000\160\204
-\001\010\000\024\156\124\206\232\272\314\371\067\020\366\340\336
-\204\055\235\244\205\067\323\207\343\025\320\301\027\220\176\031
-\041\152\022\251\166\375\022\002\351\117\041\136\027\002\003\001
-\000\001\243\141\060\137\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\114\006\003\125\035\040\004\105
-\060\103\060\101\006\013\140\206\110\001\206\373\173\207\007\001
-\013\060\062\060\060\006\010\053\006\001\005\005\007\002\001\026
-\044\150\164\164\160\072\057\057\167\167\167\056\167\145\154\154
-\163\146\141\162\147\157\056\143\157\155\057\143\145\162\164\160
-\157\154\151\143\171\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\322\047\335\234\012\167\053
-\273\042\362\002\265\112\112\221\371\321\055\276\344\273\032\150
-\357\016\244\000\351\356\347\357\356\366\371\345\164\244\302\330
-\122\130\304\164\373\316\153\265\073\051\171\030\132\357\233\355
-\037\153\066\356\110\045\045\024\266\126\242\020\350\356\247\177
-\320\077\243\320\303\135\046\356\007\314\303\301\044\041\207\036
-\337\052\022\123\157\101\026\347\355\256\224\372\214\162\372\023
-\107\360\074\176\256\175\021\072\023\354\355\372\157\162\144\173
-\235\175\177\046\375\172\373\045\255\352\076\051\177\114\343\000
-\127\062\260\263\351\355\123\027\331\213\262\024\016\060\350\345
-\325\023\306\144\257\304\000\325\330\130\044\374\365\217\354\361
-\307\175\245\333\017\047\321\306\362\100\210\346\037\366\141\250
-\364\102\310\271\067\323\251\276\054\126\170\302\162\233\131\135
-\065\100\212\350\116\143\032\266\351\040\152\121\342\316\244\220
-\337\166\160\231\134\160\103\115\267\266\247\031\144\116\222\267
-\305\221\074\177\110\026\145\173\026\375\313\374\373\331\325\326
-\117\041\145\073\112\177\107\243\373
-END
-
-# Trust for Certificate "Wells Fargo Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Wells Fargo Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\223\346\253\042\003\003\265\043\050\334\332\126\236\272\344\321
-\321\314\373\145
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\040\013\112\172\210\247\251\102\206\212\137\164\126\173\210\005
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\071\344\227\236
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
# Certificate "Swisscom Root CA 1"
#
+# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
+# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Thu Aug 18 12:06:20 2005
+# Not Valid After : Mon Aug 18 22:06:20 2025
+# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
+# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Swisscom Root CA 1"
+# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
+# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Thu Aug 18 12:06:20 2005
+# Not Valid After : Mon Aug 18 22:06:20 2025
+# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
+# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "DigiCert Assured ID Root CA"
#
+# Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
+# Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
+# Fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "DigiCert Assured ID Root CA"
+# Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
+# Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
+# Fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "DigiCert Global Root CA"
#
+# Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
+# Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
+# Fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "DigiCert Global Root CA"
+# Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
+# Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
+# Fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "DigiCert High Assurance EV Root CA"
#
+# Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
+# Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
+# Fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "DigiCert High Assurance EV Root CA"
+# Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
+# Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+# Not Valid Before: Fri Nov 10 00:00:00 2006
+# Not Valid After : Mon Nov 10 00:00:00 2031
+# Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
+# Fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Certplus Class 2 Primary CA"
#
+# Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
+# Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
+# Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
+# Not Valid Before: Wed Jul 07 17:05:00 1999
+# Not Valid After : Sat Jul 06 23:59:59 2019
+# Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
+# Fingerprint (SHA1): 74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Certplus Class 2 Primary CA"
+# Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
+# Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
+# Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
+# Not Valid Before: Wed Jul 07 17:05:00 1999
+# Not Valid After : Sat Jul 06 23:59:59 2019
+# Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
+# Fingerprint (SHA1): 74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "DST Root CA X3"
#
+# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
+# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
+# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
+# Not Valid Before: Sat Sep 30 21:12:19 2000
+# Not Valid After : Thu Sep 30 14:01:15 2021
+# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
+# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "DST Root CA X3"
+# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
+# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
+# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
+# Not Valid Before: Sat Sep 30 21:12:19 2000
+# Not Valid After : Thu Sep 30 14:01:15 2021
+# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
+# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "DST ACES CA X6"
#
+# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
+# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+# Not Valid Before: Thu Nov 20 21:19:58 2003
+# Not Valid After : Mon Nov 20 21:19:58 2017
+# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
+# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "DST ACES CA X6"
+# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
+# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+# Not Valid Before: Thu Nov 20 21:19:58 2003
+# Not Valid After : Mon Nov 20 21:19:58 2017
+# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
+# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TURKTRUST Certificate Services Provider Root 1"
#
+# Issuer: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Fri May 13 10:27:17 2005
+# Not Valid After : Sun Mar 22 10:27:17 2015
+# Fingerprint (MD5): F1:6A:22:18:C9:CD:DF:CE:82:1D:1D:B7:78:5C:A9:A5
+# Fingerprint (SHA1): 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TURKTRUST Certificate Services Provider Root 1"
+# Issuer: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Fri May 13 10:27:17 2005
+# Not Valid After : Sun Mar 22 10:27:17 2015
+# Fingerprint (MD5): F1:6A:22:18:C9:CD:DF:CE:82:1D:1D:B7:78:5C:A9:A5
+# Fingerprint (SHA1): 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TURKTRUST Certificate Services Provider Root 2"
#
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Mon Nov 07 10:07:57 2005
+# Not Valid After : Wed Sep 16 10:07:57 2015
+# Fingerprint (MD5): 37:A5:6E:D4:B1:25:84:97:B7:FD:56:15:7A:F9:A2:00
+# Fingerprint (SHA1): B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TURKTRUST Certificate Services Provider Root 2"
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Mon Nov 07 10:07:57 2005
+# Not Valid After : Wed Sep 16 10:07:57 2015
+# Fingerprint (MD5): 37:A5:6E:D4:B1:25:84:97:B7:FD:56:15:7A:F9:A2:00
+# Fingerprint (SHA1): B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "SwissSign Platinum CA - G2"
#
+# Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+# Serial Number:4e:b2:00:67:0c:03:5d:4f
+# Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:36:00 2006
+# Not Valid After : Sat Oct 25 08:36:00 2036
+# Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
+# Fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "SwissSign Platinum CA - G2"
+# Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+# Serial Number:4e:b2:00:67:0c:03:5d:4f
+# Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:36:00 2006
+# Not Valid After : Sat Oct 25 08:36:00 2036
+# Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
+# Fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "SwissSign Gold CA - G2"
#
+# Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+# Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
+# Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:30:35 2006
+# Not Valid After : Sat Oct 25 08:30:35 2036
+# Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
+# Fingerprint (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "SwissSign Gold CA - G2"
+# Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+# Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
+# Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:30:35 2006
+# Not Valid After : Sat Oct 25 08:30:35 2036
+# Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
+# Fingerprint (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "SwissSign Silver CA - G2"
#
+# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+# Serial Number:4f:1b:d4:2f:54:bb:2f:4b
+# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:32:46 2006
+# Not Valid After : Sat Oct 25 08:32:46 2036
+# Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
+# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "SwissSign Silver CA - G2"
+# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+# Serial Number:4f:1b:d4:2f:54:bb:2f:4b
+# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+# Not Valid Before: Wed Oct 25 08:32:46 2006
+# Not Valid After : Sat Oct 25 08:32:46 2036
+# Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
+# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Primary Certification Authority"
#
+# Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+# Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
+# Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+# Not Valid Before: Mon Nov 27 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
+# Fingerprint (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Primary Certification Authority"
+# Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+# Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
+# Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+# Not Valid Before: Mon Nov 27 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
+# Fingerprint (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "thawte Primary Root CA"
#
+# Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
+# Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Not Valid Before: Fri Nov 17 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
+# Fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "thawte Primary Root CA"
+# Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
+# Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Not Valid Before: Fri Nov 17 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
+# Fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
#
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Wed Nov 08 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
+# Fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Wed Nov 08 00:00:00 2006
+# Not Valid After : Wed Jul 16 23:59:59 2036
+# Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
+# Fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "SecureTrust CA"
#
+# Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+# Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
+# Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+# Not Valid Before: Tue Nov 07 19:31:18 2006
+# Not Valid After : Mon Dec 31 19:40:55 2029
+# Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
+# Fingerprint (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "SecureTrust CA"
+# Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+# Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
+# Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+# Not Valid Before: Tue Nov 07 19:31:18 2006
+# Not Valid After : Mon Dec 31 19:40:55 2029
+# Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
+# Fingerprint (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Secure Global CA"
#
+# Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+# Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
+# Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+# Not Valid Before: Tue Nov 07 19:42:28 2006
+# Not Valid After : Mon Dec 31 19:52:06 2029
+# Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
+# Fingerprint (SHA1): 3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Secure Global CA"
+# Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+# Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
+# Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+# Not Valid Before: Tue Nov 07 19:42:28 2006
+# Not Valid After : Mon Dec 31 19:52:06 2029
+# Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
+# Fingerprint (SHA1): 3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "COMODO Certification Authority"
#
+# Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
+# Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Fri Dec 01 00:00:00 2006
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
+# Fingerprint (SHA1): 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "COMODO Certification Authority"
+# Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
+# Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Fri Dec 01 00:00:00 2006
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
+# Fingerprint (SHA1): 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Network Solutions Certificate Authority"
#
+# Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+# Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
+# Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+# Not Valid Before: Fri Dec 01 00:00:00 2006
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
+# Fingerprint (SHA1): 74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Network Solutions Certificate Authority"
+# Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+# Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
+# Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+# Not Valid Before: Fri Dec 01 00:00:00 2006
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
+# Fingerprint (SHA1): 74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "WellsSecure Public Root Certificate Authority"
#
+# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+# Not Valid Before: Thu Dec 13 17:07:54 2007
+# Not Valid After : Wed Dec 14 00:07:54 2022
+# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "WellsSecure Public Root Certificate Authority"
+# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+# Serial Number: 1 (0x1)
+# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+# Not Valid Before: Thu Dec 13 17:07:54 2007
+# Not Valid After : Wed Dec 14 00:07:54 2022
+# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "COMODO ECC Certification Authority"
#
+# Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
+# Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Mar 06 00:00:00 2008
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
+# Fingerprint (SHA1): 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "COMODO ECC Certification Authority"
+# Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
+# Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Thu Mar 06 00:00:00 2008
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
+# Fingerprint (SHA1): 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "MD5 Collisions Forged Rogue CA 25c3"
#
+# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 66 (0x42)
+# Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
+# Not Valid Before: Sat Jul 31 00:00:01 2004
+# Not Valid After : Thu Sep 02 00:00:01 2004
+# Fingerprint (MD5): 16:7A:13:15:B9:17:39:A3:F1:05:6A:E6:3E:D9:3A:38
+# Fingerprint (SHA1): 64:23:13:7E:5C:53:D6:4A:A6:64:85:ED:36:54:F5:AB:05:5A:8B:8A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "MD5 Collisions Forged Rogue CA 25c3"
+# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
+# Serial Number: 66 (0x42)
+# Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
+# Not Valid Before: Sat Jul 31 00:00:01 2004
+# Not Valid After : Thu Sep 02 00:00:01 2004
+# Fingerprint (MD5): 16:7A:13:15:B9:17:39:A3:F1:05:6A:E6:3E:D9:3A:38
+# Fingerprint (SHA1): 64:23:13:7E:5C:53:D6:4A:A6:64:85:ED:36:54:F5:AB:05:5A:8B:8A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "IGC/A"
#
+# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+# Serial Number:39:11:45:10:94
+# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+# Not Valid Before: Fri Dec 13 14:29:23 2002
+# Not Valid After : Sat Oct 17 14:29:22 2020
+# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
+# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "IGC/A"
+# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+# Serial Number:39:11:45:10:94
+# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+# Not Valid Before: Fri Dec 13 14:29:23 2002
+# Not Valid After : Sat Oct 17 14:29:22 2020
+# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
+# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Security Communication EV RootCA1"
#
+# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Not Valid Before: Wed Jun 06 02:12:32 2007
+# Not Valid After : Sat Jun 06 02:12:32 2037
+# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
+# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Security Communication EV RootCA1"
+# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Not Valid Before: Wed Jun 06 02:12:32 2007
+# Not Valid After : Sat Jun 06 02:12:32 2037
+# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
+# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "OISTE WISeKey Global Root GA CA"
#
+# Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+# Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
+# Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+# Not Valid Before: Sun Dec 11 16:03:44 2005
+# Not Valid After : Fri Dec 11 16:09:51 2037
+# Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
+# Fingerprint (SHA1): 59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "OISTE WISeKey Global Root GA CA"
+# Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+# Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
+# Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+# Not Valid Before: Sun Dec 11 16:03:44 2005
+# Not Valid After : Fri Dec 11 16:09:51 2037
+# Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
+# Fingerprint (SHA1): 59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
#
+# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
+# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
+# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
+# Not Valid Before: Wed Jun 22 00:00:00 2005
+# Not Valid After : Fri Jun 21 23:59:59 2030
+# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
+# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
+# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
+# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
+# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
+# Not Valid Before: Wed Jun 22 00:00:00 2005
+# Not Valid After : Fri Jun 21 23:59:59 2030
+# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
+# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Microsec e-Szigno Root CA"
#
+# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+# Not Valid Before: Wed Apr 06 12:28:44 2005
+# Not Valid After : Thu Apr 06 12:28:44 2017
+# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Microsec e-Szigno Root CA"
+# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+# Not Valid Before: Wed Apr 06 12:28:44 2005
+# Not Valid After : Thu Apr 06 12:28:44 2017
+# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Certigna"
#
+# Issuer: CN=Certigna,O=Dhimyotis,C=FR
+# Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
+# Subject: CN=Certigna,O=Dhimyotis,C=FR
+# Not Valid Before: Fri Jun 29 15:13:05 2007
+# Not Valid After : Tue Jun 29 15:13:05 2027
+# Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
+# Fingerprint (SHA1): B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Certigna"
+# Issuer: CN=Certigna,O=Dhimyotis,C=FR
+# Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
+# Subject: CN=Certigna,O=Dhimyotis,C=FR
+# Not Valid Before: Fri Jun 29 15:13:05 2007
+# Not Valid After : Tue Jun 29 15:13:05 2027
+# Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
+# Fingerprint (SHA1): B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AC Raiz Certicamara S.A."
#
+# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
+# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+# Not Valid Before: Mon Nov 27 20:46:29 2006
+# Not Valid After : Tue Apr 02 21:42:02 2030
+# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
+# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AC Raiz Certicamara S.A."
+# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
+# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+# Not Valid Before: Mon Nov 27 20:46:29 2006
+# Not Valid After : Tue Apr 02 21:42:02 2030
+# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
+# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TC TrustCenter Class 2 CA II"
#
+# Issuer: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:2e:6a:00:01:00:02:1f:d7:52:21:2c:11:5c:3b
+# Subject: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Thu Jan 12 14:38:43 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23
+# Fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TC TrustCenter Class 2 CA II"
+# Issuer: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:2e:6a:00:01:00:02:1f:d7:52:21:2c:11:5c:3b
+# Subject: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Thu Jan 12 14:38:43 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23
+# Fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TC TrustCenter Class 3 CA II"
#
+# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
+# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Thu Jan 12 14:41:57 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
+# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TC TrustCenter Class 3 CA II"
+# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
+# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Thu Jan 12 14:41:57 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
+# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TC TrustCenter Universal CA I"
#
+# Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
+# Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Wed Mar 22 15:54:28 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): 45:E1:A5:72:C5:A9:36:64:40:9E:F5:E4:58:84:67:8C
+# Fingerprint (SHA1): 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TC TrustCenter Universal CA I"
+# Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
+# Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Wed Mar 22 15:54:28 2006
+# Not Valid After : Wed Dec 31 22:59:59 2025
+# Fingerprint (MD5): 45:E1:A5:72:C5:A9:36:64:40:9E:F5:E4:58:84:67:8C
+# Fingerprint (SHA1): 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Deutsche Telekom Root CA 2"
#
+# Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+# Serial Number: 38 (0x26)
+# Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+# Not Valid Before: Fri Jul 09 12:11:00 1999
+# Not Valid After : Tue Jul 09 23:59:00 2019
+# Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
+# Fingerprint (SHA1): 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Deutsche Telekom Root CA 2"
+# Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+# Serial Number: 38 (0x26)
+# Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+# Not Valid Before: Fri Jul 09 12:11:00 1999
+# Not Valid After : Tue Jul 09 23:59:00 2019
+# Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
+# Fingerprint (SHA1): 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ComSign CA"
#
+# Issuer: C=IL,O=ComSign,CN=ComSign CA
+# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
+# Subject: C=IL,O=ComSign,CN=ComSign CA
+# Not Valid Before: Wed Mar 24 11:32:18 2004
+# Not Valid After : Mon Mar 19 15:02:18 2029
+# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
+# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ComSign CA"
+# Issuer: C=IL,O=ComSign,CN=ComSign CA
+# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
+# Subject: C=IL,O=ComSign,CN=ComSign CA
+# Not Valid Before: Wed Mar 24 11:32:18 2004
+# Not Valid After : Mon Mar 19 15:02:18 2029
+# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
+# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ComSign Secured CA"
#
+# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
+# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
+# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
+# Not Valid Before: Wed Mar 24 11:37:20 2004
+# Not Valid After : Fri Mar 16 15:04:56 2029
+# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
+# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ComSign Secured CA"
+# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
+# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
+# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
+# Not Valid Before: Wed Mar 24 11:37:20 2004
+# Not Valid After : Fri Mar 16 15:04:56 2029
+# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
+# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Cybertrust Global Root"
#
+# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
+# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+# Not Valid Before: Fri Dec 15 08:00:00 2006
+# Not Valid After : Wed Dec 15 08:00:00 2021
+# Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
+# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Cybertrust Global Root"
+# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
+# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+# Not Valid Before: Fri Dec 15 08:00:00 2006
+# Not Valid After : Wed Dec 15 08:00:00 2021
+# Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
+# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ePKI Root Certification Authority"
#
+# Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+# Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
+# Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+# Not Valid Before: Mon Dec 20 02:31:27 2004
+# Not Valid After : Wed Dec 20 02:31:27 2034
+# Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
+# Fingerprint (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ePKI Root Certification Authority"
+# Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+# Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
+# Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+# Not Valid Before: Mon Dec 20 02:31:27 2004
+# Not Valid After : Wed Dec 20 02:31:27 2034
+# Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
+# Fingerprint (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
#
+# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+# Serial Number: 17 (0x11)
+# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+# Not Valid Before: Fri Aug 24 11:37:07 2007
+# Not Valid After : Mon Aug 21 11:37:07 2017
+# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
+# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+# Serial Number: 17 (0x11)
+# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+# Not Valid Before: Fri Aug 24 11:37:07 2007
+# Not Valid After : Mon Aug 21 11:37:07 2017
+# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
+# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Buypass Class 2 CA 1"
#
+# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 1 (0x1)
+# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Fri Oct 13 10:25:09 2006
+# Not Valid After : Thu Oct 13 10:25:09 2016
+# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
+# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Buypass Class 2 CA 1"
+# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 1 (0x1)
+# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Fri Oct 13 10:25:09 2006
+# Not Valid After : Thu Oct 13 10:25:09 2016
+# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
+# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Buypass Class 3 CA 1"
#
+# Issuer: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 2 (0x2)
+# Subject: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Mon May 09 14:13:03 2005
+# Not Valid After : Sat May 09 14:13:03 2015
+# Fingerprint (MD5): DF:3C:73:59:81:E7:39:50:81:04:4C:34:A2:CB:B3:7B
+# Fingerprint (SHA1): 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Buypass Class 3 CA 1"
+# Issuer: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 2 (0x2)
+# Subject: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Mon May 09 14:13:03 2005
+# Not Valid After : Sat May 09 14:13:03 2015
+# Fingerprint (MD5): DF:3C:73:59:81:E7:39:50:81:04:4C:34:A2:CB:B3:7B
+# Fingerprint (SHA1): 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
#
+# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number:4c:af:73:42:1c:8e:74:02
+# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Thu Aug 17 00:21:09 2006
+# Not Valid After : Sun Aug 14 00:31:09 2016
+# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
+# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
+# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number:4c:af:73:42:1c:8e:74:02
+# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Thu Aug 17 00:21:09 2006
+# Not Valid After : Sun Aug 14 00:31:09 2016
+# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
+# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "certSIGN ROOT CA"
#
+# Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+# Serial Number:20:06:05:16:70:02
+# Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+# Not Valid Before: Tue Jul 04 17:20:04 2006
+# Not Valid After : Fri Jul 04 17:20:04 2031
+# Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
+# Fingerprint (SHA1): FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "certSIGN ROOT CA"
+# Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+# Serial Number:20:06:05:16:70:02
+# Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+# Not Valid Before: Tue Jul 04 17:20:04 2006
+# Not Valid After : Fri Jul 04 17:20:04 2031
+# Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
+# Fingerprint (SHA1): FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "CNNIC ROOT"
#
+# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
+# Serial Number: 1228079105 (0x49330001)
+# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
+# Not Valid Before: Mon Apr 16 07:09:14 2007
+# Not Valid After : Fri Apr 16 07:09:14 2027
+# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
+# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "CNNIC ROOT"
+# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
+# Serial Number: 1228079105 (0x49330001)
+# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
+# Not Valid Before: Mon Apr 16 07:09:14 2007
+# Not Valid After : Fri Apr 16 07:09:14 2027
+# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
+# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ApplicationCA - Japanese Government"
#
+# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+# Serial Number: 49 (0x31)
+# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+# Not Valid Before: Wed Dec 12 15:00:00 2007
+# Not Valid After : Tue Dec 12 15:00:00 2017
+# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ApplicationCA - Japanese Government"
+# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+# Serial Number: 49 (0x31)
+# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+# Not Valid Before: Wed Dec 12 15:00:00 2007
+# Not Valid After : Tue Dec 12 15:00:00 2017
+# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Primary Certification Authority - G3"
#
+# Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
+# Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
+# Fingerprint (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Primary Certification Authority - G3"
+# Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
+# Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
+# Fingerprint (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "thawte Primary Root CA - G2"
#
+# Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+# Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
+# Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
+# Fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "thawte Primary Root CA - G2"
+# Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+# Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
+# Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
+# Fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "thawte Primary Root CA - G3"
#
+# Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
+# Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
+# Fingerprint (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "thawte Primary Root CA - G3"
+# Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
+# Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
+# Fingerprint (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GeoTrust Primary Certification Authority - G2"
#
+# Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
+# Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
+# Fingerprint (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GeoTrust Primary Certification Authority - G2"
+# Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
+# Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
+# Fingerprint (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "VeriSign Universal Root Certification Authority"
#
+# Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
+# Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
+# Fingerprint (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "VeriSign Universal Root Certification Authority"
+# Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
+# Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Wed Apr 02 00:00:00 2008
+# Not Valid After : Tue Dec 01 23:59:59 2037
+# Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
+# Fingerprint (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
#
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
+# Fingerprint (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Nov 05 00:00:00 2007
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
+# Fingerprint (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
#
+# Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+# Serial Number:49:41:2c:e4:00:10
+# Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Dec 11 15:08:21 2008
+# Not Valid After : Wed Dec 06 15:08:21 2028
+# Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
+# Fingerprint (SHA1): 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
+# Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+# Serial Number:49:41:2c:e4:00:10
+# Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+# Not Valid Before: Thu Dec 11 15:08:21 2008
+# Not Valid After : Wed Dec 06 15:08:21 2028
+# Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
+# Fingerprint (SHA1): 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Staat der Nederlanden Root CA - G2"
#
+# Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000012 (0x98968c)
+# Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Wed Mar 26 11:18:17 2008
+# Not Valid After : Wed Mar 25 11:03:10 2020
+# Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
+# Fingerprint (SHA1): 59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Staat der Nederlanden Root CA - G2"
+# Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000012 (0x98968c)
+# Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Wed Mar 26 11:18:17 2008
+# Not Valid After : Wed Mar 25 11:03:10 2020
+# Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
+# Fingerprint (SHA1): 59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "CA Disig"
#
+# Issuer: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number: 1 (0x1)
+# Subject: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Wed Mar 22 01:39:34 2006
+# Not Valid After : Tue Mar 22 01:39:34 2016
+# Fingerprint (MD5): 3F:45:96:39:E2:50:87:F7:BB:FE:98:0C:3C:20:98:E6
+# Fingerprint (SHA1): 2A:C8:D5:8B:57:CE:BF:2F:49:AF:F2:FC:76:8F:51:14:62:90:7A:41
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "CA Disig"
+# Issuer: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number: 1 (0x1)
+# Subject: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Wed Mar 22 01:39:34 2006
+# Not Valid After : Tue Mar 22 01:39:34 2016
+# Fingerprint (MD5): 3F:45:96:39:E2:50:87:F7:BB:FE:98:0C:3C:20:98:E6
+# Fingerprint (SHA1): 2A:C8:D5:8B:57:CE:BF:2F:49:AF:F2:FC:76:8F:51:14:62:90:7A:41
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Juur-SK"
#
+# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
+# Serial Number: 999181308 (0x3b8e4bfc)
+# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
+# Not Valid Before: Thu Aug 30 14:23:01 2001
+# Not Valid After : Fri Aug 26 14:23:01 2016
+# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
+# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Juur-SK"
+# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
+# Serial Number: 999181308 (0x3b8e4bfc)
+# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
+# Not Valid Before: Thu Aug 30 14:23:01 2001
+# Not Valid After : Fri Aug 26 14:23:01 2016
+# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
+# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Hongkong Post Root CA 1"
#
+# Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+# Serial Number: 1000 (0x3e8)
+# Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+# Not Valid Before: Thu May 15 05:13:14 2003
+# Not Valid After : Mon May 15 04:52:29 2023
+# Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
+# Fingerprint (SHA1): D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Hongkong Post Root CA 1"
+# Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+# Serial Number: 1000 (0x3e8)
+# Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+# Not Valid Before: Thu May 15 05:13:14 2003
+# Not Valid After : Mon May 15 04:52:29 2023
+# Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
+# Fingerprint (SHA1): D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "SecureSign RootCA11"
#
+# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+# Serial Number: 1 (0x1)
+# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+# Not Valid Before: Wed Apr 08 04:56:47 2009
+# Not Valid After : Sun Apr 08 04:56:47 2029
+# Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
+# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "SecureSign RootCA11"
+# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+# Serial Number: 1 (0x1)
+# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+# Not Valid Before: Wed Apr 08 04:56:47 2009
+# Not Valid After : Sun Apr 08 04:56:47 2029
+# Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
+# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "ACEDICOM Root"
#
+# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+# Serial Number:61:8d:c7:86:3b:01:82:05
+# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+# Not Valid Before: Fri Apr 18 16:24:22 2008
+# Not Valid After : Thu Apr 13 16:24:22 2028
+# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
+# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "ACEDICOM Root"
+# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+# Serial Number:61:8d:c7:86:3b:01:82:05
+# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+# Not Valid Before: Fri Apr 18 16:24:22 2008
+# Not Valid After : Thu Apr 13 16:24:22 2028
+# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
+# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 1 Public Primary Certification Authority"
#
+# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
+# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Wed Aug 02 23:59:59 2028
+# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
+# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
+# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
+# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Wed Aug 02 23:59:59 2028
+# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
+# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Verisign Class 3 Public Primary Certification Authority"
#
+# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
+# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Wed Aug 02 23:59:59 2028
+# Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
+# Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
+# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
+# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+# Not Valid Before: Mon Jan 29 00:00:00 1996
+# Not Valid After : Wed Aug 02 23:59:59 2028
+# Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
+# Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Microsec e-Szigno Root CA 2009"
#
+# Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+# Serial Number:00:c2:7e:43:04:4e:47:3f:19
+# Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+# Not Valid Before: Tue Jun 16 11:30:18 2009
+# Not Valid After : Sun Dec 30 11:30:18 2029
+# Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
+# Fingerprint (SHA1): 89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Microsec e-Szigno Root CA 2009"
+# Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+# Serial Number:00:c2:7e:43:04:4e:47:3f:19
+# Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+# Not Valid Before: Tue Jun 16 11:30:18 2009
+# Not Valid After : Sun Dec 30 11:30:18 2029
+# Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
+# Fingerprint (SHA1): 89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
#
+# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+# Not Valid Before: Thu Jan 04 11:32:48 2007
+# Not Valid After : Wed Jan 04 11:32:48 2017
+# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+# Not Valid Before: Thu Jan 04 11:32:48 2007
+# Not Valid After : Wed Jan 04 11:32:48 2017
+# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "GlobalSign Root CA - R3"
#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+# Serial Number:04:00:00:00:00:01:21:58:53:08:a2
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+# Not Valid Before: Wed Mar 18 10:00:00 2009
+# Not Valid After : Sun Mar 18 10:00:00 2029
+# Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
+# Fingerprint (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "GlobalSign Root CA - R3"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+# Serial Number:04:00:00:00:00:01:21:58:53:08:a2
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+# Not Valid Before: Wed Mar 18 10:00:00 2009
+# Not Valid After : Sun Mar 18 10:00:00 2029
+# Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
+# Fingerprint (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TC TrustCenter Universal CA III"
#
+# Issuer: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:63:25:00:01:00:02:14:8d:33:15:02:e4:6c:f4
+# Subject: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Wed Sep 09 08:15:27 2009
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): 9F:DD:DB:AB:FF:8E:FF:45:21:5F:F0:6C:9D:8F:FE:2B
+# Fingerprint (SHA1): 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TC TrustCenter Universal CA III"
+# Issuer: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Serial Number:63:25:00:01:00:02:14:8d:33:15:02:e4:6c:f4
+# Subject: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+# Not Valid Before: Wed Sep 09 08:15:27 2009
+# Not Valid After : Mon Dec 31 23:59:59 2029
+# Fingerprint (MD5): 9F:DD:DB:AB:FF:8E:FF:45:21:5F:F0:6C:9D:8F:FE:2B
+# Fingerprint (SHA1): 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
#
+# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+# Serial Number:53:ec:3b:ee:fb:b2:48:5f
+# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+# Not Valid Before: Wed May 20 08:38:15 2009
+# Not Valid After : Tue Dec 31 08:38:15 2030
+# Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
+# Fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+# Serial Number:53:ec:3b:ee:fb:b2:48:5f
+# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+# Not Valid Before: Wed May 20 08:38:15 2009
+# Not Valid After : Tue Dec 31 08:38:15 2030
+# Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
+# Fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Izenpe.com"
#
+# Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+# Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
+# Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+# Not Valid Before: Thu Dec 13 13:08:28 2007
+# Not Valid After : Sun Dec 13 08:27:25 2037
+# Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
+# Fingerprint (SHA1): 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Izenpe.com"
+# Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+# Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
+# Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+# Not Valid Before: Thu Dec 13 13:08:28 2007
+# Not Valid After : Sun Dec 13 08:27:25 2037
+# Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
+# Fingerprint (SHA1): 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Chambers of Commerce Root - 2008"
#
+# Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Serial Number:00:a3:da:42:7e:a4:b1:ae:da
+# Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Not Valid Before: Fri Aug 01 12:29:50 2008
+# Not Valid After : Sat Jul 31 12:29:50 2038
+# Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
+# Fingerprint (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Chambers of Commerce Root - 2008"
+# Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Serial Number:00:a3:da:42:7e:a4:b1:ae:da
+# Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Not Valid Before: Fri Aug 01 12:29:50 2008
+# Not Valid After : Sat Jul 31 12:29:50 2038
+# Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
+# Fingerprint (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Global Chambersign Root - 2008"
#
+# Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
+# Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Not Valid Before: Fri Aug 01 12:31:40 2008
+# Not Valid After : Sat Jul 31 12:31:40 2038
+# Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
+# Fingerprint (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Global Chambersign Root - 2008"
+# Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
+# Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+# Not Valid Before: Fri Aug 01 12:31:40 2008
+# Not Valid After : Sat Jul 31 12:31:40 2038
+# Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
+# Fingerprint (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Mozilla Addons"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
+# Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 84:C5:18:67:1F:2A:1A:90:BE:E2:B1:18:4F:03:00:32
+# Fingerprint (SHA1): 30:5F:8B:D1:7A:A2:CB:C4:83:A4:C4:1B:19:A3:9A:0C:75:DA:39:D6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Mozilla Addons"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
+# Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 84:C5:18:67:1F:2A:1A:90:BE:E2:B1:18:4F:03:00:32
+# Fingerprint (SHA1): 30:5F:8B:D1:7A:A2:CB:C4:83:A4:C4:1B:19:A3:9A:0C:75:DA:39:D6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Global Trustee"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0
+# Subject: CN=global trustee,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Global Trustee,O=Global Trustee,STREET=Sea Village 10,L=Tampa,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): FE:0D:01:6E:71:CB:8C:D8:3F:0E:0C:CD:49:35:B8:57
+# Fingerprint (SHA1): 61:79:3F:CB:FA:4F:90:08:30:9B:BA:5F:F1:2D:2C:B2:9C:D4:15:1A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Global Trustee"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0
+# Subject: CN=global trustee,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Global Trustee,O=Global Trustee,STREET=Sea Village 10,L=Tampa,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): FE:0D:01:6E:71:CB:8C:D8:3F:0E:0C:CD:49:35:B8:57
+# Fingerprint (SHA1): 61:79:3F:CB:FA:4F:90:08:30:9B:BA:5F:F1:2D:2C:B2:9C:D4:15:1A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus GMail"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e
+# Subject: CN=mail.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 4C:77:1F:EB:CA:31:C1:29:98:E9:2C:10:B3:AF:49:1C
+# Fingerprint (SHA1): 64:31:72:30:36:FD:26:DE:A5:02:79:2F:A5:95:92:24:93:03:0F:97
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus GMail"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e
+# Subject: CN=mail.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 4C:77:1F:EB:CA:31:C1:29:98:E9:2C:10:B3:AF:49:1C
+# Fingerprint (SHA1): 64:31:72:30:36:FD:26:DE:A5:02:79:2F:A5:95:92:24:93:03:0F:97
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Google"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06
+# Subject: CN=www.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 01:73:A9:58:F0:BC:C9:BE:94:2B:1A:4C:98:24:E3:B8
+# Fingerprint (SHA1): 19:16:A2:AF:34:6D:39:9F:50:31:3C:39:32:00:F1:41:40:45:66:16
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Google"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06
+# Subject: CN=www.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 01:73:A9:58:F0:BC:C9:BE:94:2B:1A:4C:98:24:E3:B8
+# Fingerprint (SHA1): 19:16:A2:AF:34:6D:39:9F:50:31:3C:39:32:00:F1:41:40:45:66:16
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Skype"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47
+# Subject: CN=login.skype.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 85:A4:B4:C4:69:21:DF:A1:6A:0D:58:56:58:4B:33:44
+# Fingerprint (SHA1): 47:1C:94:9A:81:43:DB:5A:D5:CD:F1:C9:72:86:4A:25:04:FA:23:C9
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Skype"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47
+# Subject: CN=login.skype.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 85:A4:B4:C4:69:21:DF:A1:6A:0D:58:56:58:4B:33:44
+# Fingerprint (SHA1): 47:1C:94:9A:81:43:DB:5A:D5:CD:F1:C9:72:86:4A:25:04:FA:23:C9
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Yahoo 1"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 0C:1F:BE:D3:FC:09:6E:E6:6E:C2:66:39:75:86:6B:EB
+# Fingerprint (SHA1): 63:FE:AE:96:0B:AA:91:E3:43:CE:2B:D8:B7:17:98:C7:6B:DB:77:D0
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Yahoo 1"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 0C:1F:BE:D3:FC:09:6E:E6:6E:C2:66:39:75:86:6B:EB
+# Fingerprint (SHA1): 63:FE:AE:96:0B:AA:91:E3:43:CE:2B:D8:B7:17:98:C7:6B:DB:77:D0
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Yahoo 2"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 72:DC:C8:72:6C:53:3B:B2:FD:CC:5D:19:BD:AF:A6:31
+# Fingerprint (SHA1): D0:18:B6:2D:C5:18:90:72:47:DF:50:92:5B:B0:9A:CF:4A:5C:B3:AD
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Yahoo 2"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 72:DC:C8:72:6C:53:3B:B2:FD:CC:5D:19:BD:AF:A6:31
+# Fingerprint (SHA1): D0:18:B6:2D:C5:18:90:72:47:DF:50:92:5B:B0:9A:CF:4A:5C:B3:AD
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus Yahoo 3"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 4A:DC:3C:67:ED:21:CD:5B:CE:5D:C8:11:E4:9E:CF:3D
+# Fingerprint (SHA1): 80:96:2A:E4:D6:C5:B4:42:89:4E:95:A1:3E:4A:69:9E:07:D6:94:CF
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus Yahoo 3"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71
+# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): 4A:DC:3C:67:ED:21:CD:5B:CE:5D:C8:11:E4:9E:CF:3D
+# Fingerprint (SHA1): 80:96:2A:E4:D6:C5:B4:42:89:4E:95:A1:3E:4A:69:9E:07:D6:94:CF
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus live.com"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0
+# Subject: CN=login.live.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): D0:D4:39:E3:CC:5C:52:DD:08:CD:E9:AB:E8:11:59:D4
+# Fingerprint (SHA1): CE:A5:86:B2:CE:59:3E:C7:D9:39:89:83:37:C5:78:14:70:8A:B2:BE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus live.com"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:00:b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0
+# Subject: CN=login.live.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
+# Not Valid Before: Tue Mar 15 00:00:00 2011
+# Not Valid After : Fri Mar 14 23:59:59 2014
+# Fingerprint (MD5): D0:D4:39:E3:CC:5C:52:DD:08:CD:E9:AB:E8:11:59:D4
+# Fingerprint (SHA1): CE:A5:86:B2:CE:59:3E:C7:D9:39:89:83:37:C5:78:14:70:8A:B2:BE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Bogus kuix.de"
#
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
+# Subject: CN=kuix.de,OU=Comodo Trial SSL,OU=TEST USE ONLY - NO WARRANTY ATTACHED,OU=For Testing Purposes Only,O=Kai Engert,STREET=Test Street,L=Test City,ST=Test State,postalCode=12345,C=DE
+# Not Valid Before: Thu Mar 17 00:00:00 2011
+# Not Valid After : Sat Apr 16 23:59:59 2011
+# Fingerprint (MD5): F7:5F:98:BC:D8:64:0C:16:E5:AE:EE:AA:00:F6:1F:07
+# Fingerprint (SHA1): 82:61:4B:EC:97:48:15:DE:CC:9A:CC:6E:84:21:71:79:B2:64:20:40
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Bogus kuix.de"
+# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Serial Number:72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
+# Subject: CN=kuix.de,OU=Comodo Trial SSL,OU=TEST USE ONLY - NO WARRANTY ATTACHED,OU=For Testing Purposes Only,O=Kai Engert,STREET=Test Street,L=Test City,ST=Test State,postalCode=12345,C=DE
+# Not Valid Before: Thu Mar 17 00:00:00 2011
+# Not Valid After : Sat Apr 16 23:59:59 2011
+# Fingerprint (MD5): F7:5F:98:BC:D8:64:0C:16:E5:AE:EE:AA:00:F6:1F:07
+# Fingerprint (SHA1): 82:61:4B:EC:97:48:15:DE:CC:9A:CC:6E:84:21:71:79:B2:64:20:40
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Go Daddy Root Certificate Authority - G2"
#
+# Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
+# Fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Go Daddy Root Certificate Authority - G2"
+# Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
+# Fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Starfield Root Certificate Authority - G2"
#
+# Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
+# Fingerprint (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Starfield Root Certificate Authority - G2"
+# Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
+# Fingerprint (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Starfield Services Root Certificate Authority - G2"
#
+# Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
+# Fingerprint (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Starfield Services Root Certificate Authority - G2"
+# Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Serial Number: 0 (0x0)
+# Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+# Not Valid Before: Tue Sep 01 00:00:00 2009
+# Not Valid After : Thu Dec 31 23:59:59 2037
+# Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
+# Fingerprint (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AffirmTrust Commercial"
#
+# Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+# Serial Number:77:77:06:27:26:a9:b1:7c
+# Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:06:06 2010
+# Not Valid After : Tue Dec 31 14:06:06 2030
+# Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
+# Fingerprint (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AffirmTrust Commercial"
+# Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+# Serial Number:77:77:06:27:26:a9:b1:7c
+# Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:06:06 2010
+# Not Valid After : Tue Dec 31 14:06:06 2030
+# Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
+# Fingerprint (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AffirmTrust Networking"
#
+# Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+# Serial Number:7c:4f:04:39:1c:d4:99:2d
+# Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:08:24 2010
+# Not Valid After : Tue Dec 31 14:08:24 2030
+# Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
+# Fingerprint (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AffirmTrust Networking"
+# Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+# Serial Number:7c:4f:04:39:1c:d4:99:2d
+# Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:08:24 2010
+# Not Valid After : Tue Dec 31 14:08:24 2030
+# Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
+# Fingerprint (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AffirmTrust Premium"
#
+# Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+# Serial Number:6d:8c:14:46:b1:a6:0a:ee
+# Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:10:36 2010
+# Not Valid After : Mon Dec 31 14:10:36 2040
+# Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
+# Fingerprint (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AffirmTrust Premium"
+# Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+# Serial Number:6d:8c:14:46:b1:a6:0a:ee
+# Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:10:36 2010
+# Not Valid After : Mon Dec 31 14:10:36 2040
+# Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
+# Fingerprint (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "AffirmTrust Premium ECC"
#
+# Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+# Serial Number:74:97:25:8a:c7:3f:7a:54
+# Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:20:24 2010
+# Not Valid After : Mon Dec 31 14:20:24 2040
+# Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
+# Fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "AffirmTrust Premium ECC"
+# Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+# Serial Number:74:97:25:8a:c7:3f:7a:54
+# Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+# Not Valid Before: Fri Jan 29 14:20:24 2010
+# Not Valid After : Mon Dec 31 14:20:24 2040
+# Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
+# Fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Certum Trusted Network CA"
#
+# Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+# Serial Number: 279744 (0x444c0)
+# Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+# Not Valid Before: Wed Oct 22 12:07:37 2008
+# Not Valid After : Mon Dec 31 12:07:37 2029
+# Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
+# Fingerprint (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Certum Trusted Network CA"
+# Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+# Serial Number: 279744 (0x444c0)
+# Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+# Not Valid Before: Wed Oct 22 12:07:37 2008
+# Not Valid After : Mon Dec 31 12:07:37 2029
+# Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
+# Fingerprint (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Certinomis - Autorité Racine"
#
+# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+# Serial Number: 1 (0x1)
+# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+# Not Valid Before: Wed Sep 17 08:28:59 2008
+# Not Valid After : Sun Sep 17 08:28:59 2028
+# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
+# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Certinomis - Autorité Racine"
+# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+# Serial Number: 1 (0x1)
+# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+# Not Valid Before: Wed Sep 17 08:28:59 2008
+# Not Valid After : Sun Sep 17 08:28:59 2028
+# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
+# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Root CA Generalitat Valenciana"
#
+# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Serial Number: 994436456 (0x3b45e568)
+# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Not Valid Before: Fri Jul 06 16:22:47 2001
+# Not Valid After : Thu Jul 01 15:22:47 2021
+# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
+# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Root CA Generalitat Valenciana"
+# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Serial Number: 994436456 (0x3b45e568)
+# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Not Valid Before: Fri Jul 06 16:22:47 2001
+# Not Valid After : Thu Jul 01 15:22:47 2021
+# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
+# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "A-Trust-nQual-03"
#
+# Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
+# Serial Number: 93214 (0x16c1e)
+# Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
+# Not Valid Before: Wed Aug 17 22:00:00 2005
+# Not Valid After : Mon Aug 17 22:00:00 2015
+# Fingerprint (MD5): 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
+# Fingerprint (SHA1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "A-Trust-nQual-03"
+# Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
+# Serial Number: 93214 (0x16c1e)
+# Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
+# Not Valid Before: Wed Aug 17 22:00:00 2005
+# Not Valid After : Mon Aug 17 22:00:00 2015
+# Fingerprint (MD5): 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
+# Fingerprint (SHA1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "TWCA Root Certification Authority"
#
+# Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+# Serial Number: 1 (0x1)
+# Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+# Not Valid Before: Thu Aug 28 07:24:33 2008
+# Not Valid After : Tue Dec 31 15:59:59 2030
+# Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
+# Fingerprint (SHA1): CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "TWCA Root Certification Authority"
+# Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+# Serial Number: 1 (0x1)
+# Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+# Not Valid Before: Thu Aug 28 07:24:33 2008
+# Not Valid After : Tue Dec 31 15:59:59 2030
+# Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
+# Fingerprint (SHA1): CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrust DigiNotar Root CA"
#
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
+# Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
+# Subject: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
+# Not Valid Before: Fri Jul 27 17:19:37 2007
+# Not Valid After : Mon Mar 31 18:19:22 2025
+# Fingerprint (MD5): 0A:A4:D5:CC:BA:B4:FB:A3:59:E3:E6:01:DD:53:D9:4E
+# Fingerprint (SHA1): C1:77:CB:4B:E0:B4:26:8E:F5:C7:CF:45:99:22:B9:B0:CE:BA:21:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrust DigiNotar Root CA"
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
+# Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
+# Subject: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
+# Not Valid Before: Fri Jul 27 17:19:37 2007
+# Not Valid After : Mon Mar 31 18:19:22 2025
+# Fingerprint (MD5): 0A:A4:D5:CC:BA:B4:FB:A3:59:E3:E6:01:DD:53:D9:4E
+# Fingerprint (SHA1): C1:77:CB:4B:E0:B4:26:8E:F5:C7:CF:45:99:22:B9:B0:CE:BA:21:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
#
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: E=info@diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
+# Not Valid Before: Thu Jul 26 15:59:01 2007
+# Not Valid After : Mon Aug 26 16:29:01 2013
+# Fingerprint (MD5): 2F:16:68:97:4C:68:4F:CE:52:8A:EC:53:8F:93:49:F8
+# Fingerprint (SHA1): 12:3B:EA:CA:66:67:77:61:E0:EB:68:F2:FE:ED:A2:0F:20:05:55:70
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: E=info@diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
+# Not Valid Before: Thu Jul 26 15:59:01 2007
+# Not Valid After : Mon Aug 26 16:29:01 2013
+# Fingerprint (MD5): 2F:16:68:97:4C:68:4F:CE:52:8A:EC:53:8F:93:49:F8
+# Fingerprint (SHA1): 12:3B:EA:CA:66:67:77:61:E0:EB:68:F2:FE:ED:A2:0F:20:05:55:70
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrust DigiNotar Cyber CA"
#
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: E=info@diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Not Valid Before: Wed Oct 04 10:54:12 2006
+# Not Valid After : Tue Oct 04 10:53:12 2011
+# Fingerprint (MD5): BC:BD:89:12:B4:FF:E5:F9:26:47:C8:60:36:5B:D9:54
+# Fingerprint (SHA1): A5:8E:A0:EC:F6:44:56:35:19:1D:68:5B:C7:A0:E4:1C:B0:4D:79:2E
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA"
+# Issuer: E=info@diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: E=info@diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Not Valid Before: Wed Oct 04 10:54:12 2006
+# Not Valid After : Tue Oct 04 10:53:12 2011
+# Fingerprint (MD5): BC:BD:89:12:B4:FF:E5:F9:26:47:C8:60:36:5B:D9:54
+# Fingerprint (SHA1): A5:8E:A0:EC:F6:44:56:35:19:1D:68:5B:C7:A0:E4:1C:B0:4D:79:2E
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
#
+# Issuer: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Not Valid Before: Wed Sep 27 10:53:53 2006
+# Not Valid After : Fri Sep 20 09:44:07 2013
+# Fingerprint (MD5): F0:AE:A9:3D:F2:2C:88:DC:7C:85:1B:96:7D:5A:1C:11
+# Fingerprint (SHA1): 88:1E:45:05:0F:98:D9:59:FB:0A:35:F9:4C:0E:28:97:55:16:29:B3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
+# Issuer: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
+# Not Valid Before: Wed Sep 27 10:53:53 2006
+# Not Valid After : Fri Sep 20 09:44:07 2013
+# Fingerprint (MD5): F0:AE:A9:3D:F2:2C:88:DC:7C:85:1B:96:7D:5A:1C:11
+# Fingerprint (SHA1): 88:1E:45:05:0F:98:D9:59:FB:0A:35:F9:4C:0E:28:97:55:16:29:B3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
#
+# Issuer: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Thu Jul 05 08:42:08 2007
+# Not Valid After : Mon Jul 27 08:39:47 2015
+# Fingerprint (MD5): A3:CF:B3:FF:F9:4F:A7:B1:EB:3A:75:58:4E:2E:9F:EA
+# Fingerprint (SHA1): A7:A8:C9:AC:F4:5F:90:92:76:86:B8:C0:A2:0E:93:58:7D:DE:30:E4
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
+# Issuer: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Thu Jul 05 08:42:08 2007
+# Not Valid After : Mon Jul 27 08:39:47 2015
+# Fingerprint (MD5): A3:CF:B3:FF:F9:4F:A7:B1:EB:3A:75:58:4E:2E:9F:EA
+# Fingerprint (SHA1): A7:A8:C9:AC:F4:5F:90:92:76:86:B8:C0:A2:0E:93:58:7D:DE:30:E4
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
#
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Wed May 12 08:51:39 2010
+# Not Valid After : Mon Mar 23 09:50:05 2020
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Wed May 12 08:51:39 2010
+# Not Valid After : Mon Mar 23 09:50:05 2020
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number:07:ff:ff:ff:ff:ff
+# Subject: CN=Digisign Server ID (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
+# Not Valid Before: Tue Jul 17 15:17:49 2007
+# Not Valid After : Tue Jul 17 15:16:55 2012
+# Fingerprint (MD5): D2:DE:AE:50:A4:98:2D:6F:37:B7:86:52:C8:2D:4B:6A
+# Fingerprint (SHA1): 55:50:AF:EC:BF:E8:C3:AD:C4:0B:E3:AD:0C:A7:E4:15:8C:39:59:4F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number:07:ff:ff:ff:ff:ff
+# Subject: CN=Digisign Server ID (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
+# Not Valid Before: Tue Jul 17 15:17:49 2007
+# Not Valid After : Tue Jul 17 15:16:55 2012
+# Fingerprint (MD5): D2:DE:AE:50:A4:98:2D:6F:37:B7:86:52:C8:2D:4B:6A
+# Fingerprint (SHA1): 55:50:AF:EC:BF:E8:C3:AD:C4:0B:E3:AD:0C:A7:E4:15:8C:39:59:4F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
#
+# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Serial Number:07:ff:ff:ff:ff:ff
+# Subject: CN=Digisign Server ID - (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
+# Not Valid Before: Fri Jul 16 17:23:38 2010
+# Not Valid After : Thu Jul 16 17:53:38 2015
+# Fingerprint (MD5): D7:69:61:7F:35:0F:9C:46:A3:AA:EB:F8:55:FC:84:F2
+# Fingerprint (SHA1): 6B:3C:3B:80:AD:CA:A6:BA:8A:9F:54:A6:7A:ED:12:69:05:6D:31:26
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
+# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Serial Number:07:ff:ff:ff:ff:ff
+# Subject: CN=Digisign Server ID - (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
+# Not Valid Before: Fri Jul 16 17:23:38 2010
+# Not Valid After : Thu Jul 16 17:53:38 2015
+# Fingerprint (MD5): D7:69:61:7F:35:0F:9C:46:A3:AA:EB:F8:55:FC:84:F2
+# Fingerprint (SHA1): 6B:3C:3B:80:AD:CA:A6:BA:8A:9F:54:A6:7A:ED:12:69:05:6D:31:26
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Security Communication RootCA2"
#
+# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Not Valid Before: Fri May 29 05:00:39 2009
+# Not Valid After : Tue May 29 05:00:39 2029
+# Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
+# Fingerprint (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Security Communication RootCA2"
+# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Serial Number: 0 (0x0)
+# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+# Not Valid Before: Fri May 29 05:00:39 2009
+# Not Valid After : Tue May 29 05:00:39 2029
+# Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
+# Fingerprint (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "EC-ACC"
#
+# Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+# Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
+# Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+# Not Valid Before: Tue Jan 07 23:00:00 2003
+# Not Valid After : Tue Jan 07 22:59:59 2031
+# Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
+# Fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "EC-ACC"
+# Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+# Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
+# Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+# Not Valid Before: Tue Jan 07 23:00:00 2003
+# Not Valid After : Tue Jan 07 22:59:59 2031
+# Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
+# Fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
#
# Certificate "Hellenic Academic and Research Institutions RootCA 2011"
#
+# Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+# Serial Number: 0 (0x0)
+# Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+# Not Valid Before: Tue Dec 06 13:49:52 2011
+# Not Valid After : Mon Dec 01 13:49:52 2031
+# Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
+# Fingerprint (SHA1): FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
END
# Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
+# Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+# Serial Number: 0 (0x0)
+# Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+# Not Valid Before: Tue Dec 06 13:49:52 2011
+# Not Valid After : Mon Dec 01 13:49:52 2031
+# Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
+# Fingerprint (SHA1): FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "SG TRUST SERVICES RACINE"
+#
+# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
+# Serial Number:3e:d5:51:19:e6:4d:ce:7e
+# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
+# Not Valid Before: Mon Sep 06 12:53:42 2010
+# Not Valid After : Thu Sep 05 12:53:42 2030
+# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
+# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
+\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
+\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
+\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
+\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
+\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
+\013\060\011\006\003\125\004\006\023\002\106\122
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
+\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
+\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
+\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
+\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
+\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
+\013\060\011\006\003\125\004\006\023\002\106\122
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\076\325\121\031\346\115\316\176
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\031\060\202\004\001\240\003\002\001\002\002\010\076
+\325\121\031\346\115\316\176\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\152\061\041\060\037\006\003\125\004
+\003\023\030\123\107\040\124\122\125\123\124\040\123\105\122\126
+\111\103\105\123\040\122\101\103\111\116\105\061\034\060\032\006
+\003\125\004\013\023\023\060\060\060\062\040\064\063\065\062\065
+\062\070\071\065\060\060\060\062\062\061\032\060\030\006\003\125
+\004\012\023\021\123\107\040\124\122\125\123\124\040\123\105\122
+\126\111\103\105\123\061\013\060\011\006\003\125\004\006\023\002
+\106\122\060\036\027\015\061\060\060\071\060\066\061\062\065\063
+\064\062\132\027\015\063\060\060\071\060\065\061\062\065\063\064
+\062\132\060\152\061\041\060\037\006\003\125\004\003\023\030\123
+\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123
+\040\122\101\103\111\116\105\061\034\060\032\006\003\125\004\013
+\023\023\060\060\060\062\040\064\063\065\062\065\062\070\071\065
+\060\060\060\062\062\061\032\060\030\006\003\125\004\012\023\021
+\123\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105
+\123\061\013\060\011\006\003\125\004\006\023\002\106\122\060\202
+\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\332
+\250\126\002\354\174\225\360\116\351\012\322\267\007\243\042\213
+\120\263\271\056\031\075\127\333\031\252\322\053\344\316\102\342
+\154\241\344\135\045\036\063\035\266\105\321\264\372\131\212\126
+\160\311\155\010\166\151\160\232\346\307\234\010\060\023\376\346
+\321\222\150\141\076\114\021\362\156\362\261\173\127\126\113\011
+\275\334\017\331\161\014\350\232\067\336\042\020\034\231\136\326
+\261\027\007\323\244\071\055\302\032\163\375\312\113\051\007\302
+\171\051\310\310\046\256\054\304\374\043\310\113\342\206\126\017
+\050\375\266\207\033\150\137\071\144\105\375\150\203\154\165\044
+\036\074\165\231\141\372\322\024\370\251\113\261\330\175\247\170
+\322\023\142\145\265\326\276\176\152\003\274\265\262\374\144\060
+\303\320\302\231\075\231\244\323\315\321\261\304\123\207\173\114
+\023\023\146\177\277\325\145\123\150\371\134\036\345\264\377\066
+\231\105\243\237\142\300\177\021\202\001\124\336\017\145\245\071
+\256\235\110\114\211\243\020\073\340\346\203\365\260\332\054\036
+\172\034\134\037\000\254\314\253\247\140\144\263\306\305\173\307
+\125\106\164\074\220\201\016\112\216\131\235\124\260\110\261\122
+\114\073\230\356\253\332\064\267\123\315\111\332\057\353\225\276
+\014\127\021\366\226\114\004\171\134\231\325\345\344\276\157\352
+\107\356\121\113\357\042\046\256\265\330\021\252\103\273\170\277
+\013\176\264\335\317\164\035\045\251\211\143\261\342\064\201\304
+\210\065\070\342\002\015\017\023\311\325\052\202\025\360\212\304
+\103\062\126\344\123\035\035\254\266\317\175\233\226\135\036\144
+\351\164\163\304\126\344\026\112\122\155\222\071\323\341\115\016
+\077\142\271\336\255\265\035\145\271\135\122\376\135\011\251\234
+\264\244\014\331\057\105\166\245\317\216\152\232\236\252\260\021
+\241\353\141\306\353\077\036\374\146\264\022\235\106\177\062\026
+\211\276\161\105\257\221\041\331\375\223\277\264\002\221\102\377
+\111\037\355\213\025\150\335\037\216\254\233\335\202\005\234\104
+\151\026\144\027\126\137\101\017\112\117\004\017\145\120\206\223
+\227\354\105\277\135\302\034\334\317\304\330\072\346\170\005\320
+\305\125\125\251\136\376\253\072\041\273\345\162\024\367\013\002
+\003\001\000\001\243\201\302\060\201\277\060\035\006\003\125\035
+\016\004\026\004\024\051\040\313\361\303\017\332\006\216\023\223
+\207\376\137\140\032\051\273\363\266\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035
+\043\004\030\060\026\200\024\051\040\313\361\303\017\332\006\216
+\023\223\207\376\137\140\032\051\273\363\266\060\021\006\003\125
+\035\040\004\012\060\010\060\006\006\004\125\035\040\000\060\111
+\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206
+\070\150\164\164\160\072\057\057\143\162\154\056\163\147\164\162
+\165\163\164\163\145\162\166\151\143\145\163\056\143\157\155\057
+\162\141\143\151\156\145\055\107\162\157\165\160\145\123\107\057
+\114\141\164\145\163\164\103\122\114\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\015\006\011\052\206\110
+\206\367\015\001\001\013\005\000\003\202\002\001\000\114\106\147
+\340\104\120\365\305\266\272\262\121\012\045\023\035\267\307\210
+\056\037\271\053\144\240\313\223\210\122\131\252\140\365\314\051
+\122\027\377\004\347\067\264\061\021\106\176\053\036\154\247\213
+\074\107\232\136\364\252\135\220\073\105\075\237\112\311\212\173
+\216\300\356\076\171\213\222\243\310\224\112\270\050\021\153\246
+\045\137\135\275\307\310\373\203\117\125\061\346\134\360\023\174
+\343\275\177\052\054\067\067\224\111\257\204\037\024\047\242\130
+\020\217\012\071\067\032\022\040\101\217\031\366\251\037\031\355
+\262\064\262\255\175\063\104\213\137\012\007\103\362\166\105\105
+\055\255\344\215\016\000\375\004\010\252\347\153\373\027\275\260
+\010\126\016\065\052\162\360\263\347\115\072\117\015\334\363\140
+\022\263\070\144\214\333\371\341\046\215\057\357\116\350\044\107
+\076\066\064\212\151\017\050\153\213\207\306\275\205\046\371\323
+\353\151\041\126\140\221\326\367\340\142\302\250\161\256\056\336
+\146\043\265\122\106\246\244\110\067\054\177\001\026\127\021\367
+\047\015\016\345\017\326\220\105\341\036\077\041\334\322\374\026
+\030\023\076\115\152\262\046\152\100\136\045\170\375\070\364\254
+\130\172\067\033\230\100\004\307\216\311\324\304\147\141\261\230
+\256\360\315\016\334\271\257\145\203\173\012\004\212\077\141\252
+\367\135\101\206\346\306\114\302\117\072\134\126\352\050\073\247
+\104\317\310\112\144\365\162\140\055\343\103\270\112\340\165\074
+\062\344\252\026\327\021\271\301\105\331\233\146\143\146\345\042
+\267\064\356\272\325\164\057\045\144\363\201\124\313\167\336\127
+\324\223\343\254\007\061\072\076\134\003\203\127\123\307\360\376
+\150\330\045\120\115\022\310\346\341\225\215\147\253\074\223\077
+\027\002\272\070\327\236\367\060\245\075\075\104\001\063\032\232
+\237\216\320\237\361\356\060\210\163\357\256\044\031\272\227\163
+\025\301\354\161\014\204\144\265\173\354\274\151\076\244\155\011
+\026\066\312\112\071\212\313\247\173\306\035\176\347\063\210\311
+\276\060\155\234\205\225\041\351\107\073\006\176\201\342\352\106
+\346\160\130\200\346\250\362\235\013\151\321\063\211\131\060\363
+\144\323\013\366\316\053\011\373\175\020\166\056\020
+END
+
+# Trust for "SG TRUST SERVICES RACINE"
+# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
+# Serial Number:3e:d5:51:19:e6:4d:ce:7e
+# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
+# Not Valid Before: Mon Sep 06 12:53:42 2010
+# Not Valid After : Thu Sep 05 12:53:42 2030
+# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
+# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\014\142\217\134\125\160\261\311\127\372\375\070\077\260\075\173
+\175\327\271\306
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\045\357\317\110\112\204\267\060\237\140\323\035\126\221\057\341
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
+\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
+\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
+\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
+\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
+\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
+\013\060\011\006\003\125\004\006\023\002\106\122
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\076\325\121\031\346\115\316\176
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "ACCVRAIZ1"
+#
+# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
+# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+# Not Valid Before: Thu May 05 09:37:37 2011
+# Not Valid After : Tue Dec 31 09:37:37 2030
+# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
+# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ACCVRAIZ1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
+\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
+\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
+\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
+\023\002\105\123
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
+\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
+\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
+\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
+\023\002\105\123
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\136\303\267\246\103\177\244\340
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\007\323\060\202\005\273\240\003\002\001\002\002\010\136
+\303\267\246\103\177\244\340\060\015\006\011\052\206\110\206\367
+\015\001\001\005\005\000\060\102\061\022\060\020\006\003\125\004
+\003\014\011\101\103\103\126\122\101\111\132\061\061\020\060\016
+\006\003\125\004\013\014\007\120\113\111\101\103\103\126\061\015
+\060\013\006\003\125\004\012\014\004\101\103\103\126\061\013\060
+\011\006\003\125\004\006\023\002\105\123\060\036\027\015\061\061
+\060\065\060\065\060\071\063\067\063\067\132\027\015\063\060\061
+\062\063\061\060\071\063\067\063\067\132\060\102\061\022\060\020
+\006\003\125\004\003\014\011\101\103\103\126\122\101\111\132\061
+\061\020\060\016\006\003\125\004\013\014\007\120\113\111\101\103
+\103\126\061\015\060\013\006\003\125\004\012\014\004\101\103\103
+\126\061\013\060\011\006\003\125\004\006\023\002\105\123\060\202
+\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\233
+\251\253\277\141\112\227\257\057\227\146\232\164\137\320\331\226
+\375\317\342\344\146\357\037\037\107\063\302\104\243\337\232\336
+\037\265\124\335\025\174\151\065\021\157\273\310\014\216\152\030
+\036\330\217\331\026\274\020\110\066\134\360\143\263\220\132\134
+\044\067\327\243\326\313\011\161\271\361\001\162\204\260\175\333
+\115\200\315\374\323\157\311\370\332\266\016\202\322\105\205\250
+\033\150\250\075\350\364\104\154\275\241\302\313\003\276\214\076
+\023\000\204\337\112\110\300\343\042\012\350\351\067\247\030\114
+\261\011\015\043\126\177\004\115\331\027\204\030\245\310\332\100
+\224\163\353\316\016\127\074\003\201\072\235\012\241\127\103\151
+\254\127\155\171\220\170\345\265\264\073\330\274\114\215\050\241
+\247\243\247\272\002\116\045\321\052\256\355\256\003\042\270\153
+\040\017\060\050\124\225\177\340\356\316\012\146\235\321\100\055
+\156\042\257\235\032\301\005\031\322\157\300\362\237\370\173\263
+\002\102\373\120\251\035\055\223\017\043\253\306\301\017\222\377
+\320\242\025\365\123\011\161\034\377\105\023\204\346\046\136\370
+\340\210\034\012\374\026\266\250\163\006\270\360\143\204\002\240
+\306\132\354\347\164\337\160\256\243\203\045\352\326\307\227\207
+\223\247\306\212\212\063\227\140\067\020\076\227\076\156\051\025
+\326\241\017\321\210\054\022\237\157\252\244\306\102\353\101\242
+\343\225\103\323\001\205\155\216\273\073\363\043\066\307\376\073
+\340\241\045\007\110\253\311\211\164\377\010\217\200\277\300\226
+\145\363\356\354\113\150\275\235\210\303\061\263\100\361\350\317
+\366\070\273\234\344\321\177\324\345\130\233\174\372\324\363\016
+\233\165\221\344\272\122\056\031\176\321\365\315\132\031\374\272
+\006\366\373\122\250\113\231\004\335\370\371\264\213\120\243\116
+\142\211\360\207\044\372\203\102\301\207\372\325\055\051\052\132
+\161\172\144\152\327\047\140\143\015\333\316\111\365\215\037\220
+\211\062\027\370\163\103\270\322\132\223\206\141\326\341\165\012
+\352\171\146\166\210\117\161\353\004\045\326\012\132\172\223\345
+\271\113\027\100\017\261\266\271\365\336\117\334\340\263\254\073
+\021\160\140\204\112\103\156\231\040\300\051\161\012\300\145\002
+\003\001\000\001\243\202\002\313\060\202\002\307\060\175\006\010
+\053\006\001\005\005\007\001\001\004\161\060\157\060\114\006\010
+\053\006\001\005\005\007\060\002\206\100\150\164\164\160\072\057
+\057\167\167\167\056\141\143\143\166\056\145\163\057\146\151\154
+\145\141\144\155\151\156\057\101\162\143\150\151\166\157\163\057
+\143\145\162\164\151\146\151\143\141\144\157\163\057\162\141\151
+\172\141\143\143\166\061\056\143\162\164\060\037\006\010\053\006
+\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157
+\143\163\160\056\141\143\143\166\056\145\163\060\035\006\003\125
+\035\016\004\026\004\024\322\207\264\343\337\067\047\223\125\366
+\126\352\201\345\066\314\214\036\077\275\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125
+\035\043\004\030\060\026\200\024\322\207\264\343\337\067\047\223
+\125\366\126\352\201\345\066\314\214\036\077\275\060\202\001\163
+\006\003\125\035\040\004\202\001\152\060\202\001\146\060\202\001
+\142\006\004\125\035\040\000\060\202\001\130\060\202\001\042\006
+\010\053\006\001\005\005\007\002\002\060\202\001\024\036\202\001
+\020\000\101\000\165\000\164\000\157\000\162\000\151\000\144\000
+\141\000\144\000\040\000\144\000\145\000\040\000\103\000\145\000
+\162\000\164\000\151\000\146\000\151\000\143\000\141\000\143\000
+\151\000\363\000\156\000\040\000\122\000\141\000\355\000\172\000
+\040\000\144\000\145\000\040\000\154\000\141\000\040\000\101\000
+\103\000\103\000\126\000\040\000\050\000\101\000\147\000\145\000
+\156\000\143\000\151\000\141\000\040\000\144\000\145\000\040\000
+\124\000\145\000\143\000\156\000\157\000\154\000\157\000\147\000
+\355\000\141\000\040\000\171\000\040\000\103\000\145\000\162\000
+\164\000\151\000\146\000\151\000\143\000\141\000\143\000\151\000
+\363\000\156\000\040\000\105\000\154\000\145\000\143\000\164\000
+\162\000\363\000\156\000\151\000\143\000\141\000\054\000\040\000
+\103\000\111\000\106\000\040\000\121\000\064\000\066\000\060\000
+\061\000\061\000\065\000\066\000\105\000\051\000\056\000\040\000
+\103\000\120\000\123\000\040\000\145\000\156\000\040\000\150\000
+\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167\000
+\167\000\056\000\141\000\143\000\143\000\166\000\056\000\145\000
+\163\060\060\006\010\053\006\001\005\005\007\002\001\026\044\150
+\164\164\160\072\057\057\167\167\167\056\141\143\143\166\056\145
+\163\057\154\145\147\151\163\154\141\143\151\157\156\137\143\056
+\150\164\155\060\125\006\003\125\035\037\004\116\060\114\060\112
+\240\110\240\106\206\104\150\164\164\160\072\057\057\167\167\167
+\056\141\143\143\166\056\145\163\057\146\151\154\145\141\144\155
+\151\156\057\101\162\143\150\151\166\157\163\057\143\145\162\164
+\151\146\151\143\141\144\157\163\057\162\141\151\172\141\143\143
+\166\061\137\144\145\162\056\143\162\154\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\027\006\003\125\035
+\021\004\020\060\016\201\014\141\143\143\166\100\141\143\143\166
+\056\145\163\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\202\002\001\000\227\061\002\237\347\375\103\147\110
+\104\024\344\051\207\355\114\050\146\320\217\065\332\115\141\267
+\112\227\115\265\333\220\340\005\056\016\306\171\320\362\227\151
+\017\275\004\107\331\276\333\265\051\332\233\331\256\251\231\325
+\323\074\060\223\365\215\241\250\374\006\215\104\364\312\026\225
+\174\063\334\142\213\250\067\370\047\330\011\055\033\357\310\024
+\047\040\251\144\104\377\056\326\165\252\154\115\140\100\031\111
+\103\124\143\332\342\314\272\146\345\117\104\172\133\331\152\201
+\053\100\325\177\371\001\047\130\054\310\355\110\221\174\077\246
+\000\317\304\051\163\021\066\336\206\031\076\235\356\031\212\033
+\325\260\355\216\075\234\052\300\015\330\075\146\343\074\015\275
+\325\224\134\342\342\247\065\033\004\000\366\077\132\215\352\103
+\275\137\211\035\251\301\260\314\231\342\115\000\012\332\311\047
+\133\347\023\220\134\344\365\063\242\125\155\334\340\011\115\057
+\261\046\133\047\165\000\011\304\142\167\051\010\137\236\131\254
+\266\176\255\237\124\060\042\003\301\036\161\144\376\371\070\012
+\226\030\335\002\024\254\043\313\006\034\036\244\175\215\015\336
+\047\101\350\255\332\025\267\260\043\335\053\250\323\332\045\207
+\355\350\125\104\115\210\364\066\176\204\232\170\254\367\016\126
+\111\016\326\063\045\326\204\120\102\154\040\022\035\052\325\276
+\274\362\160\201\244\160\140\276\005\265\233\236\004\104\276\141
+\043\254\351\245\044\214\021\200\224\132\242\242\271\111\322\301
+\334\321\247\355\061\021\054\236\031\246\356\341\125\341\300\352
+\317\015\204\344\027\267\242\174\245\336\125\045\006\356\314\300
+\207\134\100\332\314\225\077\125\340\065\307\270\204\276\264\135
+\315\172\203\001\162\356\207\346\137\035\256\265\205\306\046\337
+\346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
+\167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
+\040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
+\013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
+\244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
+\302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
+\125\064\106\052\213\206\073
+END
+
+# Trust for "ACCVRAIZ1"
+# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
+# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+# Not Valid Before: Thu May 05 09:37:37 2011
+# Not Valid After : Tue Dec 31 09:37:37 2030
+# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
+# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ACCVRAIZ1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\223\005\172\210\025\306\117\316\210\057\372\221\026\122\050\170
+\274\123\144\027
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\320\240\132\356\005\266\011\224\041\241\175\361\262\051\202\002
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
+\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
+\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
+\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
+\023\002\105\123
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\136\303\267\246\103\177\244\340
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TWCA Global Root CA"
+#
+# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+# Serial Number: 3262 (0xcbe)
+# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+# Not Valid Before: Wed Jun 27 06:28:33 2012
+# Not Valid After : Tue Dec 31 15:59:59 2030
+# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
+# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TWCA Global Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
+\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
+\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
+\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
+\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
+\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
+\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
+\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
+\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\014\276
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\101\060\202\003\051\240\003\002\001\002\002\002\014
+\276\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
+\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
+\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
+\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
+\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
+\040\103\101\060\036\027\015\061\062\060\066\062\067\060\066\062
+\070\063\063\132\027\015\063\060\061\062\063\061\061\065\065\071
+\065\071\132\060\121\061\013\060\011\006\003\125\004\006\023\002
+\124\127\061\022\060\020\006\003\125\004\012\023\011\124\101\111
+\127\101\116\055\103\101\061\020\060\016\006\003\125\004\013\023
+\007\122\157\157\164\040\103\101\061\034\060\032\006\003\125\004
+\003\023\023\124\127\103\101\040\107\154\157\142\141\154\040\122
+\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
+\002\012\002\202\002\001\000\260\005\333\310\353\214\304\156\212
+\041\357\216\115\234\161\012\037\122\160\355\155\202\234\227\305
+\327\114\116\105\111\313\100\102\265\022\064\154\031\302\164\244
+\061\137\205\002\227\354\103\063\012\123\322\234\214\216\267\270
+\171\333\053\325\152\362\216\146\304\356\053\001\007\222\324\263
+\320\002\337\120\366\125\257\146\016\313\340\107\140\057\053\062
+\071\065\122\072\050\203\370\173\026\306\030\270\142\326\107\045
+\221\316\360\031\022\115\255\143\365\323\077\165\137\051\360\241
+\060\034\052\240\230\246\025\275\356\375\031\066\360\342\221\103
+\217\372\312\326\020\047\111\114\357\335\301\361\205\160\233\312
+\352\250\132\103\374\155\206\157\163\351\067\105\251\360\066\307
+\314\210\165\036\273\154\006\377\233\153\076\027\354\141\252\161
+\174\306\035\242\367\111\351\025\265\074\326\241\141\365\021\367
+\005\157\035\375\021\276\320\060\007\302\051\260\011\116\046\334
+\343\242\250\221\152\037\302\221\105\210\134\345\230\270\161\245
+\025\031\311\174\165\021\314\160\164\117\055\233\035\221\104\375
+\126\050\240\376\273\206\152\310\372\134\013\130\334\306\113\166
+\310\253\042\331\163\017\245\364\132\002\211\077\117\236\042\202
+\356\242\164\123\052\075\123\047\151\035\154\216\062\054\144\000
+\046\143\141\066\116\243\106\267\077\175\263\055\254\155\220\242
+\225\242\316\317\332\202\347\007\064\031\226\351\270\041\252\051
+\176\246\070\276\216\051\112\041\146\171\037\263\303\265\011\147
+\336\326\324\007\106\363\052\332\346\042\067\140\313\201\266\017
+\240\017\351\310\225\177\277\125\221\005\172\317\075\025\300\157
+\336\011\224\001\203\327\064\033\314\100\245\360\270\233\147\325
+\230\221\073\247\204\170\225\046\244\132\010\370\053\164\264\000
+\004\074\337\270\024\216\350\337\251\215\154\147\222\063\035\300
+\267\322\354\222\310\276\011\277\054\051\005\157\002\153\236\357
+\274\277\052\274\133\300\120\217\101\160\161\207\262\115\267\004
+\251\204\243\062\257\256\356\153\027\213\262\261\376\154\341\220
+\214\210\250\227\110\316\310\115\313\363\006\317\137\152\012\102
+\261\036\036\167\057\216\240\346\222\016\006\374\005\042\322\046
+\341\061\121\175\062\334\017\002\003\001\000\001\243\043\060\041
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
+\003\202\002\001\000\137\064\201\166\357\226\035\325\345\265\331
+\002\143\204\026\301\256\240\160\121\247\367\114\107\065\310\013
+\327\050\075\211\161\331\252\063\101\352\024\033\154\041\000\300
+\154\102\031\176\237\151\133\040\102\337\242\322\332\304\174\227
+\113\215\260\350\254\310\356\245\151\004\231\012\222\246\253\047
+\056\032\115\201\277\204\324\160\036\255\107\376\375\112\235\063
+\340\362\271\304\105\010\041\012\332\151\151\163\162\015\276\064
+\376\224\213\255\303\036\065\327\242\203\357\345\070\307\245\205
+\037\253\317\064\354\077\050\376\014\361\127\206\116\311\125\367
+\034\324\330\245\175\006\172\157\325\337\020\337\201\116\041\145
+\261\266\341\027\171\225\105\006\316\137\314\334\106\211\143\150
+\104\215\223\364\144\160\240\075\235\050\005\303\071\160\270\142
+\173\040\375\344\333\351\010\241\270\236\075\011\307\117\373\054
+\370\223\166\101\336\122\340\341\127\322\235\003\274\167\236\376
+\236\051\136\367\301\121\140\037\336\332\013\262\055\165\267\103
+\110\223\347\366\171\306\204\135\200\131\140\224\374\170\230\217
+\074\223\121\355\100\220\007\337\144\143\044\313\116\161\005\241
+\327\224\032\210\062\361\042\164\042\256\245\246\330\022\151\114
+\140\243\002\356\053\354\324\143\222\013\136\276\057\166\153\243
+\266\046\274\217\003\330\012\362\114\144\106\275\071\142\345\226
+\353\064\143\021\050\314\225\361\255\357\357\334\200\130\110\351
+\113\270\352\145\254\351\374\200\265\265\310\105\371\254\301\237
+\331\271\352\142\210\216\304\361\113\203\022\255\346\213\204\326
+\236\302\353\203\030\237\152\273\033\044\140\063\160\314\354\367
+\062\363\134\331\171\175\357\236\244\376\311\043\303\044\356\025
+\222\261\075\221\117\046\206\275\146\163\044\023\352\244\256\143
+\301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
+\225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
+\272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
+\150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
+\246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
+\311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
+\053\006\320\004\315
+END
+
+# Trust for "TWCA Global Root CA"
+# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+# Serial Number: 3262 (0xcbe)
+# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+# Not Valid Before: Wed Jun 27 06:28:33 2012
+# Not Valid After : Tue Dec 31 15:59:59 2030
+# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
+# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TWCA Global Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\234\273\110\123\366\244\366\323\122\244\350\062\122\125\140\023
+\365\255\257\145
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\371\003\176\317\346\236\074\163\172\052\220\007\151\377\053\226
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
+\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
+\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
+\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
+\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\014\276
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 95
-#define NSS_BUILTINS_LIBRARY_VERSION "1.95"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96
+#define NSS_BUILTINS_LIBRARY_VERSION "1.96"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
extern SECStatus RSA_PopulatePrivateKey(RSAPrivateKey *key);
/********************************************************************
+** RSA algorithm
+*/
+
+/********************************************************************
+** Raw signing/encryption/decryption operations.
+**
+** No padding or formatting will be applied.
+** inputLen MUST be equivalent to the modulus size (in bytes).
+*/
+extern SECStatus
+RSA_SignRaw(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+extern SECStatus
+RSA_CheckSignRaw(RSAPublicKey * key,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * hash,
+ unsigned int hashLen);
+
+extern SECStatus
+RSA_CheckSignRecoverRaw(RSAPublicKey * key,
+ unsigned char * data,
+ unsigned int * dataLen,
+ unsigned int maxDataLen,
+ const unsigned char * sig,
+ unsigned int sigLen);
+
+extern SECStatus
+RSA_EncryptRaw(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+extern SECStatus
+RSA_DecryptRaw(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+/********************************************************************
+** RSAES-OAEP encryption/decryption, as defined in RFC 3447, Section 7.1.
+**
+** Note: Only MGF1 is supported as the mask generation function. It will be
+** used with maskHashAlg as the inner hash function.
+**
+** Unless performing Known Answer Tests, "seed" should be NULL, indicating that
+** freebl should generate a random value. Otherwise, it should be an octet
+** string of seedLen bytes, which should be the same size as the output of
+** hashAlg.
+*/
+extern SECStatus
+RSA_EncryptOAEP(RSAPublicKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen,
+ const unsigned char * seed,
+ unsigned int seedLen,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+extern SECStatus
+RSA_DecryptOAEP(RSAPrivateKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+/********************************************************************
+** RSAES-PKCS1-v1_5 encryption/decryption, as defined in RFC 3447, Section 7.2.
+*/
+extern SECStatus
+RSA_EncryptBlock(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+extern SECStatus
+RSA_DecryptBlock(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+/********************************************************************
+** RSASSA-PSS signing/verifying, as defined in RFC 3447, Section 8.1.
+**
+** Note: Only MGF1 is supported as the mask generation function. It will be
+** used with maskHashAlg as the inner hash function.
+**
+** Unless performing Known Answer Tests, "salt" should be NULL, indicating that
+** freebl should generate a random value.
+*/
+extern SECStatus
+RSA_SignPSS(RSAPrivateKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * salt,
+ unsigned int saltLen,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen);
+
+extern SECStatus
+RSA_CheckSignPSS(RSAPublicKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ unsigned int saltLen,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * hash,
+ unsigned int hashLen);
+
+/********************************************************************
+** RSASSA-PKCS1-v1_5 signing/verifying, as defined in RFC 3447, Section 8.2.
+**
+** These functions expect as input to be the raw value to be signed. For most
+** cases using PKCS1-v1_5, this should be the value of T, the DER-encoded
+** DigestInfo structure defined in Section 9.2, Step 2.
+** Note: This can also be used for signatures that use PKCS1-v1_5 padding, such
+** as the signatures used in SSL/TLS, which sign a raw hash.
+*/
+extern SECStatus
+RSA_Sign(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * data,
+ unsigned int dataLen);
+
+extern SECStatus
+RSA_CheckSign(RSAPublicKey * key,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * data,
+ unsigned int dataLen);
+
+extern SECStatus
+RSA_CheckSignRecover(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * sig,
+ unsigned int sigLen);
+
+/********************************************************************
** DSA signing algorithm
*/
SECItem *derivedSecret,
unsigned int outBytes)
{
- mp_int p, Xa, Yb, ZZ;
+ mp_int p, Xa, Yb, ZZ, psub1;
mp_err err = MP_OKAY;
int len = 0;
unsigned int nb;
MP_DIGITS(&Xa) = 0;
MP_DIGITS(&Yb) = 0;
MP_DIGITS(&ZZ) = 0;
+ MP_DIGITS(&psub1) = 0;
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&Xa) );
CHECK_MPI_OK( mp_init(&Yb) );
CHECK_MPI_OK( mp_init(&ZZ) );
+ CHECK_MPI_OK( mp_init(&psub1) );
SECITEM_TO_MPINT(*publicValue, &Yb);
SECITEM_TO_MPINT(*privateValue, &Xa);
SECITEM_TO_MPINT(*prime, &p);
+ CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
+
+ /* We assume that the modulus, p, is a safe prime. That is, p = 2q+1 where
+ * q is also a prime. Thus the orders of the subgroups are factors of 2q:
+ * namely 1, 2, q and 2q.
+ *
+ * We check that the peer's public value isn't zero (which isn't in the
+ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
+ * also check that the public value is less than p, to avoid being fooled
+ * by values like p+1 or 2*p-1.
+ *
+ * Thus we must be operating in the subgroup of size q or 2q. */
+ if (mp_cmp_d(&Yb, 1) <= 0 ||
+ mp_cmp(&Yb, &psub1) >= 0) {
+ err = MP_BADARG;
+ goto cleanup;
+ }
+
/* ZZ = (Yb)**Xa mod p */
CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
/* number of bytes in the derived secret */
mp_clear(&Xa);
mp_clear(&Yb);
mp_clear(&ZZ);
+ mp_clear(&psub1);
if (secret) {
/* free the buffer allocated for the full secret. */
PORT_ZFree(secret, len);
/* End of Version 3.014 */
HMAC_ConstantTime,
- SSLv3_MAC_ConstantTime
+ SSLv3_MAC_ConstantTime,
/* End of Version 3.015 */
+
+ RSA_SignRaw,
+ RSA_CheckSignRaw,
+ RSA_CheckSignRecoverRaw,
+ RSA_EncryptRaw,
+ RSA_DecryptRaw,
+ RSA_EncryptOAEP,
+ RSA_DecryptOAEP,
+ RSA_EncryptBlock,
+ RSA_DecryptBlock,
+ RSA_SignPSS,
+ RSA_CheckSignPSS,
+ RSA_Sign,
+ RSA_CheckSign,
+ RSA_CheckSignRecover
+
+ /* End of Version 3.016 */
};
const FREEBLVector *
header, headerLen,
body, bodyLen, bodyTotalLen);
}
+
+SECStatus RSA_SignRaw(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_SignRaw)(key, output, outputLen, maxOutputLen, input,
+ inputLen);
+}
+
+SECStatus RSA_CheckSignRaw(RSAPublicKey *key,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *hash,
+ unsigned int hashLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_CheckSignRaw)(key, sig, sigLen, hash, hashLen);
+}
+
+SECStatus RSA_CheckSignRecoverRaw(RSAPublicKey *key,
+ unsigned char *data,
+ unsigned int *dataLen,
+ unsigned int maxDataLen,
+ const unsigned char *sig,
+ unsigned int sigLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_CheckSignRecoverRaw)(key, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+SECStatus RSA_EncryptRaw(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_EncryptRaw)(key, output, outputLen, maxOutputLen,
+ input, inputLen);
+}
+
+SECStatus RSA_DecryptRaw(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_DecryptRaw)(key, output, outputLen, maxOutputLen,
+ input, inputLen);
+
+}
+
+SECStatus RSA_EncryptOAEP(RSAPublicKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *label,
+ unsigned int labelLen,
+ const unsigned char *seed,
+ unsigned int seedLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_EncryptOAEP)(key, hashAlg, maskHashAlg, label,
+ labelLen, seed, seedLen, output,
+ outputLen, maxOutputLen, input, inputLen);
+}
+
+SECStatus RSA_DecryptOAEP(RSAPrivateKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *label,
+ unsigned int labelLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_DecryptOAEP)(key, hashAlg, maskHashAlg, label,
+ labelLen, output, outputLen,
+ maxOutputLen, input, inputLen);
+}
+
+SECStatus RSA_EncryptBlock(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_EncryptBlock)(key, output, outputLen, maxOutputLen,
+ input, inputLen);
+}
+
+SECStatus RSA_DecryptBlock(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_DecryptBlock)(key, output, outputLen, maxOutputLen,
+ input, inputLen);
+}
+
+SECStatus RSA_SignPSS(RSAPrivateKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *salt,
+ unsigned int saltLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_SignPSS)(key, hashAlg, maskHashAlg, salt, saltLen,
+ output, outputLen, maxOutputLen, input,
+ inputLen);
+}
+
+SECStatus RSA_CheckSignPSS(RSAPublicKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ unsigned int saltLen,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *hash,
+ unsigned int hashLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_CheckSignPSS)(key, hashAlg, maskHashAlg, saltLen,
+ sig, sigLen, hash, hashLen);
+}
+
+SECStatus RSA_Sign(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_Sign)(key, output, outputLen, maxOutputLen, input,
+ inputLen);
+}
+
+SECStatus RSA_CheckSign(RSAPublicKey *key,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *data,
+ unsigned int dataLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_CheckSign)(key, sig, sigLen, data, dataLen);
+
+}
+
+SECStatus RSA_CheckSignRecover(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *sig,
+ unsigned int sigLen) {
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_RSA_CheckSignRecover)(key, output, outputLen, maxOutputLen,
+ sig, sigLen);
+}
#include "blapi.h"
-#define FREEBL_VERSION 0x030F
+#define FREEBL_VERSION 0x0310
struct FREEBLVectorStr {
unsigned int bodyTotalLen);
/* Version 3.015 came to here */
+
+ SECStatus (* p_RSA_SignRaw)(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_CheckSignRaw)(RSAPublicKey *key,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *hash,
+ unsigned int hashLen);
+ SECStatus (* p_RSA_CheckSignRecoverRaw)(RSAPublicKey *key,
+ unsigned char *data,
+ unsigned int *dataLen,
+ unsigned int maxDataLen,
+ const unsigned char *sig,
+ unsigned int sigLen);
+ SECStatus (* p_RSA_EncryptRaw)(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_DecryptRaw)(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_EncryptOAEP)(RSAPublicKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *label,
+ unsigned int labelLen,
+ const unsigned char *seed,
+ unsigned int seedLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_DecryptOAEP)(RSAPrivateKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *label,
+ unsigned int labelLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_EncryptBlock)(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_DecryptBlock)(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_SignPSS)(RSAPrivateKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char *salt,
+ unsigned int saltLen,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_CheckSignPSS)(RSAPublicKey *key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ unsigned int saltLen,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *hash,
+ unsigned int hashLen);
+ SECStatus (* p_RSA_Sign)(RSAPrivateKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input,
+ unsigned int inputLen);
+ SECStatus (* p_RSA_CheckSign)(RSAPublicKey *key,
+ const unsigned char *sig,
+ unsigned int sigLen,
+ const unsigned char *data,
+ unsigned int dataLen);
+ SECStatus (* p_RSA_CheckSignRecover)(RSAPublicKey *key,
+ unsigned char *output,
+ unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *sig,
+ unsigned int sigLen);
+
+ /* Version 3.016 came to here */
+
+ /* Add new function pointers at the end of this struct and bump
+ * FREEBL_VERSION at the beginning of this file. */
};
typedef struct FREEBLVectorStr FREEBLVector;
pqg.c \
dsa.c \
rsa.c \
+ rsapkcs.c \
shvfy.c \
tlsprfalg.c \
seed.c \
static int has_intel_avx = 0;
static int has_intel_clmul = 0;
static PRBool use_hw_aes = PR_FALSE;
-static PRBool use_hw_avx = PR_FALSE;
static PRBool use_hw_gcm = PR_FALSE;
#endif
}
+#if USE_HW_AES
+/*
+ * Adapted from the example code in "How to detect New Instruction support in
+ * the 4th generation Intel Core processor family" by Max Locktyukhin.
+ */
+static PRBool
+check_xcr0_ymm()
+{
+ PRUint32 xcr0;
+#if defined(_MSC_VER)
+ xcr0 = (PRUint32)_xgetbv(0); /* Requires VS2010 SP1 or later. */
+#else
+ __asm__ ("xgetbv" : "=a" (xcr0) : "c" (0) : "%edx");
+#endif
+ /* Check if xmm and ymm state are enabled in XCR0. */
+ return (xcr0 & 6) == 6;
+}
+#endif
+
/*
** Initialize a new AES context suitable for AES encryption/decryption in
** the ECB or CBC mode.
freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
- has_intel_avx = (ecx & (1 << 28)) != 0 ? 1 : -1;
+ if ((ecx & (1 << 27)) != 0 && (ecx & (1 << 28)) != 0 &&
+ check_xcr0_ymm()) {
+ has_intel_avx = 1;
+ } else {
+ has_intel_avx = -1;
+ }
} else {
has_intel_aes = -1;
has_intel_avx = -1;
--- /dev/null
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * RSA PKCS#1 v2.1 (RFC 3447) operations
+ */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "secerr.h"
+
+#include "blapi.h"
+#include "secitem.h"
+#include "blapii.h"
+
+#define RSA_BLOCK_MIN_PAD_LEN 8
+#define RSA_BLOCK_FIRST_OCTET 0x00
+#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
+#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
+
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+ RSA_BlockUnused = 0, /* unused */
+ RSA_BlockPrivate = 1, /* pad for a private-key operation */
+ RSA_BlockPublic = 2, /* pad for a public-key operation */
+ RSA_BlockRaw = 4, /* simply justify the block appropriately */
+ RSA_BlockTotal
+} RSA_BlockType;
+
+/* Needed for RSA-PSS functions */
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+/* Constant time comparison of a single byte.
+ * Returns 1 iff a == b, otherwise returns 0.
+ * Note: For ranges of bytes, use constantTimeCompare.
+ */
+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
+ unsigned char c = ~((a - b) | (b - a));
+ c >>= 7;
+ return c;
+}
+
+/* Constant time comparison of a range of bytes.
+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
+ * returns 0.
+ */
+static unsigned char constantTimeCompare(const unsigned char *a,
+ const unsigned char *b,
+ unsigned int len) {
+ unsigned char tmp = 0;
+ unsigned int i;
+ for (i = 0; i < len; ++i, ++a, ++b)
+ tmp |= *a ^ *b;
+ return constantTimeEQ8(0x00, tmp);
+}
+
+/* Constant time conditional.
+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
+ * not 0 or 1.
+ */
+static unsigned int constantTimeCondition(unsigned int c,
+ unsigned int a,
+ unsigned int b)
+{
+ return (~(c - 1) & a) | ((c - 1) & b);
+}
+
+static unsigned int
+rsa_modulusLen(SECItem * modulus)
+{
+ unsigned char byteZero = modulus->data[0];
+ unsigned int modLen = modulus->len - !byteZero;
+ return modLen;
+}
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1.
+ */
+static unsigned char *
+rsa_FormatOneBlock(unsigned modulusLen,
+ RSA_BlockType blockType,
+ SECItem * data)
+{
+ unsigned char *block;
+ unsigned char *bp;
+ int padLen;
+ int i, j;
+ SECStatus rv;
+
+ block = (unsigned char *) PORT_Alloc(modulusLen);
+ if (block == NULL)
+ return NULL;
+
+ bp = block;
+
+ /*
+ * All RSA blocks start with two octets:
+ * 0x00 || BlockType
+ */
+ *bp++ = RSA_BLOCK_FIRST_OCTET;
+ *bp++ = (unsigned char) blockType;
+
+ switch (blockType) {
+
+ /*
+ * Blocks intended for private-key operation.
+ */
+ case RSA_BlockPrivate: /* preferred method */
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ * 1 1 padLen 1 data->len
+ * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+ */
+ padLen = modulusLen - data->len - 3;
+ PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+ PORT_Free(block);
+ return NULL;
+ }
+ PORT_Memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
+ bp += padLen;
+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+ PORT_Memcpy(bp, data->data, data->len);
+ break;
+
+ /*
+ * Blocks intended for public-key operation.
+ */
+ case RSA_BlockPublic:
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ * 1 1 padLen 1 data->len
+ * Pad is all non-zero random bytes.
+ *
+ * Build the block left to right.
+ * Fill the entire block from Pad to the end with random bytes.
+ * Use the bytes after Pad as a supply of extra random bytes from
+ * which to find replacements for the zero bytes in Pad.
+ * If we need more than that, refill the bytes after Pad with
+ * new random bytes as necessary.
+ */
+ padLen = modulusLen - (data->len + 3);
+ PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+ PORT_Free(block);
+ return NULL;
+ }
+ j = modulusLen - 2;
+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
+ if (rv == SECSuccess) {
+ for (i = 0; i < padLen; ) {
+ unsigned char repl;
+ /* Pad with non-zero random data. */
+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+ ++i;
+ continue;
+ }
+ if (j <= padLen) {
+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
+ modulusLen - (2 + padLen));
+ if (rv != SECSuccess)
+ break;
+ j = modulusLen - 2;
+ }
+ do {
+ repl = bp[--j];
+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
+ bp[i++] = repl;
+ }
+ }
+ }
+ if (rv != SECSuccess) {
+ PORT_Free(block);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return NULL;
+ }
+ bp += padLen;
+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+ PORT_Memcpy(bp, data->data, data->len);
+ break;
+
+ default:
+ PORT_Assert(0);
+ PORT_Free(block);
+ return NULL;
+ }
+
+ return block;
+}
+
+static SECStatus
+rsa_FormatBlock(SECItem * result,
+ unsigned modulusLen,
+ RSA_BlockType blockType,
+ SECItem * data)
+{
+ switch (blockType) {
+ case RSA_BlockPrivate:
+ case RSA_BlockPublic:
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ *
+ * The "3" below is the first octet + the second octet + the 0x00
+ * octet that always comes just before the ActualData.
+ */
+ PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+
+ result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+ if (result->data == NULL) {
+ result->len = 0;
+ return SECFailure;
+ }
+ result->len = modulusLen;
+
+ break;
+
+ case RSA_BlockRaw:
+ /*
+ * Pad || ActualData
+ * Pad is zeros. The application is responsible for recovering
+ * the actual data.
+ */
+ if (data->len > modulusLen ) {
+ return SECFailure;
+ }
+ result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+ result->len = modulusLen;
+ PORT_Memcpy(result->data + (modulusLen - data->len),
+ data->data, data->len);
+ break;
+
+ default:
+ PORT_Assert(0);
+ result->data = NULL;
+ result->len = 0;
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+/*
+ * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
+ */
+static SECStatus
+MGF1(HASH_HashType hashAlg,
+ unsigned char * mask,
+ unsigned int maskLen,
+ const unsigned char * mgfSeed,
+ unsigned int mgfSeedLen)
+{
+ unsigned int digestLen;
+ PRUint32 counter;
+ PRUint32 rounds;
+ unsigned char * tempHash;
+ unsigned char * temp;
+ const SECHashObject * hash;
+ void * hashContext;
+ unsigned char C[4];
+
+ hash = HASH_GetRawHashObject(hashAlg);
+ if (hash == NULL)
+ return SECFailure;
+
+ hashContext = (*hash->create)();
+ rounds = (maskLen + hash->length - 1) / hash->length;
+ for (counter = 0; counter < rounds; counter++) {
+ C[0] = (unsigned char)((counter >> 24) & 0xff);
+ C[1] = (unsigned char)((counter >> 16) & 0xff);
+ C[2] = (unsigned char)((counter >> 8) & 0xff);
+ C[3] = (unsigned char)(counter & 0xff);
+
+ /* This could be optimized when the clone functions in
+ * rawhash.c are implemented. */
+ (*hash->begin)(hashContext);
+ (*hash->update)(hashContext, mgfSeed, mgfSeedLen);
+ (*hash->update)(hashContext, C, sizeof C);
+
+ tempHash = mask + counter * hash->length;
+ if (counter != (rounds - 1)) {
+ (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
+ } else { /* we're in the last round and need to cut the hash */
+ temp = (unsigned char *)PORT_Alloc(hash->length);
+ (*hash->end)(hashContext, temp, &digestLen, hash->length);
+ PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
+ PORT_Free(temp);
+ }
+ }
+ (*hash->destroy)(hashContext, PR_TRUE);
+
+ return SECSuccess;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_SignRaw(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * data,
+ unsigned int dataLen)
+{
+ SECStatus rv = SECSuccess;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ SECItem formatted;
+ SECItem unformatted;
+
+ if (maxOutputLen < modulusLen)
+ return SECFailure;
+
+ unformatted.len = dataLen;
+ unformatted.data = (unsigned char*)data;
+ formatted.data = NULL;
+ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
+ if (rv != SECSuccess)
+ goto done;
+
+ rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
+ *outputLen = modulusLen;
+
+done:
+ if (formatted.data != NULL)
+ PORT_ZFree(formatted.data, modulusLen);
+ return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRaw(RSAPublicKey * key,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * hash,
+ unsigned int hashLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned char * buffer;
+
+ if (sigLen != modulusLen)
+ goto failure;
+ if (hashLen > modulusLen)
+ goto failure;
+
+ buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+ if (!buffer)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, buffer, sig);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /*
+ * make sure we get the same results
+ */
+ /* XXX(rsleevi): Constant time */
+ /* NOTE: should we verify the leading zeros? */
+ if (PORT_Memcmp(buffer + (modulusLen - hashLen), hash, hashLen) != 0)
+ goto loser;
+
+ PORT_Free(buffer);
+ return SECSuccess;
+
+loser:
+ PORT_Free(buffer);
+failure:
+ return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecoverRaw(RSAPublicKey * key,
+ unsigned char * data,
+ unsigned int * dataLen,
+ unsigned int maxDataLen,
+ const unsigned char * sig,
+ unsigned int sigLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+
+ if (sigLen != modulusLen)
+ goto failure;
+ if (maxDataLen < modulusLen)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, data, sig);
+ if (rv != SECSuccess)
+ goto failure;
+
+ *dataLen = modulusLen;
+ return SECSuccess;
+
+failure:
+ return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptRaw(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ SECItem formatted;
+ SECItem unformatted;
+
+ formatted.data = NULL;
+ if (maxOutputLen < modulusLen)
+ goto failure;
+
+ unformatted.len = inputLen;
+ unformatted.data = (unsigned char*)input;
+ formatted.data = NULL;
+ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
+ if (rv != SECSuccess)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, output, formatted.data);
+ if (rv != SECSuccess)
+ goto failure;
+
+ PORT_ZFree(formatted.data, modulusLen);
+ *outputLen = modulusLen;
+ return SECSuccess;
+
+failure:
+ if (formatted.data != NULL)
+ PORT_ZFree(formatted.data, modulusLen);
+ return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptRaw(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+
+ if (modulusLen > maxOutputLen)
+ goto failure;
+ if (inputLen != modulusLen)
+ goto failure;
+
+ rv = RSA_PrivateKeyOp(key, output, input);
+ if (rv != SECSuccess)
+ goto failure;
+
+ *outputLen = modulusLen;
+ return SECSuccess;
+
+failure:
+ return SECFailure;
+}
+
+/*
+ * Decodes an EME-OAEP encoded block, validating the encoding in constant
+ * time.
+ * Described in RFC 3447, section 7.1.2.
+ * input contains the encoded block, after decryption.
+ * label is the optional value L that was associated with the message.
+ * On success, the original message and message length will be stored in
+ * output and outputLen.
+ */
+static SECStatus
+eme_oaep_decode(unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen)
+{
+ const SECHashObject * hash;
+ void * hashContext;
+ SECStatus rv = SECFailure;
+ unsigned char labelHash[HASH_LENGTH_MAX];
+ unsigned int i;
+ unsigned int maskLen;
+ unsigned int paddingOffset;
+ unsigned char * mask = NULL;
+ unsigned char * tmpOutput = NULL;
+ unsigned char isGood;
+ unsigned char foundPaddingEnd;
+
+ hash = HASH_GetRawHashObject(hashAlg);
+
+ /* 1.c */
+ if (inputLen < (hash->length * 2) + 2) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ /* Step 3.a - Generate lHash */
+ hashContext = (*hash->create)();
+ if (hashContext == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ (*hash->begin)(hashContext);
+ if (labelLen > 0)
+ (*hash->update)(hashContext, label, labelLen);
+ (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
+ (*hash->destroy)(hashContext, PR_TRUE);
+
+ tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
+ if (tmpOutput == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto done;
+ }
+
+ maskLen = inputLen - hash->length - 1;
+ mask = (unsigned char*)PORT_Alloc(maskLen);
+ if (mask == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto done;
+ }
+
+ PORT_Memcpy(tmpOutput, input, inputLen);
+
+ /* 3.c - Generate seedMask */
+ MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
+ inputLen - hash->length - 1);
+ /* 3.d - Unmask seed */
+ for (i = 0; i < hash->length; ++i)
+ tmpOutput[1 + i] ^= mask[i];
+
+ /* 3.e - Generate dbMask */
+ MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
+ /* 3.f - Unmask DB */
+ for (i = 0; i < maskLen; ++i)
+ tmpOutput[1 + hash->length + i] ^= mask[i];
+
+ /* 3.g - Compare Y, lHash, and PS in constant time
+ * Warning: This code is timing dependent and must not disclose which of
+ * these were invalid.
+ */
+ paddingOffset = 0;
+ isGood = 1;
+ foundPaddingEnd = 0;
+
+ /* Compare Y */
+ isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
+
+ /* Compare lHash and lHash' */
+ isGood &= constantTimeCompare(&labelHash[0],
+ &tmpOutput[1 + hash->length],
+ hash->length);
+
+ /* Compare that the padding is zero or more zero octets, followed by a
+ * 0x01 octet */
+ for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
+ unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
+ unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
+ /* non-constant time equivalent:
+ * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
+ * paddingOffset = i;
+ */
+ paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
+ paddingOffset);
+ /* non-constant time equivalent:
+ * if (tmpOutput[i] == 0x01)
+ * foundPaddingEnd = true;
+ *
+ * Note: This may yield false positives, as it will be set whenever
+ * a 0x01 byte is encountered. If there was bad padding (eg:
+ * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
+ * paddingOffset will still be set to 2.
+ */
+ foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
+ /* non-constant time equivalent:
+ * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
+ * !foundPaddingEnd) {
+ * isGood = false;
+ * }
+ *
+ * Note: This may yield false positives, as a message (and padding)
+ * that is entirely zeros will result in isGood still being true. Thus
+ * it's necessary to check foundPaddingEnd is positive below.
+ */
+ isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
+ }
+
+ /* While both isGood and foundPaddingEnd may have false positives, they
+ * cannot BOTH have false positives. If both are not true, then an invalid
+ * message was received. Note, this comparison must still be done in constant
+ * time so as not to leak either condition.
+ */
+ if (!(isGood & foundPaddingEnd)) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ goto done;
+ }
+
+ /* End timing dependent code */
+
+ ++paddingOffset; /* Skip the 0x01 following the end of PS */
+
+ *outputLen = inputLen - paddingOffset;
+ if (*outputLen > maxOutputLen) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ goto done;
+ }
+
+ if (*outputLen)
+ PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
+ rv = SECSuccess;
+
+done:
+ if (mask)
+ PORT_ZFree(mask, maskLen);
+ if (tmpOutput)
+ PORT_ZFree(tmpOutput, inputLen);
+ return rv;
+}
+
+/*
+ * Generate an EME-OAEP encoded block for encryption
+ * Described in RFC 3447, section 7.1.1
+ * We use input instead of M for the message to be encrypted
+ * label is the optional value L to be associated with the message.
+ */
+static SECStatus
+eme_oaep_encode(unsigned char * em,
+ unsigned int emLen,
+ const unsigned char * input,
+ unsigned int inputLen,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen,
+ const unsigned char * seed,
+ unsigned int seedLen)
+{
+ const SECHashObject * hash;
+ void * hashContext;
+ SECStatus rv;
+ unsigned char * mask;
+ unsigned int reservedLen;
+ unsigned int dbMaskLen;
+ unsigned int i;
+
+ hash = HASH_GetRawHashObject(hashAlg);
+ PORT_Assert(seed == NULL || seedLen == hash->length);
+
+ /* Step 1.b */
+ reservedLen = (2 * hash->length) + 2;
+ if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ /*
+ * From RFC 3447, Section 7.1
+ * +----------+---------+-------+
+ * DB = | lHash | PS | M |
+ * +----------+---------+-------+
+ * |
+ * +----------+ V
+ * | seed |--> MGF ---> xor
+ * +----------+ |
+ * | |
+ * +--+ V |
+ * |00| xor <----- MGF <-----|
+ * +--+ | |
+ * | | |
+ * V V V
+ * +--+----------+----------------------------+
+ * EM = |00|maskedSeed| maskedDB |
+ * +--+----------+----------------------------+
+ *
+ * We use mask to hold the result of the MGF functions, and all other
+ * values are generated in their final resting place.
+ */
+ *em = 0x00;
+
+ /* Step 2.a - Generate lHash */
+ hashContext = (*hash->create)();
+ if (hashContext == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ (*hash->begin)(hashContext);
+ if (labelLen > 0)
+ (*hash->update)(hashContext, label, labelLen);
+ (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
+ (*hash->destroy)(hashContext, PR_TRUE);
+
+ /* Step 2.b - Generate PS */
+ if (emLen - reservedLen - inputLen > 0) {
+ PORT_Memset(em + 1 + (hash->length * 2), 0x00,
+ emLen - reservedLen - inputLen);
+ }
+
+ /* Step 2.c. - Generate DB
+ * DB = lHash || PS || 0x01 || M
+ * Note that PS and lHash have already been placed into em at their
+ * appropriate offsets. This just copies M into place
+ */
+ em[emLen - inputLen - 1] = 0x01;
+ if (inputLen)
+ PORT_Memcpy(em + emLen - inputLen, input, inputLen);
+
+ if (seed == NULL) {
+ /* Step 2.d - Generate seed */
+ rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ } else {
+ /* For Known Answer Tests, copy the supplied seed. */
+ PORT_Memcpy(em + 1, seed, seedLen);
+ }
+
+ /* Step 2.e - Generate dbMask*/
+ dbMaskLen = emLen - hash->length - 1;
+ mask = (unsigned char*)PORT_Alloc(dbMaskLen);
+ if (mask == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
+ /* Step 2.f - Compute maskedDB*/
+ for (i = 0; i < dbMaskLen; ++i)
+ em[1 + hash->length + i] ^= mask[i];
+
+ /* Step 2.g - Generate seedMask */
+ MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
+ /* Step 2.h - Compute maskedSeed */
+ for (i = 0; i < hash->length; ++i)
+ em[1 + i] ^= mask[i];
+
+ PORT_ZFree(mask, dbMaskLen);
+ return SECSuccess;
+}
+
+SECStatus
+RSA_EncryptOAEP(RSAPublicKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen,
+ const unsigned char * seed,
+ unsigned int seedLen,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned char * oaepEncoded = NULL;
+
+ if (maxOutputLen < modulusLen) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ if ((labelLen == 0 && label != NULL) ||
+ (labelLen > 0 && label == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+ if (oaepEncoded == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
+ hashAlg, maskHashAlg, label, labelLen, seed, seedLen);
+ if (rv != SECSuccess)
+ goto done;
+
+ rv = RSA_PublicKeyOp(key, output, oaepEncoded);
+ if (rv != SECSuccess)
+ goto done;
+ *outputLen = modulusLen;
+
+done:
+ PORT_Free(oaepEncoded);
+ return rv;
+}
+
+SECStatus
+RSA_DecryptOAEP(RSAPrivateKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * label,
+ unsigned int labelLen,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned char * oaepEncoded = NULL;
+
+ if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ if (inputLen != modulusLen) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ if ((labelLen == 0 && label != NULL) ||
+ (labelLen > 0 && label == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+ if (oaepEncoded == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ rv = RSA_PrivateKeyOpDoubleChecked(key, oaepEncoded, input);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+ rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
+ modulusLen, hashAlg, maskHashAlg, label,
+ labelLen);
+
+done:
+ if (oaepEncoded)
+ PORT_ZFree(oaepEncoded, modulusLen);
+ return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptBlock(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ SECItem formatted;
+ SECItem unformatted;
+
+ formatted.data = NULL;
+ if (maxOutputLen < modulusLen)
+ goto failure;
+
+ unformatted.len = inputLen;
+ unformatted.data = (unsigned char*)input;
+ formatted.data = NULL;
+ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic,
+ &unformatted);
+ if (rv != SECSuccess)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, output, formatted.data);
+ if (rv != SECSuccess)
+ goto failure;
+
+ PORT_ZFree(formatted.data, modulusLen);
+ *outputLen = modulusLen;
+ return SECSuccess;
+
+failure:
+ if (formatted.data != NULL)
+ PORT_ZFree(formatted.data, modulusLen);
+ return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptBlock(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned int i;
+ unsigned char * buffer;
+
+ if (inputLen != modulusLen)
+ goto failure;
+
+ buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+ if (!buffer)
+ goto failure;
+
+ rv = RSA_PrivateKeyOp(key, buffer, input);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* XXX(rsleevi): Constant time */
+ if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+ buffer[1] != (unsigned char)RSA_BlockPublic) {
+ goto loser;
+ }
+ *outputLen = 0;
+ for (i = 2; i < modulusLen; i++) {
+ if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+ *outputLen = modulusLen - i - 1;
+ break;
+ }
+ }
+ if (*outputLen == 0)
+ goto loser;
+ if (*outputLen > maxOutputLen)
+ goto loser;
+
+ PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+
+ PORT_Free(buffer);
+ return SECSuccess;
+
+loser:
+ PORT_Free(buffer);
+failure:
+ return SECFailure;
+}
+
+/*
+ * Encode a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.1.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.1.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_encode(unsigned char * em,
+ unsigned int emLen,
+ const unsigned char * mHash,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * salt,
+ unsigned int saltLen)
+{
+ const SECHashObject * hash;
+ void * hash_context;
+ unsigned char * dbMask;
+ unsigned int dbMaskLen;
+ unsigned int i;
+ SECStatus rv;
+
+ hash = HASH_GetRawHashObject(hashAlg);
+ dbMaskLen = emLen - hash->length - 1;
+
+ /* Step 3 */
+ if (emLen < hash->length + saltLen + 2) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ /* Step 4 */
+ if (salt == NULL) {
+ rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - saltLen], saltLen);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ } else {
+ PORT_Memcpy(&em[dbMaskLen - saltLen], salt, saltLen);
+ }
+
+ /* Step 5 + 6 */
+ /* Compute H and store it at its final location &em[dbMaskLen]. */
+ hash_context = (*hash->create)();
+ if (hash_context == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ (*hash->begin)(hash_context);
+ (*hash->update)(hash_context, eightZeros, 8);
+ (*hash->update)(hash_context, mHash, hash->length);
+ (*hash->update)(hash_context, &em[dbMaskLen - saltLen], saltLen);
+ (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
+ (*hash->destroy)(hash_context, PR_TRUE);
+
+ /* Step 7 + 8 */
+ PORT_Memset(em, 0, dbMaskLen - saltLen - 1);
+ em[dbMaskLen - saltLen - 1] = 0x01;
+
+ /* Step 9 */
+ dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
+ if (dbMask == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
+
+ /* Step 10 */
+ for (i = 0; i < dbMaskLen; i++)
+ em[i] ^= dbMask[i];
+ PORT_Free(dbMask);
+
+ /* Step 11 */
+ em[0] &= 0x7f;
+
+ /* Step 12 */
+ em[emLen - 1] = 0xbc;
+
+ return SECSuccess;
+}
+
+/*
+ * Verify a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.2.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.2.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_verify(const unsigned char * mHash,
+ const unsigned char * em,
+ unsigned int emLen,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ unsigned int saltLen)
+{
+ const SECHashObject * hash;
+ void * hash_context;
+ unsigned char * db;
+ unsigned char * H_; /* H' from the RFC */
+ unsigned int i;
+ unsigned int dbMaskLen;
+ SECStatus rv;
+
+ hash = HASH_GetRawHashObject(hashAlg);
+ dbMaskLen = emLen - hash->length - 1;
+
+ /* Step 3 + 4 + 6 */
+ if ((emLen < (hash->length + saltLen + 2)) ||
+ (em[emLen - 1] != 0xbc) ||
+ ((em[0] & 0x80) != 0)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+
+ /* Step 7 */
+ db = (unsigned char *)PORT_Alloc(dbMaskLen);
+ if (db == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ /* &em[dbMaskLen] points to H, used as mgfSeed */
+ MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
+
+ /* Step 8 */
+ for (i = 0; i < dbMaskLen; i++) {
+ db[i] ^= em[i];
+ }
+
+ /* Step 9 */
+ db[0] &= 0x7f;
+
+ /* Step 10 */
+ for (i = 0; i < (dbMaskLen - saltLen - 1); i++) {
+ if (db[i] != 0) {
+ PORT_Free(db);
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ }
+ if (db[dbMaskLen - saltLen - 1] != 0x01) {
+ PORT_Free(db);
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+
+ /* Step 12 + 13 */
+ H_ = (unsigned char *)PORT_Alloc(hash->length);
+ if (H_ == NULL) {
+ PORT_Free(db);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ hash_context = (*hash->create)();
+ if (hash_context == NULL) {
+ PORT_Free(db);
+ PORT_Free(H_);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ (*hash->begin)(hash_context);
+ (*hash->update)(hash_context, eightZeros, 8);
+ (*hash->update)(hash_context, mHash, hash->length);
+ (*hash->update)(hash_context, &db[dbMaskLen - saltLen], saltLen);
+ (*hash->end)(hash_context, H_, &i, hash->length);
+ (*hash->destroy)(hash_context, PR_TRUE);
+
+ PORT_Free(db);
+
+ /* Step 14 */
+ if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ } else {
+ rv = SECSuccess;
+ }
+
+ PORT_Free(H_);
+ return rv;
+}
+
+SECStatus
+RSA_SignPSS(RSAPrivateKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ const unsigned char * salt,
+ unsigned int saltLength,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv = SECSuccess;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned char *pssEncoded = NULL;
+
+ if (maxOutputLen < modulusLen) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ pssEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+ if (pssEncoded == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg,
+ maskHashAlg, salt, saltLength);
+ if (rv != SECSuccess)
+ goto done;
+
+ rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded);
+ *outputLen = modulusLen;
+
+done:
+ PORT_Free(pssEncoded);
+ return rv;
+}
+
+SECStatus
+RSA_CheckSignPSS(RSAPublicKey * key,
+ HASH_HashType hashAlg,
+ HASH_HashType maskHashAlg,
+ unsigned int saltLength,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * hash,
+ unsigned int hashLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned char * buffer;
+
+ if (sigLen != modulusLen) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+
+ if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ buffer = (unsigned char *)PORT_Alloc(modulusLen);
+ if (!buffer) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ rv = RSA_PublicKeyOp(key, buffer, sig);
+ if (rv != SECSuccess) {
+ PORT_Free(buffer);
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+
+ rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg,
+ maskHashAlg, saltLength);
+ PORT_Free(buffer);
+
+ return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_Sign(RSAPrivateKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * input,
+ unsigned int inputLen)
+{
+ SECStatus rv = SECSuccess;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ SECItem formatted;
+ SECItem unformatted;
+
+ if (maxOutputLen < modulusLen)
+ return SECFailure;
+
+ unformatted.len = inputLen;
+ unformatted.data = (unsigned char*)input;
+ formatted.data = NULL;
+ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate,
+ &unformatted);
+ if (rv != SECSuccess)
+ goto done;
+
+ rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
+ *outputLen = modulusLen;
+
+ goto done;
+
+done:
+ if (formatted.data != NULL)
+ PORT_ZFree(formatted.data, modulusLen);
+ return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSign(RSAPublicKey * key,
+ const unsigned char * sig,
+ unsigned int sigLen,
+ const unsigned char * data,
+ unsigned int dataLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned int i;
+ unsigned char * buffer;
+
+ if (sigLen != modulusLen)
+ goto failure;
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ *
+ * The "3" below is the first octet + the second octet + the 0x00
+ * octet that always comes just before the ActualData.
+ */
+ if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))
+ goto failure;
+
+ buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+ if (!buffer)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, buffer, sig);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /*
+ * check the padding that was used
+ */
+ if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+ buffer[1] != (unsigned char)RSA_BlockPrivate) {
+ goto loser;
+ }
+ for (i = 2; i < modulusLen - dataLen - 1; i++) {
+ if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
+ goto loser;
+ }
+ if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET)
+ goto loser;
+
+ /*
+ * make sure we get the same results
+ */
+ if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0)
+ goto loser;
+
+ PORT_Free(buffer);
+ return SECSuccess;
+
+loser:
+ PORT_Free(buffer);
+failure:
+ return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecover(RSAPublicKey * key,
+ unsigned char * output,
+ unsigned int * outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char * sig,
+ unsigned int sigLen)
+{
+ SECStatus rv;
+ unsigned int modulusLen = rsa_modulusLen(&key->modulus);
+ unsigned int i;
+ unsigned char * buffer;
+
+ if (sigLen != modulusLen)
+ goto failure;
+
+ buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
+ if (!buffer)
+ goto failure;
+
+ rv = RSA_PublicKeyOp(key, buffer, sig);
+ if (rv != SECSuccess)
+ goto loser;
+ *outputLen = 0;
+
+ /*
+ * check the padding that was used
+ */
+ if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
+ buffer[1] != (unsigned char)RSA_BlockPrivate) {
+ goto loser;
+ }
+ for (i = 2; i < modulusLen; i++) {
+ if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+ *outputLen = modulusLen - i - 1;
+ break;
+ }
+ if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
+ goto loser;
+ }
+ if (*outputLen == 0)
+ goto loser;
+ if (*outputLen > maxOutputLen)
+ goto loser;
+
+ PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+
+ PORT_Free(buffer);
+ return SECSuccess;
+
+loser:
+ PORT_Free(buffer);
+failure:
+ return SECFailure;
+}
#include <prtime.h>
#include <prcvar.h>
#include <secasn1.h>
-#include <secoid.h>
#include <secdig.h>
#include <secport.h>
#include <secitem.h>
size_t RNG_FileUpdate(const char *fileName, size_t limit)
{
FILE * file;
- size_t bytes;
+ int fd;
+ int bytes;
size_t fileBytes = 0;
struct stat stat_buf;
unsigned char buffer[BUFSIZ];
return fileBytes;
RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
- file = fopen((char *)fileName, "r");
+ file = fopen(fileName, "r");
if (file != NULL) {
+ /* Read from the underlying file descriptor directly to bypass stdio
+ * buffering and avoid reading more bytes than we need from
+ * /dev/urandom. NOTE: we can't use fread with unbuffered I/O because
+ * fread may return EOF in unbuffered I/O mode on Android.
+ *
+ * Moreover, we read into a buffer of size BUFSIZ, so buffered I/O
+ * has no performance advantage. */
+ fd = fileno(file);
+ /* 'file' was just opened, so this should not fail. */
+ PORT_Assert(fd != -1);
while (limit > fileBytes) {
bytes = PR_MIN(sizeof buffer, limit - fileBytes);
- bytes = fread(buffer, 1, bytes, file);
- if (bytes == 0)
+ bytes = read(fd, buffer, bytes);
+ if (bytes <= 0)
break;
RNG_RandomUpdate(buffer, bytes);
fileBytes += bytes;
FILE * file;
unsigned char buffer[BUFSIZ];
- file = fopen((char *)fileName, "rb");
+ file = fopen(fileName, "rb");
if (file != NULL) {
while (fread(buffer, 1, sizeof(buffer), file) > 0)
;
size_t RNG_SystemRNG(void *dest, size_t maxLen)
{
FILE *file;
- size_t bytes;
+ int fd;
+ int bytes;
size_t fileBytes = 0;
unsigned char *buffer = dest;
if (file == NULL) {
return rng_systemFromNoise(dest, maxLen);
}
+ /* Read from the underlying file descriptor directly to bypass stdio
+ * buffering and avoid reading more bytes than we need from /dev/urandom.
+ * NOTE: we can't use fread with unbuffered I/O because fread may return
+ * EOF in unbuffered I/O mode on Android.
+ */
+ fd = fileno(file);
+ /* 'file' was just opened, so this should not fail. */
+ PORT_Assert(fd != -1);
while (maxLen > fileBytes) {
bytes = maxLen - fileBytes;
- bytes = fread(buffer, 1, bytes, file);
- if (bytes == 0)
+ bytes = read(fd, buffer, bytes);
+ if (bytes <= 0)
break;
fileBytes += bytes;
buffer += bytes;
PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0),
PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0),
PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed,0),
-PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0)
+PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0),
+PKIX_ERRORENTRY(INVALIDOCSPHTTPMETHOD,Unsupported HTTP Method for OCSP retrieval,0),
+PKIX_ERRORENTRY(OCSPGETREQUESTTOOBIG,OCSP request too big for HTTP GET method,0)
* either (a) the default Responder has been set and enabled, and a Check
* request is received with no responder specified, or (b) a Check request is
* received with a specified responder. A request message is constructed and
- * given to the HttpClient. If non-blocking I/O is used the client may return
- * with WOULDBLOCK, in which case the OCSPChecker returns the WOULDBLOCK
- * condition to its caller in turn. On a subsequent call the I/O is resumed.
- * When a response is received it is decoded and the results provided to the
- * caller.
+ * given to the HttpClient. When a response is received it is decoded and the
+ * results provided to the caller.
*
+ * During the most recent enhancement of this function, it has been found that
+ * it doesn't correctly implement non-blocking I/O.
+ *
+ * The nbioContext is used in two places, for "response-obtaining" and
+ * for "response-verification".
+ *
+ * However, if this function gets called to resume, it always
+ * repeats the "request creation" and "response fetching" steps!
+ * As a result, the earlier operation is never resumed.
*/
PKIX_Error *
pkix_OcspChecker_CheckExternal(
PKIX_PL_Date *validity = NULL;
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
void *nbioContext = NULL;
+ enum { stageGET, stagePOST } currentStage;
+ PRBool retry = PR_FALSE;
PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal");
goto cleanup;
}
- /* send request and create a response object */
- PKIX_CHECK(
- pkix_pl_OcspResponse_Create(request, NULL,
- checker->certVerifyFcn,
- &nbioContext,
- &response,
- plContext),
- PKIX_OCSPRESPONSECREATEFAILED);
- if (nbioContext != 0) {
- *pNBIOContext = nbioContext;
- goto cleanup;
- }
-
- PKIX_CHECK(
- pkix_pl_OcspResponse_Decode(response, &passed,
- &resultCode, plContext),
- PKIX_OCSPRESPONSEDECODEFAILED);
- if (passed == PKIX_FALSE) {
- goto cleanup;
- }
-
- PKIX_CHECK(
- pkix_pl_OcspResponse_GetStatus(response, &passed,
- &resultCode, plContext),
- PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
- if (passed == PKIX_FALSE) {
- goto cleanup;
+ if (methodFlags & CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP) {
+ /* Do not try HTTP GET, only HTTP POST */
+ currentStage = stagePOST;
+ } else {
+ /* Try HTTP GET first, falling back to POST */
+ currentStage = stageGET;
}
- PKIX_CHECK(
- pkix_pl_OcspResponse_VerifySignature(response, cert,
- procParams, &passed,
- &nbioContext, plContext),
- PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
- if (nbioContext != 0) {
- *pNBIOContext = nbioContext;
- goto cleanup;
- }
- if (passed == PKIX_FALSE) {
- goto cleanup;
- }
+ do {
+ const char *method;
+ passed = PKIX_TRUE;
- PKIX_CHECK(
- pkix_pl_OcspResponse_GetStatusForCert(cid, response, date,
- &passed, &resultCode,
- plContext),
- PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
- if (passed == PKIX_FALSE) {
- revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
- } else {
- revStatus = PKIX_RevStatus_Success;
- }
+ retry = PR_FALSE;
+ if (currentStage == stageGET) {
+ method = "GET";
+ } else {
+ PORT_Assert(currentStage == stagePOST);
+ method = "POST";
+ }
+
+ /* send request and create a response object */
+ PKIX_CHECK_NO_GOTO(
+ pkix_pl_OcspResponse_Create(request, method, NULL,
+ checker->certVerifyFcn,
+ &nbioContext,
+ &response,
+ plContext),
+ PKIX_OCSPRESPONSECREATEFAILED);
+
+ if (pkixErrorResult) {
+ passed = PKIX_FALSE;
+ }
+
+ if (passed && nbioContext != 0) {
+ *pNBIOContext = nbioContext;
+ goto cleanup;
+ }
+
+ if (passed){
+ PKIX_CHECK_NO_GOTO(
+ pkix_pl_OcspResponse_Decode(response, &passed,
+ &resultCode, plContext),
+ PKIX_OCSPRESPONSEDECODEFAILED);
+ if (pkixErrorResult) {
+ passed = PKIX_FALSE;
+ }
+ }
+
+ if (passed){
+ PKIX_CHECK_NO_GOTO(
+ pkix_pl_OcspResponse_GetStatus(response, &passed,
+ &resultCode, plContext),
+ PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
+ if (pkixErrorResult) {
+ passed = PKIX_FALSE;
+ }
+ }
+
+ if (passed){
+ PKIX_CHECK_NO_GOTO(
+ pkix_pl_OcspResponse_VerifySignature(response, cert,
+ procParams, &passed,
+ &nbioContext, plContext),
+ PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
+ if (pkixErrorResult) {
+ passed = PKIX_FALSE;
+ } else {
+ if (nbioContext != 0) {
+ *pNBIOContext = nbioContext;
+ goto cleanup;
+ }
+ }
+ }
+
+ if (!passed && currentStage == stagePOST) {
+ /* We won't retry a POST failure, so it's final.
+ * Because the following block with its call to
+ * pkix_pl_OcspResponse_GetStatusForCert
+ * will take care of caching good or bad state,
+ * but we only execute that next block if there hasn't
+ * been a failure yet, we must cache the POST
+ * failure now.
+ */
+
+ if (cid && cid->certID) {
+ /* Caching MIGHT consume the cid. */
+ PKIX_Error *err;
+ err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+ cid, plContext);
+ if (err) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
+ }
+ }
+ }
+
+ if (passed){
+ PKIX_Boolean allowCachingOfFailures =
+ (currentStage == stagePOST) ? PKIX_TRUE : PKIX_FALSE;
+
+ PKIX_CHECK_NO_GOTO(
+ pkix_pl_OcspResponse_GetStatusForCert(cid, response,
+ allowCachingOfFailures,
+ date,
+ &passed, &resultCode,
+ plContext),
+ PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
+ if (pkixErrorResult) {
+ passed = PKIX_FALSE;
+ } else if (passed == PKIX_FALSE) {
+ revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
+ } else {
+ revStatus = PKIX_RevStatus_Success;
+ }
+ }
+
+ if (currentStage == stageGET && revStatus != PKIX_RevStatus_Success &&
+ revStatus != PKIX_RevStatus_Revoked) {
+ /* we'll retry */
+ PKIX_DECREF(response);
+ retry = PR_TRUE;
+ currentStage = stagePOST;
+ revStatus = PKIX_RevStatus_NoInfo;
+ if (pkixErrorResult) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
+ plContext);
+ pkixErrorResult = NULL;
+ }
+ }
+ } while (retry);
cleanup:
if (revStatus == PKIX_RevStatus_NoInfo && (uriFound ||
}
*pRevStatus = revStatus;
- /* ocsp carries only tree statuses: good, bad, and unknown.
+ /* ocsp carries only three statuses: good, bad, and unknown.
* revStatus is used to pass them. reasonCode is always set
* to be unknown. */
*pReasonCode = crlEntryReasonUnspecified;
- if (!passed && cid && cid->certID) {
- /* We still own the certID object, which means that
- * it did not get consumed to create a cache entry.
- * Let's make sure there is one.
- */
- PKIX_Error *err;
- err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
- cid, plContext);
- if (err) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
- }
- }
PKIX_DECREF(cid);
PKIX_DECREF(request);
PKIX_DECREF(response);
PRTime time = 0;
SECStatus rv;
SECStatus rvOcsp;
+ OCSPFreshness freshness;
PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_GetFreshCacheStatus");
PKIX_NULLCHECK_THREE(cid, hasFreshStatus, statusIsGood);
time = PR_Now();
}
- rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+ rv = ocsp_GetCachedOCSPResponseStatus(
cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/
- &rvOcsp, missingResponseError);
+ &rvOcsp, missingResponseError, &freshness);
- *hasFreshStatus = (rv == SECSuccess);
+ *hasFreshStatus = (rv == SECSuccess && freshness == ocspFresh);
if (*hasFreshStatus) {
*statusIsGood = (rvOcsp == SECSuccess);
}
* PARAMETERS
* "request"
* Address of the OcspRequest for which a response is desired.
+ * "httpMethod"
+ * GET or POST
* "responder"
* Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
* query.
PKIX_Error *
pkix_pl_OcspResponse_Create(
PKIX_PL_OcspRequest *request,
+ const char *httpMethod,
void *responder,
PKIX_PL_VerifyCallback verifyFcn,
void **pNBIOContext,
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
+ if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) {
+ PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
+ }
+
nbioContext = *pNBIOContext;
*pNBIOContext = NULL;
}
if (httpClient && (httpClient->version == 1)) {
+ char *fullGetPath = NULL;
+ const char *sessionPath = NULL;
+ PRBool usePOST = !strcmp(httpMethod, "POST");
hcv1 = &(httpClient->fcnTable.ftable1);
PKIX_ERROR(PKIX_OCSPSERVERERROR);
}
- rv = (*hcv1->createFcn)(serverSession, "http", path,
- "POST",
+ if (usePOST) {
+ sessionPath = path;
+ } else {
+ /* calculate, are we allowed to use GET? */
+ enum { max_get_request_size = 255 }; /* defined by RFC2560 */
+ char b64ReqBuf[max_get_request_size+1];
+ size_t base64size;
+ size_t slashLengthIfNeeded = 0;
+ size_t pathLength;
+ PRInt32 urlEncodedBufLength;
+ size_t getURLLength;
+ char *walkOutput = NULL;
+
+ pathLength = strlen(path);
+ if (path[pathLength-1] != '/') {
+ slashLengthIfNeeded = 1;
+ }
+ base64size = (((encodedRequest->len +2)/3) * 4);
+ if (base64size > max_get_request_size) {
+ PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
+ }
+ memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
+ PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf);
+ urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
+ getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
+ fullGetPath = (char*)PORT_Alloc(getURLLength);
+ if (!fullGetPath) {
+ PKIX_ERROR(PKIX_OUTOFMEMORY);
+ }
+ strcpy(fullGetPath, path);
+ walkOutput = fullGetPath + pathLength;
+ if (walkOutput > fullGetPath && slashLengthIfNeeded) {
+ strcpy(walkOutput, "/");
+ ++walkOutput;
+ }
+ ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
+ sessionPath = fullGetPath;
+ }
+
+ rv = (*hcv1->createFcn)(serverSession, "http",
+ sessionPath, httpMethod,
PR_SecondsToInterval(timeout),
&sessionRequest);
+ sessionPath = NULL;
+ if (fullGetPath) {
+ PORT_Free(fullGetPath);
+ fullGetPath = NULL;
+ }
+
if (rv != SECSuccess) {
PKIX_ERROR(PKIX_OCSPSERVERERROR);
}
- rv = (*hcv1->setPostDataFcn)(sessionRequest,
- (char *)encodedRequest->data,
- encodedRequest->len,
- "application/ocsp-request");
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
+ if (usePOST) {
+ rv = (*hcv1->setPostDataFcn)(sessionRequest,
+ (char *)encodedRequest->data,
+ encodedRequest->len,
+ "application/ocsp-request");
+ if (rv != SECSuccess) {
+ PKIX_ERROR(PKIX_OCSPSERVERERROR);
+ }
+ }
/* create a PKIX_PL_OcspResponse object */
PKIX_CHECK(PKIX_PL_Object_Alloc
signature, issuerCert);
if (response->signerCert == NULL) {
- PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
+ if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
+ /* Make the error a little more specific. */
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+ }
goto cleanup;
- }
-
+ }
PKIX_CHECK(
PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert,
&(response->pkixSignerCert),
pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response,
+ PKIX_Boolean allowCachingOfFailures,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode,
{
PRTime time = 0;
SECStatus rv = SECFailure;
- SECStatus rvCache;
- PRBool certIDWasConsumed = PR_FALSE;
+ CERTOCSPSingleResponse *single = NULL;
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert");
PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode);
time = PR_Now();
}
- rv = cert_ProcessOCSPResponse(response->handle,
- response->nssOCSPResponse,
- cid->certID,
- response->signerCert,
- time,
- &certIDWasConsumed,
- &rvCache);
- if (certIDWasConsumed) {
- cid->certID = NULL;
+ rv = ocsp_GetVerifiedSingleResponseForCertID(response->handle,
+ response->nssOCSPResponse,
+ cid->certID,
+ response->signerCert,
+ time, &single);
+ if (rv == SECSuccess) {
+ /*
+ * Check whether the status says revoked, and if so
+ * how that compares to the time value passed into this routine.
+ */
+ rv = ocsp_CertHasGoodStatus(single->certStatus, time);
+ }
+
+ if (rv == SECSuccess || allowCachingOfFailures) {
+ /* allowed to update the cache */
+ PRBool certIDWasConsumed = PR_FALSE;
+
+ if (single) {
+ ocsp_CacheSingleResponse(cid->certID,single,
+ &certIDWasConsumed);
+ } else {
+ cert_RememberOCSPProcessingFailure(cid->certID,
+ &certIDWasConsumed);
+ }
+
+ if (certIDWasConsumed) {
+ cid->certID = NULL;
+ }
}
if (rv == SECSuccess) {
#include "cryptohi.h"
#include "ocspti.h"
#include "ocspi.h"
+#include "plbase64.h"
#ifdef __cplusplus
extern "C" {
PKIX_Error *
pkix_pl_OcspResponse_Create(
PKIX_PL_OcspRequest *request,
+ const char *httpMechanism,
void *responder,
PKIX_PL_VerifyCallback verifyFcn,
void **pNBIOContext,
pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response,
+ PKIX_Boolean allowCachingOfFailures,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode,
;+ local:
;+ *;
;+};
+;+NSS_3.15.4 { # NSS 3.15.4 release
+;+ global:
+CERT_ForcePostMethodForOCSP;
+CERT_GetSubjectNameDigest;
+CERT_GetSubjectPublicKeyDigest;
+;+ local:
+;+ *;
+;+};
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.15.3.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION "3.15.4" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 15
-#define NSS_VPATCH 3
-#define NSS_VBUILD 1
+#define NSS_VPATCH 4
+#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
/**********************************************************************
* Functions to manage secmod flags
**********************************************************************/
-PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
- PRBool );
+PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size);
+SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
+ PK11DefaultArrayEntry *entry, PRBool add);
/**********************************************************************
* Functions to look at PKCS #11 dependent data
CK_ATTRIBUTE *inTemplate,int tsize);
CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
CK_ATTRIBUTE *inTemplate,int tsize, int *objCount);
-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
- PK11DefaultArrayEntry *entry, PRBool add);
#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
* pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
*/
-#ifndef _SECMIME_H_
-#define _SECMIME_H_ 1
+#ifndef _SMIME_H_
+#define _SMIME_H_ 1
#include "cms.h"
pkcs11.c \
pkcs11c.c \
pkcs11u.c \
- rsawrapr.c \
sdb.c \
sftkdb.c \
sftkhmac.c \
/*
************** Crypto Functions: Utilities ************************
*/
-
+/*
+ * Utility function for converting PSS/OAEP parameter types into
+ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
+ */
+static HASH_HashType
+GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_SHA_1:
+ case CKG_MGF1_SHA1:
+ return HASH_AlgSHA1;
+ case CKM_SHA224:
+ case CKG_MGF1_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256:
+ case CKG_MGF1_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384:
+ case CKG_MGF1_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512:
+ case CKG_MGF1_SHA512:
+ return HASH_AlgSHA512;
+ default:
+ return HASH_AlgNULL;
+ }
+}
/*
* return a context based on the SFTKContext type.
}
static SECStatus
-sftk_EncryptOAEP(SFTKOAEPEncryptInfo *info, unsigned char *output,
- unsigned int *outputLen, unsigned int maxLen,
- unsigned char *input, unsigned int inputLen)
+sftk_RSAEncryptRaw(NSSLOWKEYPublicKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
{
- return RSA_EncryptOAEP(info->params, info->key, output, outputLen,
- maxLen, input, inputLen);
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_EncryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
}
static SECStatus
-sftk_DecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
- unsigned int *outputLen, unsigned int maxLen,
- unsigned char *input, unsigned int inputLen)
+sftk_RSADecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
{
- return RSA_DecryptOAEP(info->params, info->key, output, outputLen,
- maxLen, input, inputLen);
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_DecryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSAEncrypt(NSSLOWKEYPublicKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_EncryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSADecrypt(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_DecryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSAEncryptOAEP(SFTKOAEPEncryptInfo *info, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
+ maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
+
+ if (info->params->source != CKZ_DATA_SPECIFIED) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ return RSA_EncryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
+ (const unsigned char*)info->params->pSourceData,
+ info->params->ulSourceDataLen, NULL, 0,
+ output, outputLen, maxLen, input, inputLen);
+}
+
+static SECStatus
+sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
+ maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
+
+ if (info->params->source != CKZ_DATA_SPECIFIED) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ rv = RSA_DecryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
+ (const unsigned char*)info->params->pSourceData,
+ info->params->ulSourceDataLen,
+ output, outputLen, maxLen, input, inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
}
/** NSC_CryptInit initializes an encryption/Decryption operation.
context->cipherInfo = (void *)pubKey;
context->update = (SFTKCipher)
(pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_EncryptRaw : RSA_EncryptBlock);
+ ? sftk_RSAEncryptRaw : sftk_RSAEncrypt);
} else {
NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
if (privKey == NULL) {
context->cipherInfo = (void *)privKey;
context->update = (SFTKCipher)
(pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_DecryptRaw : RSA_DecryptBlock);
+ ? sftk_RSADecryptRaw : sftk_RSADecrypt);
}
context->destroy = sftk_Null;
break;
crv = CKR_KEY_HANDLE_INVALID;
break;
}
- context->update = (SFTKCipher) sftk_EncryptOAEP;
+ context->update = (SFTKCipher) sftk_RSAEncryptOAEP;
context->maxLen = nsslowkey_PublicModulusLen(info->key);
context->cipherInfo = info;
} else {
crv = CKR_KEY_HANDLE_INVALID;
break;
}
- context->update = (SFTKCipher) sftk_DecryptOAEP;
+ context->update = (SFTKCipher) sftk_RSADecryptOAEP;
context->maxLen = nsslowkey_PrivateModulusLen(info->key);
context->cipherInfo = info;
}
|| context->padDataLength == context->blockSize);
+ if (context->doPad) {
+ /* Check the data length for block ciphers. If we are padding,
+ * then we must be using a block cipher. In the non-padding case
+ * the error will be returned by the underlying decryption
+ * function when we do the actual decrypt. We need to do the
+ * check here to avoid returning a negative length to the caller
+ * or reading before the beginning of the pEncryptedPart buffer.
+ */
+ if ((ulEncryptedPartLen == 0) ||
+ (ulEncryptedPartLen % context->blockSize) != 0) {
+ return CKR_ENCRYPTED_DATA_LEN_RANGE;
+ }
+ }
+
if (!pPart) {
if (context->doPad) {
- /* we can check the data length here because if we are padding,
- * then we must be using a block cipher. In the non-padding case
- * the error will be returned by the underlying decryption
- * function when do do the actual decrypt. We need to do the
- * check here to avoid returning a negative length to the caller.
- */
- if ((ulEncryptedPartLen == 0) ||
- (ulEncryptedPartLen % context->blockSize) != 0) {
- return CKR_ENCRYPTED_DATA_LEN_RANGE;
- }
*pulPartLen =
ulEncryptedPartLen + context->padDataLength - context->blockSize;
return CKR_OK;
* encode RSA PKCS #1 Signature data before signing...
*/
static SECStatus
-sftk_HashSign(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
- unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+sftk_RSAHashSign(SFTKHashSignInfo *info, unsigned char *sig,
+ unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
{
- return RSA_HashSign(info->hashOid,info->key,sig,sigLen,maxLen,
- hash,hashLen);
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_HashSign(info->hashOid, info->key, sig, sigLen, maxLen,
+ hash, hashLen);
}
/* XXX Old template; want to expunge it eventually. */
{ 0, }
};
+/*
+ * encode RSA PKCS #1 Signature data before signing...
+ */
SECStatus
RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
- unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
- unsigned char *hash, unsigned int hashLen)
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
{
-
SECStatus rv = SECFailure;
SECItem digder;
PLArenaPool *arena = NULL;
digder.data = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) { goto loser; }
-
+ if (!arena) {
+ goto loser;
+ }
+
/* Construct digest info */
di = SGN_CreateDigestInfo(hashOid, hash, hashLen);
- if (!di) { goto loser; }
+ if (!di) {
+ goto loser;
+ }
/* Der encode the digest as a DigestInfo */
rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
/*
** Encrypt signature after constructing appropriate PKCS#1 signature
** block
*/
- rv = RSA_Sign(key,sig,sigLen,maxLen,digder.data,digder.len);
+ rv = RSA_Sign(&key->u.rsa, sig, sigLen, maxLen, digder.data,
+ digder.len);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
loser:
SGN_DestroyDigestInfo(di);
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return rv;
}
static SECStatus
-sftk_SignPSS(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
- unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+sftk_RSASign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_Sign(&key->u.rsa, output, outputLen, maxOutputLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+}
+
+static SECStatus
+sftk_RSASignRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_SignRaw(&key->u.rsa, output, outputLen, maxOutputLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+
+}
+
+static SECStatus
+sftk_RSASignPSS(SFTKHashSignInfo *info, unsigned char *sig,
+ unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
{
- return RSA_SignPSS(info->params,info->key,sig,sigLen,maxLen,
- hash,hashLen);
+ SECStatus rv = SECFailure;
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ CK_RSA_PKCS_PSS_PARAMS *params = (CK_RSA_PKCS_PSS_PARAMS *)info->params;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = GetHashTypeFromMechanism(params->mgf);
+
+ rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL,
+ params->sLen, sig, sigLen, maxLen, hash, hashLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
}
static SECStatus
context->multi = PR_TRUE; \
crv = sftk_doSub ## mmm (context); \
if (crv != CKR_OK) break; \
- context->update = (SFTKCipher) sftk_HashSign; \
+ context->update = (SFTKCipher) sftk_RSAHashSign; \
info = PORT_New(SFTKHashSignInfo); \
if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
info->hashOid = SEC_OID_ ## mmm ; \
INIT_RSA_SIGN_MECH(SHA512)
case CKM_RSA_PKCS:
- context->update = (SFTKCipher) RSA_Sign;
+ context->update = (SFTKCipher) sftk_RSASign;
goto finish_rsa;
case CKM_RSA_X_509:
- context->update = (SFTKCipher) RSA_SignRaw;
+ context->update = (SFTKCipher) sftk_RSASignRaw;
finish_rsa:
if (key_type != CKK_RSA) {
crv = CKR_KEY_TYPE_INCONSISTENT;
}
context->cipherInfo = info;
context->destroy = (SFTKDestroy) sftk_Space;
- context->update = (SFTKCipher) sftk_SignPSS;
+ context->update = (SFTKCipher) sftk_RSASignPSS;
context->maxLen = nsslowkey_PrivateModulusLen(info->key);
break;
context->hashUpdate = sftk_HMACConstantTime_Update;
context->hashdestroy = sftk_MACConstantTime_DestroyContext;
context->end = sftk_MACConstantTime_EndHash;
- context->update = sftk_SignCopy;
+ context->update = (SFTKCipher) sftk_SignCopy;
context->destroy = sftk_Space;
context->maxLen = 64;
context->multi = PR_TRUE;
context->hashUpdate = sftk_SSLv3MACConstantTime_Update;
context->hashdestroy = sftk_MACConstantTime_DestroyContext;
context->end = sftk_MACConstantTime_EndHash;
- context->update = sftk_SignCopy;
+ context->update = (SFTKCipher) sftk_SignCopy;
context->destroy = sftk_Space;
context->maxLen = 64;
context->multi = PR_TRUE;
/* Handle RSA Signature formatting */
static SECStatus
-sftk_hashCheckSign(SFTKHashVerifyInfo *info, unsigned char *sig,
- unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
+sftk_hashCheckSign(SFTKHashVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
{
- return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen,
- digest, digestLen);
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest,
+ digestLen);
}
SECStatus
RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
- unsigned char *sig, unsigned int sigLen,
- unsigned char *digest, unsigned int digestLen)
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *hash, unsigned int hashLen)
{
-
SECItem it;
SGNDigestInfo *di = NULL;
SECStatus rv = SECSuccess;
-
- it.data = NULL;
-
- if (key == NULL) goto loser;
- it.len = nsslowkey_PublicModulusLen(key);
- if (!it.len) goto loser;
+ it.data = NULL;
+ it.len = nsslowkey_PublicModulusLen(key);
+ if (!it.len) {
+ goto loser;
+ }
- it.data = (unsigned char *) PORT_Alloc(it.len);
- if (it.data == NULL) goto loser;
+ it.data = (unsigned char *)PORT_Alloc(it.len);
+ if (it.data == NULL) {
+ goto loser;
+ }
/* decrypt the block */
- rv = RSA_CheckSignRecover(key, it.data, &it.len, it.len, sig, sigLen);
- if (rv != SECSuccess) goto loser;
+ rv = RSA_CheckSignRecover(&key->u.rsa, it.data, &it.len, it.len, sig,
+ sigLen);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
di = SGN_DecodeDigestInfo(&it);
- if (di == NULL) goto loser;
- if (di->digest.len != digestLen) goto loser;
+ if (di == NULL) {
+ goto loser;
+ }
+ if (di->digest.len != hashLen) {
+ goto loser;
+ }
/* make sure the tag is OK */
if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) {
- goto loser;
+ goto loser;
}
/* make sure the "parameters" are not too bogus. */
if (di->digestAlgorithm.parameters.len > 2) {
- goto loser;
+ goto loser;
}
/* Now check the signature */
- if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
- goto done;
+ if (PORT_Memcmp(hash, di->digest.data, di->digest.len) == 0) {
+ goto done;
}
loser:
rv = SECFailure;
done:
- if (it.data != NULL) PORT_Free(it.data);
- if (di != NULL) SGN_DestroyDigestInfo(di);
-
+ if (it.data != NULL) {
+ PORT_Free(it.data);
+ }
+ if (di != NULL) {
+ SGN_DestroyDigestInfo(di);
+ }
+
return rv;
}
static SECStatus
-sftk_CheckSignPSS(SFTKHashVerifyInfo *info, unsigned char *sig,
- unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
+sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSign(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRaw(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
{
- return RSA_CheckSignPSS(info->params, info->key, sig, sigLen,
- digest, digestLen);
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRaw(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignPSS(SFTKHashVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ CK_RSA_PKCS_PSS_PARAMS *params = (CK_RSA_PKCS_PSS_PARAMS *)info->params;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = GetHashTypeFromMechanism(params->mgf);
+
+ return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg,
+ params->sLen, sig, sigLen, digest, digestLen);
}
/* NSC_VerifyInit initializes a verification operation,
INIT_RSA_VFY_MECH(SHA512)
case CKM_RSA_PKCS:
- context->verify = (SFTKVerify) RSA_CheckSign;
+ context->verify = (SFTKVerify) sftk_RSACheckSign;
goto finish_rsa;
case CKM_RSA_X_509:
- context->verify = (SFTKVerify) RSA_CheckSignRaw;
+ context->verify = (SFTKVerify) sftk_RSACheckSignRaw;
finish_rsa:
if (key_type != CKK_RSA) {
if (info) PORT_Free(info);
}
context->cipherInfo = info;
context->destroy = (SFTKDestroy) sftk_Space;
- context->verify = (SFTKVerify) sftk_CheckSignPSS;
+ context->verify = (SFTKVerify) sftk_RSACheckSignPSS;
break;
case CKM_DSA_SHA1:
context->multi = PR_TRUE;
/*
************** Crypto Functions: Verify Recover ************************
*/
+static SECStatus
+sftk_RSACheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecover(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRecoverRaw(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecoverRaw(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
/* NSC_VerifyRecoverInit initializes a signature verification operation,
* where the data is recovered from the signature.
}
context->cipherInfo = pubKey;
context->update = (SFTKCipher) (pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
+ ? sftk_RSACheckSignRecoverRaw : sftk_RSACheckSignRecover);
context->destroy = sftk_Null;
break;
default:
+++ /dev/null
-/*
- * PKCS#1 encoding and decoding functions.
- * This file is believed to contain no code licensed from other parties.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "blapi.h"
-#include "softoken.h"
-
-#include "lowkeyi.h"
-#include "secerr.h"
-
-#define RSA_BLOCK_MIN_PAD_LEN 8
-#define RSA_BLOCK_FIRST_OCTET 0x00
-#define RSA_BLOCK_PRIVATE0_PAD_OCTET 0x00
-#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
-#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-
-/* Needed for RSA-PSS functions */
-static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
-/* Constant time comparison of a single byte.
- * Returns 1 iff a == b, otherwise returns 0.
- * Note: For ranges of bytes, use constantTimeCompare.
- */
-static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
- unsigned char c = ~(a - b | b - a);
- c >>= 7;
- return c;
-}
-
-/* Constant time comparison of a range of bytes.
- * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
- * returns 0.
- */
-static unsigned char constantTimeCompare(const unsigned char *a,
- const unsigned char *b,
- unsigned int len) {
- unsigned char tmp = 0;
- unsigned int i;
- for (i = 0; i < len; ++i, ++a, ++b)
- tmp |= *a ^ *b;
- return constantTimeEQ8(0x00, tmp);
-}
-
-/* Constant time conditional.
- * Returns a if c is 1, or b if c is 0. The result is undefined if c is
- * not 0 or 1.
- */
-static unsigned int constantTimeCondition(unsigned int c,
- unsigned int a,
- unsigned int b)
-{
- return (~(c - 1) & a) | ((c - 1) & b);
-}
-
-/*
- * Format one block of data for public/private key encryption using
- * the rules defined in PKCS #1.
- */
-static unsigned char *
-rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
- SECItem *data)
-{
- unsigned char *block;
- unsigned char *bp;
- int padLen;
- int i, j;
- SECStatus rv;
-
- block = (unsigned char *) PORT_Alloc(modulusLen);
- if (block == NULL)
- return NULL;
-
- bp = block;
-
- /*
- * All RSA blocks start with two octets:
- * 0x00 || BlockType
- */
- *bp++ = RSA_BLOCK_FIRST_OCTET;
- *bp++ = (unsigned char) blockType;
-
- switch (blockType) {
-
- /*
- * Blocks intended for private-key operation.
- */
- case RSA_BlockPrivate0: /* essentially unused */
- case RSA_BlockPrivate: /* preferred method */
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- PORT_Free (block);
- return NULL;
- }
- PORT_Memset (bp,
- blockType == RSA_BlockPrivate0
- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
- : RSA_BLOCK_PRIVATE_PAD_OCTET,
- padLen);
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy (bp, data->data, data->len);
- break;
-
- /*
- * Blocks intended for public-key operation.
- */
- case RSA_BlockPublic:
-
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is all non-zero random bytes.
- *
- * Build the block left to right.
- * Fill the entire block from Pad to the end with random bytes.
- * Use the bytes after Pad as a supply of extra random bytes from
- * which to find replacements for the zero bytes in Pad.
- * If we need more than that, refill the bytes after Pad with
- * new random bytes as necessary.
- */
- padLen = modulusLen - (data->len + 3);
- PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- PORT_Free (block);
- return NULL;
- }
- j = modulusLen - 2;
- rv = RNG_GenerateGlobalRandomBytes(bp, j);
- if (rv == SECSuccess) {
- for (i = 0; i < padLen; ) {
- unsigned char repl;
- /* Pad with non-zero random data. */
- if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
- ++i;
- continue;
- }
- if (j <= padLen) {
- rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
- modulusLen - (2 + padLen));
- if (rv != SECSuccess)
- break;
- j = modulusLen - 2;
- }
- do {
- repl = bp[--j];
- } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
- if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
- bp[i++] = repl;
- }
- }
- }
- if (rv != SECSuccess) {
- sftk_fatalError = PR_TRUE;
- PORT_Free (block);
- return NULL;
- }
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy (bp, data->data, data->len);
- break;
-
- default:
- PORT_Assert (0);
- PORT_Free (block);
- return NULL;
- }
-
- return block;
-}
-
-static SECStatus
-rsa_FormatBlock(SECItem *result, unsigned modulusLen,
- RSA_BlockType blockType, SECItem *data)
-{
- /*
- * XXX For now assume that the data length fits in a single
- * XXX encryption block; the ASSERTs below force this.
- * XXX To fix it, each case will have to loop over chunks whose
- * XXX lengths satisfy the assertions, until all data is handled.
- * XXX (Unless RSA has more to say about how to handle data
- * XXX which does not fit in a single encryption block?)
- * XXX And I do not know what the result is supposed to be,
- * XXX so the interface to this function may need to change
- * XXX to allow for returning multiple blocks, if they are
- * XXX not wanted simply concatenated one after the other.
- */
-
- switch (blockType) {
- case RSA_BlockPrivate0:
- case RSA_BlockPrivate:
- case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- *
- * The "3" below is the first octet + the second octet + the 0x00
- * octet that always comes just before the ActualData.
- */
- PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
- case RSA_BlockRaw:
- /*
- * Pad || ActualData
- * Pad is zeros. The application is responsible for recovering
- * the actual data.
- */
- if (data->len > modulusLen ) {
- return SECFailure;
- }
- result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
- result->len = modulusLen;
- PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
- break;
-
- default:
- PORT_Assert (0);
- result->data = NULL;
- result->len = 0;
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_Sign(NSSLOWKEYPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int maxOutputLen,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulus_len)
- return SECFailure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- return SECFailure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
- &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- }
- *output_len = modulus_len;
-
- goto done;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSign(NSSLOWKEYPublicKey *key,
- unsigned char * sign,
- unsigned int sign_len,
- unsigned char * hash,
- unsigned int hash_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- modulus_len = nsslowkey_PublicModulusLen(key);
- if (sign_len != modulus_len)
- goto failure;
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- *
- * The "3" below is the first octet + the second octet + the 0x00
- * octet that always comes just before the ActualData.
- */
- if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN))
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != 0 || buffer[1] != 1)
- goto loser;
- for (i = 2; i < modulus_len - hash_len - 1; i++) {
- if (buffer[i] != 0xff)
- goto loser;
- }
- if (buffer[i] != 0)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
- unsigned char * data,
- unsigned int * data_len,
- unsigned int max_output_len,
- unsigned char * sign,
- unsigned int sign_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- if (sign_len != modulus_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
- *data_len = 0;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != 0 || buffer[1] != 1)
- goto loser;
- for (i = 2; i < modulus_len; i++) {
- if (buffer[i] == 0) {
- *data_len = modulus_len - i - 1;
- break;
- }
- if (buffer[i] != 0xff)
- goto loser;
- }
- if (*data_len == 0)
- goto loser;
- if (*data_len > max_output_len)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptBlock(NSSLOWKEYPublicKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
- &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulus_len);
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptBlock(NSSLOWKEYPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
- if (input_len != modulus_len)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- }
- goto loser;
- }
-
- if (buffer[0] != 0 || buffer[1] != 2)
- goto loser;
- *output_len = 0;
- for (i = 2; i < modulus_len; i++) {
- if (buffer[i] == 0) {
- *output_len = modulus_len - i - 1;
- break;
- }
- }
- if (*output_len == 0)
- goto loser;
- if (*output_len > max_output_len)
- goto loser;
-
- PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-/*
- * added to make pkcs #11 happy
- * RAW is RSA_X_509
- */
-SECStatus
-RSA_SignRaw(NSSLOWKEYPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int maxOutputLen,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulus_len)
- return SECFailure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- return SECFailure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- }
- *output_len = modulus_len;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
- unsigned char * sign,
- unsigned int sign_len,
- unsigned char * hash,
- unsigned int hash_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- unsigned char * buffer;
-
- if (sign_len != modulus_len)
- goto failure;
- if (hash_len > modulus_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- /* NOTE: should we verify the leading zeros? */
- if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
- unsigned char * data,
- unsigned int * data_len,
- unsigned int max_output_len,
- unsigned char * sign,
- unsigned int sign_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
-
- if (sign_len != modulus_len)
- goto failure;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
- if (rv != SECSuccess)
- goto failure;
-
- *data_len = modulus_len;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
-
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptRaw(NSSLOWKEYPublicKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulus_len);
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptRaw(NSSLOWKEYPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
-
- if (modulus_len <= 0)
- goto failure;
- if (modulus_len > max_output_len)
- goto failure;
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey)
- goto failure;
- if (input_len != modulus_len)
- goto failure;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- }
- goto failure;
- }
-
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
-
-/*
- * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
- */
-static SECStatus
-MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
- const unsigned char *mgfSeed, unsigned int mgfSeedLen)
-{
- unsigned int digestLen;
- PRUint32 counter, rounds;
- unsigned char *tempHash, *temp;
- const SECHashObject *hash;
- void *hashContext;
- unsigned char C[4];
-
- hash = HASH_GetRawHashObject(hashAlg);
- if (hash == NULL)
- return SECFailure;
-
- hashContext = (*hash->create)();
- rounds = (maskLen + hash->length - 1) / hash->length;
- for (counter = 0; counter < rounds; counter++) {
- C[0] = (unsigned char)((counter >> 24) & 0xff);
- C[1] = (unsigned char)((counter >> 16) & 0xff);
- C[2] = (unsigned char)((counter >> 8) & 0xff);
- C[3] = (unsigned char)(counter & 0xff);
-
- /* This could be optimized when the clone functions in
- * rawhash.c are implemented. */
- (*hash->begin)(hashContext);
- (*hash->update)(hashContext, mgfSeed, mgfSeedLen);
- (*hash->update)(hashContext, C, sizeof C);
-
- tempHash = mask + counter * hash->length;
- if (counter != (rounds-1)) {
- (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
- } else { /* we're in the last round and need to cut the hash */
- temp = PORT_Alloc(hash->length);
- (*hash->end)(hashContext, temp, &digestLen, hash->length);
- PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
- PORT_Free(temp);
- }
- }
- (*hash->destroy)(hashContext, PR_TRUE);
-
- return SECSuccess;
-}
-
-/*
- * Decodes an EME-OAEP encoded block, validating the encoding in constant
- * time.
- * Described in RFC 3447, section 7.1.2.
- * input contains the encoded block, after decryption.
- * label is the optional value L that was associated with the message.
- * On success, the original message and message length will be stored in
- * output and outputLen.
- */
-static SECStatus
-eme_oaep_decode(unsigned char *output, unsigned int *outputLen,
- unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen,
- HASH_HashType hashAlg, HASH_HashType maskHashAlg,
- const unsigned char *label, unsigned int labelLen)
-{
- const SECHashObject *hash;
- void *hashContext;
- SECStatus rv = SECFailure;
- unsigned char labelHash[HASH_LENGTH_MAX];
- unsigned int i, maskLen, paddingOffset;
- unsigned char *mask = NULL, *tmpOutput = NULL;
- unsigned char isGood, foundPaddingEnd;
-
- hash = HASH_GetRawHashObject(hashAlg);
-
- /* 1.c */
- if (inputLen < (hash->length * 2) + 2) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
-
- /* Step 3.a - Generate lHash */
- hashContext = (*hash->create)();
- if (hashContext == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hashContext);
- if (labelLen > 0)
- (*hash->update)(hashContext, label, labelLen);
- (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
- (*hash->destroy)(hashContext, PR_TRUE);
-
- tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
- if (tmpOutput == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto done;
- }
-
- maskLen = inputLen - hash->length - 1;
- mask = (unsigned char*)PORT_Alloc(maskLen);
- if (mask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto done;
- }
-
- PORT_Memcpy(tmpOutput, input, inputLen);
-
- /* 3.c - Generate seedMask */
- MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
- inputLen - hash->length - 1);
- /* 3.d - Unmask seed */
- for (i = 0; i < hash->length; ++i)
- tmpOutput[1 + i] ^= mask[i];
-
- /* 3.e - Generate dbMask */
- MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
- /* 3.f - Unmask DB */
- for (i = 0; i < maskLen; ++i)
- tmpOutput[1 + hash->length + i] ^= mask[i];
-
- /* 3.g - Compare Y, lHash, and PS in constant time
- * Warning: This code is timing dependent and must not disclose which of
- * these were invalid.
- */
- paddingOffset = 0;
- isGood = 1;
- foundPaddingEnd = 0;
-
- /* Compare Y */
- isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
-
- /* Compare lHash and lHash' */
- isGood &= constantTimeCompare(&labelHash[0],
- &tmpOutput[1 + hash->length],
- hash->length);
-
- /* Compare that the padding is zero or more zero octets, followed by a
- * 0x01 octet */
- for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
- unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
- unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
- /* non-constant time equivalent:
- * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
- * paddingOffset = i;
- */
- paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
- paddingOffset);
- /* non-constant time equivalent:
- * if (tmpOutput[i] == 0x01)
- * foundPaddingEnd = true;
- *
- * Note: This may yield false positives, as it will be set whenever
- * a 0x01 byte is encountered. If there was bad padding (eg:
- * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
- * paddingOffset will still be set to 2.
- */
- foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
- /* non-constant time equivalent:
- * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
- * !foundPaddingEnd) {
- * isGood = false;
- * }
- *
- * Note: This may yield false positives, as a message (and padding)
- * that is entirely zeros will result in isGood still being true. Thus
- * it's necessary to check foundPaddingEnd is positive below.
- */
- isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
- }
-
- /* While both isGood and foundPaddingEnd may have false positives, they
- * cannot BOTH have false positives. If both are not true, then an invalid
- * message was received. Note, this comparison must still be done in constant
- * time so as not to leak either condition.
- */
- if (!(isGood & foundPaddingEnd)) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto done;
- }
-
- /* End timing dependent code */
-
- ++paddingOffset; /* Skip the 0x01 following the end of PS */
-
- *outputLen = inputLen - paddingOffset;
- if (*outputLen > maxOutputLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- goto done;
- }
-
- if (*outputLen)
- PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
- rv = SECSuccess;
-
-done:
- if (mask)
- PORT_ZFree(mask, maskLen);
- if (tmpOutput)
- PORT_ZFree(tmpOutput, inputLen);
- return rv;
-}
-
-/*
- * Generate an EME-OAEP encoded block for encryption
- * Described in RFC 3447, section 7.1.1
- * We use input instead of M for the message to be encrypted
- * label is the optional value L to be associated with the message.
- */
-static SECStatus
-eme_oaep_encode(unsigned char *em, unsigned int emLen,
- const unsigned char *input, unsigned int inputLen,
- HASH_HashType hashAlg, HASH_HashType maskHashAlg,
- const unsigned char *label, unsigned int labelLen)
-{
- const SECHashObject *hash;
- void *hashContext;
- SECStatus rv;
- unsigned char *mask;
- unsigned int reservedLen, dbMaskLen, i;
-
- hash = HASH_GetRawHashObject(hashAlg);
-
- /* Step 1.b */
- reservedLen = (2 * hash->length) + 2;
- if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
-
- /*
- * From RFC 3447, Section 7.1
- * +----------+---------+-------+
- * DB = | lHash | PS | M |
- * +----------+---------+-------+
- * |
- * +----------+ V
- * | seed |--> MGF ---> xor
- * +----------+ |
- * | |
- * +--+ V |
- * |00| xor <----- MGF <-----|
- * +--+ | |
- * | | |
- * V V V
- * +--+----------+----------------------------+
- * EM = |00|maskedSeed| maskedDB |
- * +--+----------+----------------------------+
- *
- * We use mask to hold the result of the MGF functions, and all other
- * values are generated in their final resting place.
- */
- *em = 0x00;
-
- /* Step 2.a - Generate lHash */
- hashContext = (*hash->create)();
- if (hashContext == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hashContext);
- if (labelLen > 0)
- (*hash->update)(hashContext, label, labelLen);
- (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
- (*hash->destroy)(hashContext, PR_TRUE);
-
- /* Step 2.b - Generate PS */
- if (emLen - reservedLen - inputLen > 0) {
- PORT_Memset(em + 1 + (hash->length * 2), 0x00,
- emLen - reservedLen - inputLen);
- }
-
- /* Step 2.c. - Generate DB
- * DB = lHash || PS || 0x01 || M
- * Note that PS and lHash have already been placed into em at their
- * appropriate offsets. This just copies M into place
- */
- em[emLen - inputLen - 1] = 0x01;
- if (inputLen)
- PORT_Memcpy(em + emLen - inputLen, input, inputLen);
-
- /* Step 2.d - Generate seed */
- rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
- if (rv != SECSuccess) {
- return rv;
- }
-
- /* Step 2.e - Generate dbMask*/
- dbMaskLen = emLen - hash->length - 1;
- mask = (unsigned char*)PORT_Alloc(dbMaskLen);
- if (mask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
- /* Step 2.f - Compute maskedDB*/
- for (i = 0; i < dbMaskLen; ++i)
- em[1 + hash->length + i] ^= mask[i];
-
- /* Step 2.g - Generate seedMask */
- MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
- /* Step 2.h - Compute maskedSeed */
- for (i = 0; i < hash->length; ++i)
- em[1 + i] ^= mask[i];
-
- PORT_ZFree(mask, dbMaskLen);
- return SECSuccess;
-}
-
-/*
- * Encode a RSA-PSS signature.
- * Described in RFC 3447, section 9.1.1.
- * We use mHash instead of M as input.
- * emBits from the RFC is just modBits - 1, see section 8.1.1.
- * We only support MGF1 as the MGF.
- *
- * NOTE: this code assumes modBits is a multiple of 8.
- */
-static SECStatus
-emsa_pss_encode(unsigned char *em, unsigned int emLen,
- const unsigned char *mHash, HASH_HashType hashAlg,
- HASH_HashType maskHashAlg, unsigned int sLen)
-{
- const SECHashObject *hash;
- void *hash_context;
- unsigned char *dbMask;
- unsigned int dbMaskLen, i;
- SECStatus rv;
-
- hash = HASH_GetRawHashObject(hashAlg);
- dbMaskLen = emLen - hash->length - 1;
-
- /* Step 3 */
- if (emLen < hash->length + sLen + 2) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
-
- /* Step 4 */
- rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - sLen], sLen);
- if (rv != SECSuccess) {
- return rv;
- }
-
- /* Step 5 + 6 */
- /* Compute H and store it at its final location &em[dbMaskLen]. */
- hash_context = (*hash->create)();
- if (hash_context == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hash_context);
- (*hash->update)(hash_context, eightZeros, 8);
- (*hash->update)(hash_context, mHash, hash->length);
- (*hash->update)(hash_context, &em[dbMaskLen - sLen], sLen);
- (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
- (*hash->destroy)(hash_context, PR_TRUE);
-
- /* Step 7 + 8 */
- PORT_Memset(em, 0, dbMaskLen - sLen - 1);
- em[dbMaskLen - sLen - 1] = 0x01;
-
- /* Step 9 */
- dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
- if (dbMask == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
-
- /* Step 10 */
- for (i = 0; i < dbMaskLen; i++)
- em[i] ^= dbMask[i];
- PORT_Free(dbMask);
-
- /* Step 11 */
- em[0] &= 0x7f;
-
- /* Step 12 */
- em[emLen - 1] = 0xbc;
-
- return SECSuccess;
-}
-
-/*
- * Verify a RSA-PSS signature.
- * Described in RFC 3447, section 9.1.2.
- * We use mHash instead of M as input.
- * emBits from the RFC is just modBits - 1, see section 8.1.2.
- * We only support MGF1 as the MGF.
- *
- * NOTE: this code assumes modBits is a multiple of 8.
- */
-static SECStatus
-emsa_pss_verify(const unsigned char *mHash,
- const unsigned char *em, unsigned int emLen,
- HASH_HashType hashAlg, HASH_HashType maskHashAlg,
- unsigned int sLen)
-{
- const SECHashObject *hash;
- void *hash_context;
- unsigned char *db;
- unsigned char *H_; /* H' from the RFC */
- unsigned int i, dbMaskLen;
- SECStatus rv;
-
- hash = HASH_GetRawHashObject(hashAlg);
- dbMaskLen = emLen - hash->length - 1;
-
- /* Step 3 + 4 + 6 */
- if ((emLen < (hash->length + sLen + 2)) ||
- (em[emLen - 1] != 0xbc) ||
- ((em[0] & 0x80) != 0)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- /* Step 7 */
- db = (unsigned char *)PORT_Alloc(dbMaskLen);
- if (db == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- /* &em[dbMaskLen] points to H, used as mgfSeed */
- MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
-
- /* Step 8 */
- for (i = 0; i < dbMaskLen; i++) {
- db[i] ^= em[i];
- }
-
- /* Step 9 */
- db[0] &= 0x7f;
-
- /* Step 10 */
- for (i = 0; i < (dbMaskLen - sLen - 1); i++) {
- if (db[i] != 0) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- }
- if (db[dbMaskLen - sLen - 1] != 0x01) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- /* Step 12 + 13 */
- H_ = (unsigned char *)PORT_Alloc(hash->length);
- if (H_ == NULL) {
- PORT_Free(db);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- hash_context = (*hash->create)();
- if (hash_context == NULL) {
- PORT_Free(db);
- PORT_Free(H_);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- (*hash->begin)(hash_context);
- (*hash->update)(hash_context, eightZeros, 8);
- (*hash->update)(hash_context, mHash, hash->length);
- (*hash->update)(hash_context, &db[dbMaskLen - sLen], sLen);
- (*hash->end)(hash_context, H_, &i, hash->length);
- (*hash->destroy)(hash_context, PR_TRUE);
-
- PORT_Free(db);
-
- /* Step 14 */
- if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- rv = SECFailure;
- } else {
- rv = SECSuccess;
- }
-
- PORT_Free(H_);
- return rv;
-}
-
-static HASH_HashType
-GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
-{
- switch (mech) {
- case CKM_SHA_1:
- case CKG_MGF1_SHA1:
- return HASH_AlgSHA1;
- case CKM_SHA224:
- case CKG_MGF1_SHA224:
- return HASH_AlgSHA224;
- case CKM_SHA256:
- case CKG_MGF1_SHA256:
- return HASH_AlgSHA256;
- case CKM_SHA384:
- case CKG_MGF1_SHA384:
- return HASH_AlgSHA384;
- case CKM_SHA512:
- case CKG_MGF1_SHA512:
- return HASH_AlgSHA512;
- default:
- return HASH_AlgNULL;
- }
-}
-
-/* MGF1 is the only supported MGF. */
-SECStatus
-RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
- NSSLOWKEYPublicKey *key,
- const unsigned char *sign, unsigned int sign_len,
- const unsigned char *hash, unsigned int hash_len)
-{
- HASH_HashType hashAlg;
- HASH_HashType maskHashAlg;
- SECStatus rv;
- unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
- unsigned char *buffer;
-
- if (sign_len != modulus_len) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len);
- if (!buffer) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess) {
- PORT_Free(buffer);
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
-
- rv = emsa_pss_verify(hash, buffer, modulus_len, hashAlg,
- maskHashAlg, pss_params->sLen);
- PORT_Free(buffer);
-
- return rv;
-}
-
-/* MGF1 is the only supported MGF. */
-SECStatus
-RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, NSSLOWKEYPrivateKey *key,
- unsigned char *output, unsigned int *output_len,
- unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
- unsigned char *pss_encoded = NULL;
- HASH_HashType hashAlg;
- HASH_HashType maskHashAlg;
-
- if (max_output_len < modulus_len) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return SECFailure;
- }
-
- hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- pss_encoded = (unsigned char *)PORT_Alloc(modulus_len);
- if (pss_encoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- rv = emsa_pss_encode(pss_encoded, modulus_len, input, hashAlg,
- maskHashAlg, pss_params->sLen);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, pss_encoded);
- if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- }
- *output_len = modulus_len;
-
-done:
- PORT_Free(pss_encoded);
- return rv;
-}
-
-/* MGF1 is the only supported MGF. */
-SECStatus
-RSA_EncryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
- NSSLOWKEYPublicKey *key,
- unsigned char *output, unsigned int *outputLen,
- unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen)
-{
- SECStatus rv = SECFailure;
- unsigned int modulusLen = nsslowkey_PublicModulusLen(key);
- unsigned char *oaepEncoded = NULL;
- unsigned char *sourceData = NULL;
- unsigned int sourceDataLen = 0;
-
- HASH_HashType hashAlg;
- HASH_HashType maskHashAlg;
-
- if (maxOutputLen < modulusLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return SECFailure;
- }
-
- hashAlg = GetHashTypeFromMechanism(oaepParams->hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(oaepParams->mgf);
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- /* The PKCS#11 source parameter is the "source" of the label parameter.
- * The only defined source is explicitly specified, in which case, the
- * label is an optional byte string in pSourceData. If ulSourceDataLen is
- * zero, then pSourceData MUST be NULL - otherwise, it must be non-NULL.
- */
- if (oaepParams->source != CKZ_DATA_SPECIFIED) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
- sourceData = (unsigned char*)oaepParams->pSourceData;
- sourceDataLen = oaepParams->ulSourceDataLen;
- if ((sourceDataLen == 0 && sourceData != NULL) ||
- (sourceDataLen > 0 && sourceData == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
- if (oaepEncoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
- hashAlg, maskHashAlg, sourceData, sourceDataLen);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, output, oaepEncoded);
- if (rv != SECSuccess)
- goto done;
- *outputLen = modulusLen;
-
-done:
- PORT_Free(oaepEncoded);
- return rv;
-}
-
-/* MGF1 is the only supported MGF. */
-SECStatus
-RSA_DecryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
- NSSLOWKEYPrivateKey *key,
- unsigned char *output, unsigned int *outputLen,
- unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen)
-{
- SECStatus rv = SECFailure;
- unsigned int modulusLen = nsslowkey_PrivateModulusLen(key);
- unsigned char *oaepEncoded = NULL;
- unsigned char *sourceData = NULL;
- unsigned int sourceDataLen = 0;
-
- HASH_HashType hashAlg = GetHashTypeFromMechanism(oaepParams->hashAlg);
- HASH_HashType maskHashAlg = GetHashTypeFromMechanism(oaepParams->mgf);
-
- if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- if (inputLen != modulusLen) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
- PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
- if (key->keyType != NSSLOWKEYRSAKey) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return SECFailure;
- }
-
- /* The PKCS#11 source parameter is the "source" of the label parameter.
- * The only defined source is explicitly specified, in which case, the
- * label is an optional byte string in pSourceData. If ulSourceDataLen is
- * zero, then pSourceData MUST be NULL - otherwise, it must be non-NULL.
- */
- if (oaepParams->source != CKZ_DATA_SPECIFIED) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
- sourceData = (unsigned char*)oaepParams->pSourceData;
- sourceDataLen = oaepParams->ulSourceDataLen;
- if ((sourceDataLen == 0 && sourceData != NULL) ||
- (sourceDataLen > 0 && sourceData == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
- if (oaepEncoded == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, oaepEncoded, input);
- if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
- sftk_fatalError = PR_TRUE;
- goto done;
- }
-
- rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
- modulusLen, hashAlg, maskHashAlg, sourceData,
- sourceDataLen);
-
-done:
- if (oaepEncoded)
- PORT_ZFree(oaepEncoded, modulusLen);
- return rv;
-}
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.15.3.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.15.4" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 15
-#define SOFTOKEN_VPATCH 3
-#define SOFTOKEN_VBUILD 1
+#define SOFTOKEN_VPATCH 4
+#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */
SEC_BEGIN_PROTOS
/*
-** RSA encryption/decryption. When encrypting/decrypting the output
-** buffer must be at least the size of the public key modulus.
-*/
-
-/*
-** Format some data into a PKCS#1 encryption block, preparing the
-** data for RSA encryption.
-** "result" where the formatted block is stored (memory is allocated)
-** "modulusLen" the size of the formatted block
-** "blockType" what block type to use (SEC_RSABlock*)
-** "data" the data to format
-*/
-extern SECStatus RSA_FormatBlock(SECItem *result,
- unsigned int modulusLen,
- RSA_BlockType blockType,
- SECItem *data);
-/*
-** Similar, but just returns a pointer to the allocated memory, *and*
-** will *only* format one block, even if we (in the future) modify
-** RSA_FormatBlock() to loop over multiples of modulusLen.
-*/
-extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
- RSA_BlockType blockType,
- SECItem *data);
-
-
-
-/*
- * convenience wrappers for doing single RSA operations. They create the
- * RSA context internally and take care of the formatting
- * requirements. Blinding happens automagically within RSA_Sign and
- * RSA_DecryptBlock.
+ * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the
+ * encoded digest info is computed internally, rather than by the caller.
+ *
+ * The HashSign variants expect as input the value of H, the computed hash
+ * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
+ * DigestInfo structure internally prior to signing/verifying.
*/
-extern
-SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_HashSign(SECOidTag hashOid,
- NSSLOWKEYPrivateKey *key, unsigned char *sig,
- unsigned int *sigLen, unsigned int maxLen,
- unsigned char *hash, unsigned int hashLen);
-extern
-SECStatus RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
- NSSLOWKEYPrivateKey *key,
- unsigned char *output, unsigned int *output_len,
- unsigned int max_output_len, const unsigned char *input,
- unsigned int input_len);
-extern
-SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
- unsigned int signLength, unsigned char *hash,
- unsigned int hashLength);
-extern
-SECStatus RSA_HashCheckSign(SECOidTag hashOid,
- NSSLOWKEYPublicKey *key, unsigned char *sig,
- unsigned int sigLen, unsigned char *digest,
- unsigned int digestLen);
-extern
-SECStatus RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
- NSSLOWKEYPublicKey *key,
- const unsigned char *sign, unsigned int sign_len,
- const unsigned char *hash, unsigned int hash_len);
-extern
-SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
- unsigned int *data_len,unsigned int max_output_len,
- unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-extern
-SECStatus RSA_EncryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
- NSSLOWKEYPublicKey *key,
- unsigned char *output, unsigned int *outputLen,
- unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen);
-
-extern
-SECStatus RSA_DecryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
- NSSLOWKEYPrivateKey *key,
- unsigned char *output, unsigned int *outputLen,
- unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen);
+extern SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+extern SECStatus
+RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *hash, unsigned int hashLen);
-/*
- * added to make pkcs #11 happy
- * RAW is RSA_X_509
- */
-extern
-SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
- unsigned int *output_len, unsigned int maxOutputLen,
- unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign,
- unsigned int sign_len, unsigned char *hash,
- unsigned int hash_len);
-extern
-SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
- unsigned int *data_len, unsigned int max_output_len,
- unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
- unsigned int *output_len,
- unsigned int max_output_len,
- unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
- unsigned int *output_len,
- unsigned int max_output_len,
- unsigned char *input, unsigned int input_len);
#ifdef NSS_ENABLE_ECC
/*
** pepare an ECParam structure from DEREncoded params
#ifndef _SOFTOKNT_H_
#define _SOFTOKNT_H_
-/*
- * RSA block types
- *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
- */
-typedef enum {
- RSA_BlockPrivate0 = 0, /* unused, really */
- RSA_BlockPrivate = 1, /* pad for a private-key operation */
- RSA_BlockPublic = 2, /* pad for a public-key operation */
- RSA_BlockRaw = 4, /* simply justify the block appropriately */
- RSA_BlockTotal
-} RSA_BlockType;
-
#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
/*
;+ local:
;+*;
;+};
+;+NSS_3.15.4 { # NSS 3.15.4 release
+;+ global:
+SSL_PeerCertificateChain;
+SSL_RecommendedCanFalseStart;
+SSL_SetCanFalseStartCallback;
+;+ local:
+;+*;
+;+};
#define SSL_ENABLE_FALSE_START 22 /* Enable SSL false start (off by */
/* default, applies only to */
/* clients). False start is a */
-/* mode where an SSL client will start sending application data before */
-/* verifying the server's Finished message. This means that we could end up */
-/* sending data to an imposter. However, the data will be encrypted and */
-/* only the true server can derive the session key. Thus, so long as the */
-/* cipher isn't broken this is safe. Because of this, False Start will only */
-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80 */
-/* bits. The advantage of False Start is that it saves a round trip for */
-/* client-speaks-first protocols when performing a full handshake. */
+/* mode where an SSL client will start sending application data before
+ * verifying the server's Finished message. This means that we could end up
+ * sending data to an imposter. However, the data will be encrypted and
+ * only the true server can derive the session key. Thus, so long as the
+ * cipher isn't broken this is safe. The advantage of false start is that
+ * it saves a round trip for client-speaks-first protocols when performing a
+ * full handshake.
+ *
+ * In addition to enabling this option, the application must register a
+ * callback using the SSL_SetCanFalseStartCallback function.
+ */
/* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
* on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
*/
SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+/*
+** Return the certificates presented by the SSL peer. If the SSL peer
+** did not present certificates, return NULL with the
+** SSL_ERROR_NO_CERTIFICATE error. On failure, return NULL with an error
+** code other than SSL_ERROR_NO_CERTIFICATE.
+** "fd" the socket "file" descriptor
+*/
+SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
+
/* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
* by the TLS server. The return value is a pointer to an internal SECItemArray
* that contains the returned OCSP responses; it is only valid until the
SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
/*
-** Set the callback on a particular socket that gets called when we finish
-** performing a handshake.
+** Set the callback that gets called when a TLS handshake is complete. The
+** handshake callback is called after verifying the peer's Finished message and
+** before processing incoming application data.
+**
+** For the initial handshake: If the handshake false started (see
+** SSL_ENABLE_FALSE_START), then application data may already have been sent
+** before the handshake callback is called. If we did not false start then the
+** callback will get called before any application data is sent.
*/
typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
void *client_data);
SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd,
SSLHandshakeCallback cb, void *client_data);
+/* Applications that wish to enable TLS false start must set this callback
+** function. NSS will invoke the functon to determine if a particular
+** connection should use false start or not. SECSuccess indicates that the
+** callback completed successfully, and if so *canFalseStart indicates if false
+** start can be used. If the callback does not return SECSuccess then the
+** handshake will be canceled. NSS's recommended criteria can be evaluated by
+** calling SSL_RecommendedCanFalseStart.
+**
+** If no false start callback is registered then false start will never be
+** done, even if the SSL_ENABLE_FALSE_START option is enabled.
+**/
+typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
+ PRFileDesc *fd, void *arg, PRBool *canFalseStart);
+
+SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
+ PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
+
+/* This function sets *canFalseStart according to the recommended criteria for
+** false start. These criteria may change from release to release and may depend
+** on which handshake features have been negotiated and/or properties of the
+** certifciates/keys used on the connection.
+*/
+SSL_IMPORT SECStatus SSL_RecommendedCanFalseStart(PRFileDesc *fd,
+ PRBool *canFalseStart);
+
/*
** For the server, request a new handshake. For the client, begin a new
** handshake. If flushCache is non-zero, the SSL3 cache entry will be
* precedence (desirability). It only includes cipher suites we implement.
* This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
* in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
+ *
+ * Important: See bug 946147 before enabling, reordering, or adding any cipher
+ * suites to this list.
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
/* cipher_suite policy enabled isPresent */
+
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+ * bug 946147.
+ */
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* RSA */
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-
+ /* 56-bit DES "domestic" cipher suites */
{ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* export ciphersuites with 1024-bit public key exchange keys */
{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ /* export ciphersuites with 512-bit public key exchange keys */
{ SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ /* ciphersuites with no encryption */
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
};
+/* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
+ */
+#ifdef DEBUG
+void ssl3_CheckCipherSuiteOrderConsistency()
+{
+ unsigned int i;
+
+ /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
+ * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
+ */
+ PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
+
+ for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
+ PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
+ }
+}
+#endif
+
/* This list of SSL3 compression methods is sorted in descending order of
* precedence (desirability). It only includes compression methods we
* implement.
static SECStatus
ssl3_GetNewRandom(SSL3Random *random)
{
- PRUint32 gmt = ssl_Time();
SECStatus rv;
- random->rand[0] = (unsigned char)(gmt >> 24);
- random->rand[1] = (unsigned char)(gmt >> 16);
- random->rand[2] = (unsigned char)(gmt >> 8);
- random->rand[3] = (unsigned char)(gmt);
-
/* first 4 bytes are reserverd for time */
- rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
+ rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
}
}
/* Allow DER encoded DSA signatures in SSL 3.0 */
if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
- signature = DSAU_DecodeDerSig(buf);
+ signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
if (!signature) {
PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
return SECFailure;
calg = cipher_def->calg;
- if (calg == calg_aes_gcm) {
+ if (calg == ssl_calg_aes_gcm) {
pwSpec->encode = NULL;
pwSpec->decode = NULL;
pwSpec->destroy = NULL;
case ssl_calg_rc2:
case ssl_calg_idea:
case ssl_calg_fortezza:
+ case ssl_calg_aes_gcm:
break;
}
* Forces the use of the provided epoch
* ssl_SEND_FLAG_CAP_RECORD_VERSION
* Caps the record layer version number of TLS ClientHello to { 3, 1 }
- * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
+ * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
* ClientHello.client_version and use the record layer version number
* (TLSPlaintext.version) instead when negotiating protocol versions. In
* addition, if the record layer version number of ClientHello is { 3, 2 }
- * (TLS 1.1) or higher, these servers reset the TCP connections. Set this
+ * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
+ * some F5 BIG-IP servers hang if a record containing a ClientHello has a
+ * version greater than { 3, 1 } and a length greater than 255. Set this
* flag to work around such servers.
*/
PRInt32
SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
nIn));
- PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
+ PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
return SECFailure;
}
+
+ /* Create a backup SHA-1 hash for a potential client auth
+ * signature.
+ *
+ * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
+ * handshake hash function (SHA-256). If the server or the client
+ * does not support SHA-256 as a signature hash, we can either
+ * maintain a backup SHA-1 handshake hash or buffer all handshake
+ * messages.
+ */
+ if (!ss->sec.isServer) {
+ ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
+ if (ss->ssl3.hs.backupHash == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ return SECFailure;
+ }
+
+ if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ return SECFailure;
+ }
+ }
} else {
/* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
* created successfully. */
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
return rv;
}
+ if (ss->ssl3.hs.backupHash) {
+ rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
+ if (rv != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ return rv;
+ }
+ }
} else {
rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
if (rv != SECSuccess) {
return rv;
}
+static SECStatus
+ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
+ SSL3Hashes * hashes) /* output goes here. */
+{
+ SECStatus rv = SECSuccess;
+
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+ PORT_Assert( !ss->sec.isServer );
+ PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
+
+ rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
+ sizeof(hashes->u.raw));
+ if (rv != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ hashes->hashAlg = SEC_OID_SHA1;
+
+loser:
+ PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+ ss->ssl3.hs.backupHash = NULL;
+ return rv;
+}
+
/*
* SSL 2 based implementations pass in the initial outbound buffer
* so that the handshake hash can contain the included information.
int num_suites;
int actual_count = 0;
PRBool isTLS = PR_FALSE;
- PRBool requestingResume = PR_FALSE;
PRInt32 total_exten_len = 0;
unsigned numCompressionMethods;
PRInt32 flags;
ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
PORT_Assert(IS_DTLS(ss) || !resending);
+ SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
+ ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+
/* We might be starting a session renegotiation in which case we should
* clear previous state.
*/
}
if (sid) {
- requestingResume = PR_TRUE;
SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
- /* Are we attempting a stateless session resume? */
- if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
- sid->u.ssl3.sessionTicket.ticket.data)
- SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
-
PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
sid->u.ssl3.sessionIDLength));
return SECFailure; /* ssl3_config_match_init has set error code. */
/* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
- * only if we're willing to complete an SSL 3.0 handshake.
+ * only if TLS is disabled.
*/
- if (!ss->firstHsDone && ss->vrange.min == SSL_LIBRARY_VERSION_3_0) {
+ if (!ss->firstHsDone && !isTLS) {
/* Must set this before calling Hello Extension Senders,
* to suppress sending of empty RI extension.
*/
ss->ssl3.hs.sendingSCSV = PR_TRUE;
}
+ /* When we attempt session resumption (only), we must lock the sid to
+ * prevent races with other resumption connections that receive a
+ * NewSessionTicket that will cause the ticket in the sid to be replaced.
+ * Once we've copied the session ticket into our ClientHello message, it
+ * is OK for the ticket to change, so we just need to make sure we hold
+ * the lock across the calls to ssl3_CallHelloExtensionSenders.
+ */
+ if (sid->u.ssl3.lock) {
+ PR_RWLock_Rlock(sid->u.ssl3.lock);
+ }
+
if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
PRUint32 maxBytes = 65535; /* 2^16 - 1 */
PRInt32 extLen;
extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
if (extLen < 0) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return SECFailure;
}
maxBytes -= extLen;
/* how many suites are permitted by policy and user preference? */
num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
- if (!num_suites)
+ if (!num_suites) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return SECFailure; /* count_cipher_suites has set error code. */
+ }
if (ss->ssl3.hs.sendingSCSV) {
++num_suites; /* make room for SCSV */
}
rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
}
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by GetNewRandom. */
}
}
rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
SSL3_RANDOM_LENGTH);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
else
rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
rv = ssl3_AppendHandshakeVariable(
ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
}
rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
sizeof(ssl3CipherSuite));
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
actual_count++;
if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
actual_count++;
if (actual_count > num_suites) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
/* set error card removal/insertion error */
PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
return SECFailure;
rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
sizeof(ssl3CipherSuite));
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
}
* the server.. */
if (actual_count != num_suites) {
/* Card removal/insertion error */
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
return SECFailure;
}
rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
for (i = 0; i < compressionMethodsCount; i++) {
continue;
rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */
}
}
rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
if (rv != SECSuccess) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by AppendHandshake. */
}
extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
if (extLen < 0) {
+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return SECFailure;
}
maxBytes -= extLen;
PORT_Assert(!maxBytes);
}
+
+ if (sid->u.ssl3.lock) {
+ PR_RWLock_Unlock(sid->u.ssl3.lock);
+ }
+
+ if (ss->xtnData.sentSessionTicketInClientHello) {
+ SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
+ }
+
if (ss->ssl3.hs.sendingSCSV) {
/* Since we sent the SCSV, pretend we sent empty RI extension. */
TLSExtensionData *xtnData = &ss->xtnData;
}
flags = 0;
- if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
+ if (!ss->firstHsDone && !IS_DTLS(ss)) {
flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
}
rv = ssl3_FlushHandshake(ss, flags);
SSL_GETPID(), ss->fd));
ssl_GetSpecReadLock(ss);
- rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+ if (ss->ssl3.hs.hashType == handshake_hash_single &&
+ ss->ssl3.hs.backupHash) {
+ rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
+ PORT_Assert(!ss->ssl3.hs.backupHash);
+ } else {
+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+ }
ssl_ReleaseSpecReadLock(ss);
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
if (rv != SECSuccess) {
goto done;
}
- /* We always sign using the handshake hash function. It's possible that
- * a server could support SHA-256 as the handshake hash but not as a
- * signature hash. In that case we wouldn't be able to do client
- * certificates with it. The alternative is to buffer all handshake
- * messages. */
sigAndHash.hashAlg = hashes.hashAlg;
rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
/* If we sent a session ticket, then this is a stateless resume. */
- if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
- sid->u.ssl3.sessionTicket.ticket.data != NULL)
+ if (ss->xtnData.sentSessionTicketInClientHello)
SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
}
+/*
+ * Returns the TLS signature algorithm for the client authentication key and
+ * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
+ */
+static SECStatus
+ssl3_ExtractClientKeyInfo(sslSocket *ss,
+ TLSSignatureAlgorithm *sigAlg,
+ PRBool *preferSha1)
+{
+ SECStatus rv = SECSuccess;
+ SECKEYPublicKey *pubk;
+
+ pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+ if (pubk == NULL) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
+ * it may be unable to sign SHA-256 hashes. This is the case for older
+ * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
+ * older, DSA key size is at most 1024 bits and the hash function must
+ * be SHA-1.
+ */
+ if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
+ *preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
+ } else {
+ *preferSha1 = PR_FALSE;
+ }
+
+done:
+ if (pubk)
+ SECKEY_DestroyPublicKey(pubk);
+ return rv;
+}
+
+/* Destroys the backup handshake hash context if we don't need it. Note that
+ * this function selects the hash algorithm for client authentication
+ * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
+ * to determine whether to use SHA-1 or SHA-256. */
+static void
+ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
+ const SECItem *algorithms)
+{
+ SECStatus rv;
+ TLSSignatureAlgorithm sigAlg;
+ PRBool preferSha1;
+ PRBool supportsSha1 = PR_FALSE;
+ PRBool supportsSha256 = PR_FALSE;
+ PRBool needBackupHash = PR_FALSE;
+ unsigned int i;
+
+#ifndef NO_PKCS11_BYPASS
+ /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
+ if (ss->opt.bypassPKCS11) {
+ PORT_Assert(!ss->ssl3.hs.backupHash);
+ return;
+ }
+#endif
+ PORT_Assert(ss->ssl3.hs.backupHash);
+
+ /* Determine the key's signature algorithm and whether it prefers SHA-1. */
+ rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* Determine the server's hash support for that signature algorithm. */
+ for (i = 0; i < algorithms->len; i += 2) {
+ if (algorithms->data[i+1] == sigAlg) {
+ if (algorithms->data[i] == tls_hash_sha1) {
+ supportsSha1 = PR_TRUE;
+ } else if (algorithms->data[i] == tls_hash_sha256) {
+ supportsSha256 = PR_TRUE;
+ }
+ }
+ }
+
+ /* If either the server does not support SHA-256 or the client key prefers
+ * SHA-1, leave the backup hash. */
+ if (supportsSha1 && (preferSha1 || !supportsSha256)) {
+ needBackupHash = PR_TRUE;
+ }
+
+done:
+ if (!needBackupHash) {
+ PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+ ss->ssl3.hs.backupHash = NULL;
+ }
+}
+
typedef struct dnameNode {
struct dnameNode *next;
SECItem name;
ss->ssl3.clientCertificate,
certUsageSSLClient, PR_FALSE);
if (ss->ssl3.clientCertChain == NULL) {
- if (ss->ssl3.clientCertificate != NULL) {
- CERT_DestroyCertificate(ss->ssl3.clientCertificate);
- ss->ssl3.clientCertificate = NULL;
- }
- if (ss->ssl3.clientPrivateKey != NULL) {
- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
- ss->ssl3.clientPrivateKey = NULL;
- }
+ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+ ss->ssl3.clientCertificate = NULL;
+ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+ ss->ssl3.clientPrivateKey = NULL;
goto send_no_certificate;
}
+ if (ss->ssl3.hs.hashType == handshake_hash_single) {
+ ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
+ }
break; /* not an error */
case SECFailure:
return rv;
}
+static SECStatus
+ssl3_CheckFalseStart(sslSocket *ss)
+{
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+ PORT_Assert( !ss->ssl3.hs.authCertificatePending );
+ PORT_Assert( !ss->ssl3.hs.canFalseStart );
+
+ if (!ss->canFalseStartCallback) {
+ SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
+ SSL_GETPID(), ss->fd));
+ } else {
+ PRBool maybeFalseStart;
+ SECStatus rv;
+
+ /* An attacker can control the selected ciphersuite so we only wish to
+ * do False Start in the case that the selected ciphersuite is
+ * sufficiently strong that the attack can gain no advantage.
+ * Therefore we always require an 80-bit cipher. */
+ ssl_GetSpecReadLock(ss);
+ maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
+ ssl_ReleaseSpecReadLock(ss);
+
+ if (!maybeFalseStart) {
+ SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
+ SSL_GETPID(), ss->fd));
+ } else {
+ rv = (ss->canFalseStartCallback)(ss->fd,
+ ss->canFalseStartCallbackData,
+ &ss->ssl3.hs.canFalseStart);
+ if (rv == SECSuccess) {
+ SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
+ SSL_GETPID(), ss->fd,
+ ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
+ } else {
+ SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
+ SSL_GETPID(), ss->fd,
+ PR_ErrorToName(PR_GetError())));
+ }
+ return rv;
+ }
+ }
+
+ ss->ssl3.hs.canFalseStart = PR_FALSE;
+ return SECSuccess;
+}
+
PRBool
-ssl3_CanFalseStart(sslSocket *ss) {
- PRBool rv;
+ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
+{
+ PRBool result;
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- /* XXX: does not take into account whether we are waiting for
- * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
- * that is done, this function could return different results each time it
- * would be called.
- */
+ switch (ss->ssl3.hs.ws) {
+ case wait_new_session_ticket:
+ result = PR_TRUE;
+ break;
+ case wait_change_cipher:
+ result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
+ break;
+ default:
+ result = PR_FALSE;
+ break;
+ }
- ssl_GetSpecReadLock(ss);
- rv = ss->opt.enableFalseStart &&
- !ss->sec.isServer &&
- !ss->ssl3.hs.isResuming &&
- ss->ssl3.cwSpec &&
-
- /* An attacker can control the selected ciphersuite so we only wish to
- * do False Start in the case that the selected ciphersuite is
- * sufficiently strong that the attack can gain no advantage.
- * Therefore we require an 80-bit cipher and a forward-secret key
- * exchange. */
- ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
- (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
- ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
- ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
- ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
- ssl_ReleaseSpecReadLock(ss);
- return rv;
+ return result;
}
static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
ss->ssl3.clientCertChain != NULL &&
ss->ssl3.clientPrivateKey != NULL;
+ if (!sendClientCert &&
+ ss->ssl3.hs.hashType == handshake_hash_single &&
+ ss->ssl3.hs.backupHash) {
+ /* Don't need the backup handshake hash. */
+ PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+ ss->ssl3.hs.backupHash = NULL;
+ }
+
/* We must wait for the server's certificate to be authenticated before
* sending the client certificate in order to disclosing the client
* certificate to an attacker that does not have a valid cert for the
}
if (ss->ssl3.hs.authCertificatePending &&
(sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
+ SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
+ " certificate authentication is still pending.",
+ SSL_GETPID(), ss->fd));
ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
return SECWouldBlock;
}
goto loser; /* err code was set. */
}
- /* XXX: If the server's certificate hasn't been authenticated by this
- * point, then we may be leaking this NPN message to an attacker.
+ /* This must be done after we've set ss->ssl3.cwSpec in
+ * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
+ * from cwSpec. This must be done before we call ssl3_CheckFalseStart
+ * because the false start callback (if any) may need the information from
+ * the functions that depend on this being set.
*/
+ ss->enoughFirstHsDone = PR_TRUE;
+
if (!ss->firstHsDone) {
+ /* XXX: If the server's certificate hasn't been authenticated by this
+ * point, then we may be leaking this NPN message to an attacker.
+ */
rv = ssl3_SendNextProto(ss);
if (rv != SECSuccess) {
goto loser; /* err code was set. */
}
+
+ if (ss->opt.enableFalseStart) {
+ if (!ss->ssl3.hs.authCertificatePending) {
+ /* When we fix bug 589047, we will need to know whether we are
+ * false starting before we try to flush the client second
+ * round to the network. With that in mind, we purposefully
+ * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
+ * which includes a call to ssl3_FlushHandshake, so that
+ * no application develops a reliance on such flushing being
+ * done before its false start callback is called.
+ */
+ ssl_ReleaseXmitBufLock(ss);
+ rv = ssl3_CheckFalseStart(ss);
+ ssl_GetXmitBufLock(ss);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ } else {
+ /* The certificate authentication and the server's Finished
+ * message are racing each other. If the certificate
+ * authentication wins, then we will try to false start in
+ * ssl3_AuthCertificateComplete.
+ */
+ SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
+ " certificate authentication is still pending.",
+ SSL_GETPID(), ss->fd));
+ }
+ }
}
rv = ssl3_SendFinished(ss, 0);
else
ss->ssl3.hs.ws = wait_change_cipher;
- /* Do the handshake callback for sslv3 here, if we can false start. */
- if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
- (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
- }
+ PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
return SECSuccess;
SECStatus
ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
{
- SECStatus rv;
- NewSessionTicket session_ticket;
+ SECStatus rv;
+ SECItem ticketData;
SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
SSL_GETPID(), ss->fd));
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+ PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
+ PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
+
if (ss->ssl3.hs.ws != wait_new_session_ticket) {
SSL3_SendAlert(ss, alert_fatal, unexpected_message);
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
return SECFailure;
}
- session_ticket.received_timestamp = ssl_Time();
+ /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
+ * until it has verified the server's Finished message." See the comment in
+ * ssl3_FinishHandshake for more details.
+ */
+ ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
if (length < 4) {
(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
return SECFailure;
}
- session_ticket.ticket_lifetime_hint =
+ ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
- rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
- &b, &length);
+ rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
if (length != 0 || rv != SECSuccess) {
(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
return SECFailure; /* malformed */
}
-
- rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
+ rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
+ &ticketData);
if (rv != SECSuccess) {
- (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
- PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
- return SECFailure;
+ return rv;
}
+ ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
+
ss->ssl3.hs.ws = wait_change_cipher;
return SECSuccess;
}
ss->ssl3.hs.authCertificatePending = PR_TRUE;
rv = SECSuccess;
-
- /* XXX: Async cert validation and False Start don't work together
- * safely yet; if we leave False Start enabled, we may end up false
- * starting (sending application data) before we
- * SSL_AuthCertificateComplete has been called.
- */
- ss->opt.enableFalseStart = PR_FALSE;
}
if (rv != SECSuccess) {
} else if (ss->ssl3.hs.restartTarget != NULL) {
sslRestartTarget target = ss->ssl3.hs.restartTarget;
ss->ssl3.hs.restartTarget = NULL;
+
+ if (target == ssl3_FinishHandshake) {
+ SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
+ " with peer's finished message", SSL_GETPID(), ss->fd));
+ }
+
rv = target(ss);
/* Even if we blocked here, we have accomplished enough to claim
* success. Any remaining work will be taken care of by subsequent
rv = SECSuccess;
}
} else {
- rv = SECSuccess;
+ SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
+ " peer's finished message", SSL_GETPID(), ss->fd));
+
+ PORT_Assert(!ss->ssl3.hs.isResuming);
+ PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
+
+ if (ss->opt.enableFalseStart &&
+ !ss->firstHsDone &&
+ !ss->ssl3.hs.isResuming &&
+ ssl3_WaitingForStartOfServerSecondRound(ss)) {
+ /* ssl3_SendClientSecondRound deferred the false start check because
+ * certificate authentication was pending, so we do it now if we still
+ * haven't received any of the server's second round yet.
+ */
+ rv = ssl3_CheckFalseStart(ss);
+ } else {
+ rv = SECSuccess;
+ }
}
done:
return rv;
}
-/* called from ssl3_HandleServerHelloDone
+/* called from ssl3_SendClientSecondRound
+ * ssl3_HandleFinished
*/
static SECStatus
ssl3_SendNextProto(sslSocket *ss)
return;
}
-/* called from ssl3_HandleServerHelloDone
+/* called from ssl3_SendClientSecondRound
* ssl3_HandleClientHello
* ssl3_HandleFinished
*/
*/
if (isServer && !ss->ssl3.hs.isResuming &&
ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
+ /* RFC 5077 Section 3.3: "In the case of a full handshake, the
+ * server MUST verify the client's Finished message before sending
+ * the ticket." Presumably, this also means that the client's
+ * certificate, if any, must be verified beforehand too.
+ */
rv = ssl3_SendNewSessionTicket(ss);
if (rv != SECSuccess) {
goto xmit_loser;
return rv;
}
- ss->gs.writeOffset = 0;
- ss->gs.readOffset = 0;
-
if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
effectiveExchKeyType = kt_rsa;
} else {
return rv;
}
+/* The return type is SECStatus instead of void because this function needs
+ * to have type sslRestartTarget.
+ */
SECStatus
ssl3_FinishHandshake(sslSocket * ss)
{
/* The first handshake is now completed. */
ss->handshake = NULL;
- ss->firstHsDone = PR_TRUE;
+
+ /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
+ * until it has verified the server's Finished message." When the server
+ * sends a NewSessionTicket in a resumption handshake, we must wait until
+ * the handshake is finished (we have verified the server's Finished
+ * AND the server's certificate) before we update the ticket in the sid.
+ *
+ * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
+ * because CacheSID requires the session ticket to already be set, and also
+ * because of the lazy lock creation scheme used by CacheSID and
+ * ssl3_SetSIDSessionTicket.
+ */
+ if (ss->ssl3.hs.receivedNewSessionTicket) {
+ PORT_Assert(!ss->sec.isServer);
+ ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
+ /* The sid took over the ticket data */
+ PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
+ ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+ }
if (ss->ssl3.hs.cacheSID) {
+ PORT_Assert(ss->sec.ci.sid->cached == never_cached);
(*ss->sec.cache)(ss->sec.ci.sid);
ss->ssl3.hs.cacheSID = PR_FALSE;
}
+ ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
ss->ssl3.hs.ws = idle_handshake;
- /* Do the handshake callback for sslv3 here, if we cannot false start. */
- if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
- (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
- }
+ ssl_FinishHandshake(ss);
return SECSuccess;
}
ssl_ReleaseSSL3HandshakeLock(ss);
return rv;
-
}
/*
ss->ssl3.hs.messages.buf = NULL;
ss->ssl3.hs.messages.space = 0;
+ ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+ PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
+ sizeof(ss->ssl3.hs.newSessionTicket));
+
ss->ssl3.initialized = PR_TRUE;
return SECSuccess;
}
/* free the SSL3Buffer (msg_body) */
PORT_Free(ss->ssl3.hs.msg_body.buf);
+ SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
+
/* free up the CipherSpecs */
ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
{
PRInt32 extension_length;
NewSessionTicket *session_ticket = NULL;
+ sslSessionID *sid = ss->sec.ci.sid;
/* Ignore the SessionTicket extension if processing is disabled. */
if (!ss->opt.enableSessionTickets)
* the extension always respond with an empty extension.
*/
if (!ss->sec.isServer) {
- sslSessionID *sid = ss->sec.ci.sid;
- session_ticket = &sid->u.ssl3.sessionTicket;
+ /* The caller must be holding sid->u.ssl3.lock for reading. We cannot
+ * just acquire and release the lock within this function because the
+ * caller will call this function twice, and we need the inputs to be
+ * consistent between the two calls. Note that currently the caller
+ * will only be holding the lock when we are the client and when we're
+ * attempting to resume an existing session.
+ */
+
+ session_ticket = &sid->u.ssl3.locked.sessionTicket;
if (session_ticket->ticket.data) {
if (ss->xtnData.ticketTimestampVerified) {
extension_length += session_ticket->ticket.len;
rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
session_ticket->ticket.len, 2);
ss->xtnData.ticketTimestampVerified = PR_FALSE;
+ ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
} else {
rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
}
{
SSL3Ciphertext cText;
int rv;
- PRBool canFalseStart = PR_FALSE;
+ PRBool keepGoing = PR_TRUE;
SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
+ /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
+ * which requires the 1stHandshakeLock, which must be acquired before the
+ * RecvBufLock.
+ */
+ PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
do {
PRBool handleRecordNow = PR_FALSE;
rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
} else {
/* bring in the next sslv3 record. */
+ if (ss->recvdCloseNotify) {
+ /* RFC 5246 Section 7.2.1:
+ * Any data received after a closure alert is ignored.
+ */
+ return 0;
+ }
if (!IS_DTLS(ss)) {
rv = ssl3_GatherData(ss, &ss->gs, flags);
} else {
if (rv < 0) {
return ss->recvdCloseNotify ? 0 : rv;
}
+ if (ss->gs.buf.len > 0) {
+ /* We have application data to return to the application. This
+ * prioritizes returning application data to the application over
+ * completing any renegotiation handshake we may be doing.
+ */
+ PORT_Assert(ss->firstHsDone);
+ PORT_Assert(cText.type == content_application_data);
+ break;
+ }
- /* If we kicked off a false start in ssl3_HandleServerHelloDone, break
- * out of this loop early without finishing the handshake.
- */
- if (ss->opt.enableFalseStart) {
- ssl_GetSSL3HandshakeLock(ss);
- canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
- ss->ssl3.hs.ws == wait_new_session_ticket) &&
- ssl3_CanFalseStart(ss);
- ssl_ReleaseSSL3HandshakeLock(ss);
+ PORT_Assert(keepGoing);
+ ssl_GetSSL3HandshakeLock(ss);
+ if (ss->ssl3.hs.ws == idle_handshake) {
+ /* We are done with the current handshake so stop trying to
+ * handshake. Note that it would be safe to test ss->firstHsDone
+ * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
+ * we prioritize completing a renegotiation handshake over sending
+ * application data.
+ */
+ PORT_Assert(ss->firstHsDone);
+ PORT_Assert(!ss->ssl3.hs.canFalseStart);
+ keepGoing = PR_FALSE;
+ } else if (ss->ssl3.hs.canFalseStart) {
+ /* Prioritize sending application data over trying to complete
+ * the handshake if we're false starting.
+ *
+ * If we were to do this check at the beginning of the loop instead
+ * of here, then this function would become be a no-op after
+ * receiving the ServerHelloDone in the false start case, and we
+ * would never complete the handshake.
+ */
+ PORT_Assert(!ss->firstHsDone);
+
+ if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
+ keepGoing = PR_FALSE;
+ } else {
+ ss->ssl3.hs.canFalseStart = PR_FALSE;
+ }
}
- } while (ss->ssl3.hs.ws != idle_handshake &&
- !canFalseStart &&
- ss->gs.buf.len == 0);
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ } while (keepGoing);
ss->gs.readOffset = 0;
ss->gs.writeOffset = ss->gs.buf.len;
{
int rv;
+ /* ssl3_GatherCompleteHandshake requires both of these locks. */
+ PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
do {
rv = ssl3_GatherCompleteHandshake(ss, flags);
} while (rv > 0 && ss->gs.buf.len == 0);
}
/* NEED LOCKS IN HERE. */
+CERTCertList *
+SSL_PeerCertificateChain(PRFileDesc *fd)
+{
+ sslSocket *ss;
+ CERTCertList *chain = NULL;
+ CERTCertificate *cert;
+ ssl3CertNode *cur;
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
+ SSL_GETPID(), fd));
+ return NULL;
+ }
+ if (!ss->opt.useSecurity || !ss->sec.peerCert) {
+ PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+ return NULL;
+ }
+ chain = CERT_NewCertList();
+ if (!chain) {
+ return NULL;
+ }
+ cert = CERT_DupCertificate(ss->sec.peerCert);
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+ goto loser;
+ }
+ for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
+ cert = CERT_DupCertificate(cur->cert);
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+ goto loser;
+ }
+ }
+ return chain;
+
+loser:
+ CERT_DestroyCertList(chain);
+ return NULL;
+}
+
+/* NEED LOCKS IN HERE. */
CERTCertificate *
SSL_LocalCertificate(PRFileDesc *fd)
{
sslSocket *ss;
const char *cipherName;
PRBool isDes = PR_FALSE;
- PRBool enoughFirstHsDone = PR_FALSE;
ss = ssl_FindSocket(fd);
if (!ss) {
*op = SSL_SECURITY_STATUS_OFF;
}
- if (ss->firstHsDone) {
- enoughFirstHsDone = PR_TRUE;
- } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
- ssl3_CanFalseStart(ss)) {
- enoughFirstHsDone = PR_TRUE;
- }
-
- if (ss->opt.useSecurity && enoughFirstHsDone) {
+ if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
if (ss->version < SSL_LIBRARY_VERSION_3_0) {
cipherName = ssl_cipherName[ss->sec.cipherType];
} else {
certStatusArray = &ss->sec.ci.sid->peerCertStatus;
if (certStatusArray->len) {
- CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,
- now, &certStatusArray->items[0],
- ss->pkcs11PinArg);
+ PORT_SetError(0);
+ if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
+ &certStatusArray->items[0],
+ ss->pkcs11PinArg)
+ != SECSuccess) {
+ PRErrorCode error = PR_GetError();
+ PORT_Assert(error != 0);
+ }
}
/* this may seem backwards, but isn't. */
(*ss->sec.uncache)(sid);
rv = (SECStatus)sent;
} else if (!ss->opt.noCache) {
- /* Put the sid in session-id cache, (may already be there) */
- (*ss->sec.cache)(sid);
+ if (sid->cached == never_cached) {
+ (*ss->sec.cache)(sid);
+ }
rv = SECSuccess;
}
ssl_FreeSID(sid);
sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
}
- if (!ss->opt.noCache)
+ if (!ss->opt.noCache && sid->cached == never_cached)
(*ss->sec.cache)(sid);
}
#include "sslproto.h"
/*
- * The ciphers are listed in the following order:
- * - stronger ciphers before weaker ciphers
- * - national ciphers before international ciphers
- * - faster ciphers before slower ciphers
- *
- * National ciphers such as Camellia are listed before international ciphers
- * such as AES and RC4 to allow servers that prefer Camellia to negotiate
- * Camellia without having to disable AES and RC4, which are needed for
- * interoperability with clients that don't yet implement Camellia.
- *
* The ordering of cipher suites in this table must match the ordering in
* the cipherSuites table in ssl3con.c.
*
* in ssl3ecc.c.
*
* Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
+ *
+ * The ordering is as follows:
+ * * No-encryption cipher suites last
+ * * Export/weak/obsolete cipher suites before no-encryption cipher suites
+ * * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
+ * * Within key agreement sections, order by symmetric encryption algorithm:
+ * AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
+ * then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
+ * strong cipher internationally, and is often hardware-accelerated.
+ * Camellia also has wide international support across standards
+ * organizations. SEED is only recommended by the Korean government. 3DES
+ * only provides 112 bits of security. RC4 is now deprecated or forbidden
+ * by many standards organizations.
+ * * Within symmetric algorithm sections, order by message authentication
+ * algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
+ * * Within message authentication algorithm sections, order by asymmetric
+ * signature algorithm: ECDSA, then RSA, then DSS.
+ *
+ * Exception: Because some servers ignore the high-order byte of the cipher
+ * suite ID, we must be careful about adding cipher suites with IDs larger
+ * than 0x00ff; see bug 946147. For these broken servers, the first four cipher\r
+ * suites, with the MSB zeroed, look like:\r
+ * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }\r
+ * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }\r
+ * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }\r
+ * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }\r
+ * The broken server only supports the third and fourth ones and will select
+ * the third one.
*/
const PRUint16 SSL_ImplementedCiphers[] = {
- /* AES-GCM */
#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-#endif /* NSS_ENABLE_ECC */
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_128_GCM_SHA256,
-
- /* 256-bit */
-#ifdef NSS_ENABLE_ECC
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+ */
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA256,
-
- /* 128-bit */
-#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
+
#ifdef NSS_ENABLE_ECC
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
- TLS_RSA_WITH_SEED_CBC_SHA,
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
- SSL_RSA_WITH_RC4_128_SHA,
- SSL_RSA_WITH_RC4_128_MD5,
-
- /* 112-bit 3DES */
-#ifdef NSS_ENABLE_ECC
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+ SSL_RSA_WITH_RC4_128_SHA,
+ SSL_RSA_WITH_RC4_128_MD5,
/* 56-bit DES "domestic" cipher suites */
SSL_DHE_RSA_WITH_DES_CBC_SHA,
} Cached;
struct sslSessionIDStr {
+ /* The global cache lock must be held when accessing these members when the
+ * sid is in any cache.
+ */
sslSessionID * next; /* chain used for client sockets, only */
+ Cached cached;
+ int references;
+ PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
+
+ /* The rest of the members, except for the members of u.ssl3.locked, may
+ * be modified only when the sid is not in any cache.
+ */
CERTCertificate * peerCert;
SECItemArray peerCertStatus; /* client only */
SSL3ProtocolVersion version;
PRUint32 creationTime; /* seconds since Jan 1, 1970 */
- PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
- Cached cached;
- int references;
SSLSignType authAlgorithm;
PRUint32 authKeyBits;
char masterValid;
char clAuthValid;
- /* Session ticket if we have one, is sent as an extension in the
- * ClientHello message. This field is used by clients.
+ SECItem srvName;
+
+ /* This lock is lazily initialized by CacheSID when a sid is first
+ * cached. Before then, there is no need to lock anything because
+ * the sid isn't being shared by anything.
+ */
+ PRRWLock *lock;
+
+ /* The lock must be held while reading or writing these members
+ * because they change while the sid is cached.
*/
- NewSessionTicket sessionTicket;
- SECItem srvName;
+ struct {
+ /* The session ticket, if we have one, is sent as an extension
+ * in the ClientHello message. This field is used only by
+ * clients. It is protected by lock when lock is non-null
+ * (after the sid has been added to the client session cache).
+ */
+ NewSessionTicket sessionTicket;
+ } locked;
} ssl3;
} u;
};
-
typedef struct ssl3CipherSuiteDefStr {
ssl3CipherSuite cipher_suite;
SSL3BulkCipher bulk_cipher_alg;
/* SessionTicket Extension related data. */
PRBool ticketTimestampVerified;
PRBool emptySessionTicket;
+ PRBool sentSessionTicketInClientHello;
/* SNI Extension related data
* Names data is not coppied from the input buffer. It can not be
* SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
* |sha| for SHA-1.
* TLS 1.2 and later use only |sha|, for SHA-256. */
+ /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
+ * handshake hash for generating client auth signatures. Confusingly, the
+ * backup hash function is SHA-1. */
+#define backupHash md5
PK11Context * md5;
PK11Context * sha;
PRBool sendingSCSV; /* instead of empty RI */
sslBuffer msgState; /* current state for handshake messages*/
/* protected by recvBufLock */
+
+ /* The session ticket received in a NewSessionTicket message is temporarily
+ * stored in newSessionTicket until the handshake is finished; then it is
+ * moved to the sid.
+ */
+ PRBool receivedNewSessionTicket;
+ NewSessionTicket newSessionTicket;
+
PRUint16 finishedBytes; /* size of single finished below */
union {
TLSFinished tFinished[2]; /* client, then server */
/* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
PRBool cacheSID;
+ PRBool canFalseStart; /* Can/did we False Start */
+
/* clientSigAndHash contains the contents of the signature_algorithms
* extension (if any) from the client. This is only valid for TLS 1.2
* or later. */
unsigned long clientAuthRequested;
unsigned long delayDisabled; /* Nagle delay disabled */
unsigned long firstHsDone; /* first handshake is complete. */
+ unsigned long enoughFirstHsDone; /* enough of the first handshake is
+ * done for callbacks to be able to
+ * retrieve channel security
+ * parameters from the SSL socket. */
unsigned long handshakeBegun;
unsigned long lastWriteBlocked;
unsigned long recvdCloseNotify; /* received SSL EOF. */
void *badCertArg;
SSLHandshakeCallback handshakeCallback;
void *handshakeCallbackData;
+ SSLCanFalseStartCallback canFalseStartCallback;
+ void *canFalseStartCallbackData;
void *pkcs11PinArg;
SSLNextProtoCallback nextProtoCallback;
void *nextProtoArg;
extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
-extern PRBool ssl3_CanFalseStart(sslSocket *ss);
+extern void ssl_FinishHandshake(sslSocket *ss);
+
+/* Returns PR_TRUE if we are still waiting for the server to respond to our
+ * client second round. Once we've received any part of the server's second
+ * round then we don't bother trying to false start since it is almost always
+ * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
+ * were sent in the same packet and we want to process them all at the same
+ * time. If we were to try to false start in the middle of the server's second
+ * round, then we would increase the number of I/O operations
+ * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
+ */
+extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
+
extern SECStatus
ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
PRBool isServer,
/* Hello Extension related routines. */
extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
-extern SECStatus ssl3_SetSIDSessionTicket(sslSessionID *sid,
- NewSessionTicket *session_ticket);
+extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
+ /*in/out*/ NewSessionTicket *session_ticket);
extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
unsigned char *encKey, unsigned char *macKey);
/********************** misc calls *********************/
+#ifdef DEBUG
+extern void ssl3_CheckCipherSuiteOrderConsistency();
+#endif
+
extern int ssl_MapLowLevelError(int hiLevelError);
extern PRUint32 ssl_Time(void);
sslSocket * ss;
SSLChannelInfo inf;
sslSessionID * sid;
- PRBool enoughFirstHsDone = PR_FALSE;
if (!info || len < sizeof inf.length) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
memset(&inf, 0, sizeof inf);
inf.length = PR_MIN(sizeof inf, len);
- if (ss->firstHsDone) {
- enoughFirstHsDone = PR_TRUE;
- } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
- ssl3_CanFalseStart(ss)) {
- enoughFirstHsDone = PR_TRUE;
- }
-
- if (ss->opt.useSecurity && enoughFirstHsDone) {
+ if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
sid = ss->sec.ci.sid;
inf.protocolVersion = ss->version;
inf.authKeyBits = ss->sec.authKeyBits;
PORT_SetError(SEC_ERROR_NO_MEMORY);
return (SECFailure);
}
+
+#ifdef DEBUG
+ ssl3_CheckCipherSuiteOrderConsistency();
+#endif
+
ssl_inited = 1;
}
return SECSuccess;
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
+ } else {
+ if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
+ SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
+ PR_FALSE);
+ }
+ if (sid->u.ssl3.srvName.data) {
+ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+ }
+
+ if (sid->u.ssl3.lock) {
+ PR_DestroyRWLock(sid->u.ssl3.lock);
+ }
}
+
if (sid->peerID != NULL)
PORT_Free((void *)sid->peerID); /* CONST */
if ( sid->localCert ) {
CERT_DestroyCertificate(sid->localCert);
}
- if (sid->u.ssl3.sessionTicket.ticket.data) {
- SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
- }
- if (sid->u.ssl3.srvName.data) {
- SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
- }
PORT_ZFree(sid, sizeof(sslSessionID));
}
CacheSID(sslSessionID *sid)
{
PRUint32 expirationPeriod;
+
+ PORT_Assert(sid->cached == never_cached);
+
SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
"time=%x cached=%d",
sid, sid->cached, sid->addr.pr_s6_addr32[0],
sid->addr.pr_s6_addr32[3], sid->port, sid->creationTime,
sid->cached));
- if (sid->cached == in_client_cache)
- return;
-
if (!sid->urlSvrName) {
/* don't cache this SID because it can never be matched */
return;
sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
} else {
if (sid->u.ssl3.sessionIDLength == 0 &&
- sid->u.ssl3.sessionTicket.ticket.data == NULL)
+ sid->u.ssl3.locked.sessionTicket.ticket.data == NULL)
return;
+
/* Client generates the SessionID if this was a stateless resume. */
if (sid->u.ssl3.sessionIDLength == 0) {
SECStatus rv;
expirationPeriod = ssl3_sid_timeout;
PRINT_BUF(8, (0, "sessionID:",
sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
+
+ sid->u.ssl3.lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, NULL);
+ if (!sid->u.ssl3.lock) {
+ return;
+ }
}
PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
if (!sid->creationTime)
return myTime;
}
-SECStatus
-ssl3_SetSIDSessionTicket(sslSessionID *sid, NewSessionTicket *session_ticket)
+void
+ssl3_SetSIDSessionTicket(sslSessionID *sid,
+ /*in/out*/ NewSessionTicket *newSessionTicket)
{
- SECStatus rv;
+ PORT_Assert(sid);
+ PORT_Assert(newSessionTicket);
- /* We need to lock the cache, as this sid might already be in the cache. */
- LOCK_CACHE;
-
- /* A server might have sent us an empty ticket, which has the
- * effect of clearing the previously known ticket.
+ /* if sid->u.ssl3.lock, we are updating an existing entry that is already
+ * cached or was once cached, so we need to acquire and release the write
+ * lock. Otherwise, this is a new session that isn't shared with anything
+ * yet, so no locking is needed.
*/
- if (sid->u.ssl3.sessionTicket.ticket.data)
- SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
- if (session_ticket->ticket.len > 0) {
- rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.sessionTicket.ticket,
- &session_ticket->ticket);
- if (rv != SECSuccess) {
- UNLOCK_CACHE;
- return rv;
+ if (sid->u.ssl3.lock) {
+ PR_RWLock_Wlock(sid->u.ssl3.lock);
+
+ /* A server might have sent us an empty ticket, which has the
+ * effect of clearing the previously known ticket.
+ */
+ if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
+ SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
+ PR_FALSE);
}
- } else {
- sid->u.ssl3.sessionTicket.ticket.data = NULL;
- sid->u.ssl3.sessionTicket.ticket.len = 0;
}
- sid->u.ssl3.sessionTicket.received_timestamp =
- session_ticket->received_timestamp;
- sid->u.ssl3.sessionTicket.ticket_lifetime_hint =
- session_ticket->ticket_lifetime_hint;
- UNLOCK_CACHE;
- return SECSuccess;
+ PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
+
+ /* Do a shallow copy, moving the ticket data. */
+ sid->u.ssl3.locked.sessionTicket = *newSessionTicket;
+ newSessionTicket->ticket.data = NULL;
+ newSessionTicket->ticket.len = 0;
+
+ if (sid->u.ssl3.lock) {
+ PR_RWLock_Unlock(sid->u.ssl3.lock);
+ }
}
ss->securityHandshake = 0;
}
if (ss->handshake == 0) {
- ssl_GetRecvBufLock(ss);
- ss->gs.recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
- SSL_GETPID(), ss->fd));
- /* call handshake callback for ssl v2 */
- /* for v3 this is done in ssl3_HandleFinished() */
- if ((ss->handshakeCallback != NULL) && /* has callback */
- (!ss->firstHsDone) && /* only first time */
- (ss->version < SSL_LIBRARY_VERSION_3_0)) { /* not ssl3 */
- ss->firstHsDone = PR_TRUE;
- (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+ /* for v3 this is done in ssl3_FinishHandshake */
+ if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
+ ssl_GetRecvBufLock(ss);
+ ss->gs.recordLen = 0;
+ ssl_FinishHandshake(ss);
+ ssl_ReleaseRecvBufLock(ss);
}
- ss->firstHsDone = PR_TRUE;
- ss->gs.writeOffset = 0;
- ss->gs.readOffset = 0;
break;
}
rv = (*ss->handshake)(ss);
return rv;
}
+void
+ssl_FinishHandshake(sslSocket *ss)
+{
+ PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
+ SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
+
+ ss->firstHsDone = PR_TRUE;
+ ss->enoughFirstHsDone = PR_TRUE;
+ ss->gs.writeOffset = 0;
+ ss->gs.readOffset = 0;
+
+ if (ss->handshakeCallback) {
+ (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+ }
+}
+
/*
* Handshake function that blocks. Used to force a
* retry on a connection on the next read/write.
ssl_Get1stHandshakeLock(ss);
ss->firstHsDone = PR_FALSE;
+ ss->enoughFirstHsDone = PR_FALSE;
if ( asServer ) {
ss->handshake = ssl2_BeginServerHandshake;
ss->handshaking = sslHandshakingAsServer;
ssl_ReleaseRecvBufLock(ss);
ssl_GetSSL3HandshakeLock(ss);
+ ss->ssl3.hs.canFalseStart = PR_FALSE;
+ ss->ssl3.hs.restartTarget = NULL;
/*
** Blow away old security state and get a fresh setup.
/* SSL v2 protocol does not support subsequent handshakes. */
if (ss->version < SSL_LIBRARY_VERSION_3_0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
rv = SECFailure;
} else {
ssl_GetSSL3HandshakeLock(ss);
return SECSuccess;
}
+/* Register an application callback to be called when false start may happen.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
+ void *arg)
+{
+ sslSocket *ss;
+
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (!ss->opt.useSecurity) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ ssl_Get1stHandshakeLock(ss);
+ ssl_GetSSL3HandshakeLock(ss);
+
+ ss->canFalseStartCallback = cb;
+ ss->canFalseStartCallbackData = arg;
+
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ ssl_Release1stHandshakeLock(ss);
+
+ return SECSuccess;
+}
+
+SECStatus
+SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
+{
+ sslSocket *ss;
+
+ *canFalseStart = PR_FALSE;
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
+ SSL_GETPID(), fd));
+ return SECFailure;
+ }
+
+ if (!ss->ssl3.initialized) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ return SECFailure;
+ }
+
+ /* Require a forward-secret key exchange. */
+ *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+ ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+ ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
+
+ return SECSuccess;
+}
+
/* Try to make progress on an SSL handshake by attempting to read the
** next handshake from the peer, and sending any responses.
** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK if it cannot
int amount;
int available;
+ /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
+ * 1stHandshakeLock. */
+ ssl_Get1stHandshakeLock(ss);
ssl_GetRecvBufLock(ss);
available = ss->gs.writeOffset - ss->gs.readOffset;
done:
ssl_ReleaseRecvBufLock(ss);
+ ssl_Release1stHandshakeLock(ss);
return rv;
}
int
ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
{
- int rv = 0;
+ int rv = 0;
SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
SSL_GETPID(), ss->fd, len));
ss->writerThread = PR_GetCurrentThread();
/* If any of these is non-zero, the initial handshake is not done. */
if (!ss->firstHsDone) {
- PRBool canFalseStart = PR_FALSE;
+ PRBool falseStart = PR_FALSE;
ssl_Get1stHandshakeLock(ss);
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+ if (ss->opt.enableFalseStart &&
+ ss->version >= SSL_LIBRARY_VERSION_3_0) {
ssl_GetSSL3HandshakeLock(ss);
- if ((ss->ssl3.hs.ws == wait_change_cipher ||
- ss->ssl3.hs.ws == wait_finished ||
- ss->ssl3.hs.ws == wait_new_session_ticket) &&
- ssl3_CanFalseStart(ss)) {
- canFalseStart = PR_TRUE;
- }
+ falseStart = ss->ssl3.hs.canFalseStart;
ssl_ReleaseSSL3HandshakeLock(ss);
}
- if (!canFalseStart &&
+ if (!falseStart &&
(ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
rv = ssl_Do1stHandshake(ss);
}
goto done;
}
+ if (!ss->firstHsDone) {
+ PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
+#ifdef DEBUG
+ ssl_GetSSL3HandshakeLock(ss);
+ PORT_Assert(ss->ssl3.hs.canFalseStart);
+ ssl_ReleaseSSL3HandshakeLock(ss);
+#endif
+ SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
+ SSL_GETPID(), ss->fd));
+ }
+
/* Send out the data using one of these functions:
* ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock,
* ssl3_SendApplicationData
ss->badCertArg = os->badCertArg;
ss->handshakeCallback = os->handshakeCallback;
ss->handshakeCallbackData = os->handshakeCallbackData;
+ ss->canFalseStartCallback = os->canFalseStartCallback;
+ ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
ss->pkcs11PinArg = os->pkcs11PinArg;
/* Create security data */
} else if (new_flags & PR_POLL_WRITE) {
/* The caller is trying to write, but the handshake is
** blocked waiting for data to read, and the first
- ** handshake has been sent. so do NOT to poll on write.
+ ** handshake has been sent. So do NOT to poll on write
+ ** unless we did false start.
*/
- new_flags ^= PR_POLL_WRITE; /* don't select on write. */
- new_flags |= PR_POLL_READ; /* do select on read. */
+ if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+ ss->ssl3.hs.canFalseStart)) {
+ new_flags ^= PR_POLL_WRITE; /* don't select on write. */
+ }
+ new_flags |= PR_POLL_READ; /* do select on read. */
}
}
} else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.15.3.1"
+#define NSSUTIL_VERSION "3.15.4"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 15
-#define NSSUTIL_VPATCH 3
-#define NSSUTIL_VBUILD 1
+#define NSSUTIL_VPATCH 4
+#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS
}
SGNDigestInfo *
-SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
+SGN_CreateDigestInfo(SECOidTag algorithm, const unsigned char *sig,
+ unsigned len)
{
SGNDigestInfo *di;
SECStatus rv;
** I think that is all anybody ever wants to do anyway.
*/
extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
- unsigned char *sig,
+ const unsigned char *sig,
unsigned int sigLen);
/*
########################################################################
start_httpserv()
{
+ HTTP_METHOD=$1
+
if [ -n "$testname" ] ; then
echo "$SCRIPTNAME: $testname ----"
fi
echo "httpserv starting at `date`"
+ ODDIR="${HOSTDIR}/chains/OCSPD"
echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
+ echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
+ echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
+ echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
echo " -i ${HTTPPID} $verbose &"
${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
+ -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
+ -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
+ -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
-i ${HTTPPID} $verbose &
RET=$?
DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
+ DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
+ NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
+ NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
+ NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
+
+ html_head "Certificate Chains Tests"
+}
+
+chains_run_httpserv()
+{
+ HTTP_METHOD=$1
if [ -n "${NSS_AIA_PATH}" ]; then
HTTPPID=${NSS_AIA_PATH}/http_pid.$$
# Start_httpserv sets environment variables, which are required for
# correct cleanup. (Running it in a subshell doesn't work, the
# value of $SHELL_HTTPPID wouldn't arrive in this scope.)
- start_httpserv
+ start_httpserv ${HTTP_METHOD}
cd "${SAVEPWD}"
fi
+}
- html_head "Certificate Chains Tests"
+chains_stop_httpserv()
+{
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ kill_httpserv
+ fi
}
############################ chains_cleanup ############################
########################################################################
chains_cleanup()
{
- if [ -n "${NSS_AIA_PATH}" ]; then
- kill_httpserv
- fi
-
html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
{
if [ -n "${OCSP}" ]; then
OPTIONS="${OPTIONS} --extAIA"
+
+ if [ "${OCSP}" = "offline" ]; then
+ MY_OCSP_URL=${NSS_OCSP_UNUSED}
+ else
+ MY_OCSP_URL=${NSS_AIA_OCSP}
+ fi
DATA="${DATA}2
7
-${NSS_AIA_OCSP}:${OCSP}
+${MY_OCSP_URL}
0
n
n
KEY_NAME=$1.p12
DB=$2
- KEY_FILE=${QADIR}/libpkix/certs/${KEY_NAME}
+ KEY_FILE=../OCSPD/${KEY_NAME}
TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
echo "${SCRIPTNAME}: ${TESTNAME}"
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
+export_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
############################# import_cert ##############################
# local shell function to import certificate into database
########################################################################
CERT_ISSUER=
CERT=${CERT_NICK}.cert
CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
else
CERT=${CERT_NICK}${CERT_ISSUER}.der
CERT_FILE=${CERT}
########################################################################
verify_cert()
{
+ ENGINE=$1
+
DB_OPT=
FETCH_OPT=
POLICY_OPT=
CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
VFY_CERTS="${VFY_CERTS} ${CERT}"
VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT="../OCSPD/${CERT_NICK}.der"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
else
CERT=${CERT_NICK}${CERT_ISSUER}.der
VFY_CERTS="${VFY_CERTS} ${CERT}"
fi
done
- VFY_OPTS_TNAME="${TRUST_AND_DB_OPT} ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
- VFY_OPTS_ALL="${DB_OPT} -pp -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+ VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
echo "${SCRIPTNAME}: ${TESTNAME}"
CERT_ISSUER=
CERT=${CERT_NICK}.cert
CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
else
CERT=${CERT_NICK}${CERT_ISSUER}.der
CERT_FILE=${CERT}
# sample line:
# URI: "http://ocsp.server:2601"
- OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
- OCSP_PORT=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:.*:\([0-9]*\)\"/\1/")
+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
return $?
}
EXT_NS=
EXT_EKU=
SERIAL=
+ EXPORT_KEY=
;;
"type")
TYPE="${VALUE}"
"serial")
SERIAL="${VALUE}"
;;
+ "export_key")
+ EXPORT_KEY=1
+ ;;
"copycrl")
COPYCRL="${VALUE}"
copy_crl "${COPYCRL}"
if [ "${TYPE}" = "Bridge" ]; then
create_pkcs7 "${ENTITY}"
fi
+ if [ -n "${EXPORT_KEY}" ]; then
+ export_key "${ENTITY}" "${DB}"
+ fi
ENTITY=
fi
if [ -n "${VERIFY}" ]; then
- verify_cert
+ verify_cert "-pp"
+ if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ]; then
+ verify_cert ""
+ verify_cert "-p"
+ fi
VERIFY=
fi
fi
}
+process_scenario()
+{
+ SCENARIO_FILE=$1
+
+ > ${AIA_FILES}
+
+ parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
+
+ while read AIA_FILE
+ do
+ rm ${AIA_FILE} 2> /dev/null
+ done < ${AIA_FILES}
+ rm ${AIA_FILES}
+}
+
+# process ocspd.cfg separately
+chains_ocspd()
+{
+ process_scenario "ocspd.cfg"
+}
+
+# process ocsp.cfg separately
+chains_method()
+{
+ process_scenario "method.cfg"
+}
+
############################# chains_main ##############################
# local shell function to process all testing scenarios
########################################################################
do
[ `echo ${LINE} | cut -b 1` != "#" ] || continue
- > ${AIA_FILES}
-
- parse_config < "${QADIR}/chains/scenarios/${LINE}"
+ [ ${LINE} != 'ocspd.cfg' ] || continue
+ [ ${LINE} != 'method.cfg' ] || continue
- while read AIA_FILE
- do
- rm ${AIA_FILE} 2> /dev/null
- done < ${AIA_FILES}
- rm ${AIA_FILES}
+ process_scenario ${LINE}
done < "${CHAINS_SCENARIOS}"
}
################################ main ##################################
chains_init
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_ocspd
+VERIFY_CLASSIC_ENGINE_TOO=1
+chains_run_httpserv get
+chains_method
+chains_stop_httpserv
+chains_run_httpserv post
+chains_method
+chains_stop_httpserv
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_run_httpserv random
chains_main
+chains_stop_httpserv
+chains_run_httpserv get-unknown
+chains_main
+chains_stop_httpserv
chains_cleanup
-
-This script is used to generate certificates used by ocspd.
-
-Some steps to run (only once - before all OCSP testing):
-1. Edit security/nss/tests/chains/scenarios/scenarios to have there only ocspd.cfg
-2. Set environment variable to run only chains tests: export NSS_TESTS=chains.sh
-3. Set environment variable to have the correct URI in the certificates: export NSS_AIA_OCSP=http://dochinups.us.oracle.com
-4. Run tests: ./all.sh
-5. Go to results directory: cd tests_results/security/${HOST}.${ID}/chains
-6. Copy ocspd-certs.sh and ocspd.conf.template to this directory
-7. Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}:
- Example: ./ocspd-certs.sh OCSPD /export/iopr/openca-ocsp-responder/etc/ocspdPKIX \
- ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
-8. Commit the new certificates that have been generated under ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
-9. Copy config files and keys/certs/crls to ocspd etc directory:
- cp *.conf /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX
- cp *.pem *.key /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX/OCSPD
-10. Start ocsp deamons on dochinups (for all configs).
+OBSOLETE
+tests have been changed to use a local ocsp server (using httpserv)
--- /dev/null
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
scenario OCSP
-check_ocsp OCSPEE11:x
+check_ocsp OCSPEE11OCSPCA1:d
db OCSPRoot
-import OCSPRoot:x:CT,C,C
+import OCSPRoot:d:CT,C,C
db OCSPCA1
import_key OCSPCA1
testdb OCSPRoot
#EE - OK, CA - OK
-verify OCSPEE11:x
- cert OCSPCA1:x
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
result pass
#EE - revoked, CA - OK
-verify OCSPEE12:x
- cert OCSPCA1:x
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
result fail
#EE - unknown
-verify OCSPEE15:x
- cert OCSPCA1:x
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result pass
#EE - unknown, requireFreshInfo
-verify OCSPEE15:x
- cert OCSPCA1:x
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
result fail
#EE - OK, CA - revoked, leaf, no fresh info
-verify OCSPEE21:x
- cert OCSPCA2:x
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result pass
#EE - OK, CA - revoked, leaf, requireFreshInfo
-verify OCSPEE21:x
- cert OCSPCA2:x
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
result fail
#EE - OK, CA - revoked, chain, requireFreshInfo
-verify OCSPEE21:x
- cert OCSPCA2:x
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type chain
rev_flags requireFreshInfo
result fail
#EE - OK, CA - unknown
-verify OCSPEE31:x
- cert OCSPCA3:x
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result pass
#EE - OK, CA - unknown, requireFreshInfo
-verify OCSPEE31:x
- cert OCSPCA3:x
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
result fail
#EE - revoked, doNotUse
-verify OCSPEE12:x
- cert OCSPCA1:x
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result pass
#EE - revoked, forbidFetching
-verify OCSPEE12:x
- cert OCSPCA1:x
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result pass
#EE - unknown status, failIfNoInfo
-verify OCSPEE15:x
- cert OCSPCA1:x
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
result fail
#EE - OK, CA - revoked, leaf, failIfNoInfo
-verify OCSPEE21:x
- cert OCSPCA2:x
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
#EE - OK on OCSP, revoked locally - should fail ??
# two things about this test: crl is not imported into the db and
# cert 13 is not revoked by crl.
-verify OCSPEE13:x
- cert OCSPCA1:x
+verify OCSPEE13OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
trust OCSPCA1
rev_type leaf
rev_flags testLocalInfoFirst
result pass
db OCSPRoot1
-import OCSPRoot:x:CT,C,C
+import OCSPRoot:d:CT,C,C
-verify OCSPEE23:x
- cert OCSPCA2:x
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type chain
rev_mtype ocsp
result fail
db OCSPRoot2
-import OCSPRoot:x:T,,
+import OCSPRoot:d:T,,
# bug 527438
# expected result of this test is FAIL
-verify OCSPEE23:x
- cert OCSPCA2:x
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
trust OCSPRoot
rev_type chain
rev_mtype ocsp
#root CA
entity OCSPRoot
type Root
+ export_key
#CA - OK
entity OCSPCA1
type Intermediate
issuer OCSPRoot
serial 1
- ocsp 2600
+ ocsp online
+ export_key
#CA - revoked
entity OCSPCA2
type Intermediate
issuer OCSPRoot
serial 2
- ocsp 2600
+ ocsp online
+ export_key
#CA - unknown status
entity OCSPCA3
type Intermediate
issuer OCSPRoot
serial 3
- ocsp 2599
+ ocsp offline
+ export_key
#EE - OK
entity OCSPEE11
type EE
issuer OCSPCA1
serial 1
- ocsp 2601
+ ocsp online
#EE - revoked on OCSP
entity OCSPEE12
type EE
issuer OCSPCA1
serial 2
- ocsp 2601
+ ocsp online
#EE - revoked on CRL
entity OCSPEE13
type EE
issuer OCSPCA1
serial 3
- ocsp 2601
+ ocsp online
#EE - revoked on OCSP and CRL
entity OCSPEE14
type EE
issuer OCSPCA1
serial 4
- ocsp 2601
+ ocsp online
#EE - unknown status
entity OCSPEE15
type EE
issuer OCSPCA1
serial 5
- ocsp 2599
+ ocsp offline
#EE - valid EE, revoked CA
entity OCSPEE21
type EE
issuer OCSPCA2
serial 1
- ocsp 2602
+ ocsp online
#EE - revoked EE, revoked CA
entity OCSPEE22
type EE
issuer OCSPCA2
serial 2
- ocsp 2602
+ ocsp online
#EE - revoked EE, CA pointing to invalid OCSP
entity OCSPEE23
type EE
issuer OCSPCA2
serial 3
- ocsp 2599
+ ocsp offline
#EE - valid EE, CA pointing to invalid OCSP
entity OCSPEE31
type EE
issuer OCSPCA3
serial 1
- ocsp 2603
+ ocsp online
#EE - revoked EE, CA pointing to invalid OCSP
entity OCSPEE32
type EE
issuer OCSPCA3
serial 2
- ocsp 2603
+ ocsp online
#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
entity OCSPEE33
type EE
issuer OCSPCA3
serial 3
- ocsp 2599
+ ocsp offline
crl OCSPRoot
revoke OCSPCA3
serial 3
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
+#
+# Scenario ocspd.cfg will always be processed first,
+# regardless of its presence in this list.
+#
+# Scenario method.cfg will always be processed, regardless of its presence
+# in this list, and will be processed twice, once with httpserv -O get
+# and once with -O post. Because method.cfg will be executed with both
+# classic and libpkix engines, it must not contain any policy checks.
+#
bridge.cfg
megabridge_3_2.cfg
extension.cfg
0 rc4_-D RC4_Decrypt
0 rsa_-E RSA_Encrypt
0 rsa_-D RSA_Decrypt
+ 0 rsa_oaep_-E RSA_EncryptOAEP
+ 0 rsa_oaep_-D RSA_DecryptOAEP
+ 0 rsa_pss_-S RSA_SignPSS
+ 0 rsa_pss_-V RSA_CheckSignPSS
0 dsa_-S DSA_Sign
0 dsa_-V DSA_Verify
0 md2_-H MD2_Hash
cd ${CLIENTDIR}
}
-ocsp_stapling()
-{
- # Parameter -4 is used as a temporary workaround for lack of IPv6 connectivity
- # on some build bot slaves.
-
- TESTNAME="startssl valid, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}
- html_msg $? 0 "$TESTNAME"
-
- TESTNAME="startssl revoked, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
- html_msg $? 3 "$TESTNAME"
-
- TESTNAME="comodo trial test expired revoked, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}
- html_msg $? 1 "$TESTNAME"
-
- TESTNAME="thawte (expired) valid, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}
- html_msg $? 1 "$TESTNAME"
-
- TESTNAME="thawte (expired) revoked, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}
- html_msg $? 1 "$TESTNAME"
-
- TESTNAME="digicert valid, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}
- html_msg $? 0 "$TESTNAME"
-
- TESTNAME="digicert revoked, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}
- html_msg $? 3 "$TESTNAME"
-
- TESTNAME="live valid, supports OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}"
- ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}
- html_msg $? 0 "$TESTNAME"
-
- TESTNAME="startssl valid, doesn't support OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}"
- ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}
- html_msg $? 2 "$TESTNAME"
-
- TESTNAME="cacert untrusted, doesn't support OCSP stapling"
- echo "$SCRIPTNAME: $TESTNAME"
- echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}"
- ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}
- html_msg $? 1 "$TESTNAME"
-}
-
################## main #################################################
ocsp_init
ocsp_iopr_run
-ocsp_stapling
--threads X set thread number to X (max. 10, default 10)
--out DIR set DIR as output directory (default '/out')
--mail ADDRESS send mail with test result to ADDRESS
- --nss DIR set NSS directory to DIR (default '~/cvs/nss')
- --nss-hack DIR set hacked NSS directory to DIR (default '~/cvs/nss_hack')
+ --nss DIR set NSS directory to DIR (default '~/niscc-hg/nss')
+ --nss-hack DIR set hacked NSS directory to DIR (default '~/niscc-hg/nss_hack')
--log-store store all the logs (only summary by default)
--no-build-test don't pull and build tested NSS
--no-build-hack don't pull and build hacked NSS
export NISCC_HOME=${NISCC_HOME:-/niscc}
# Base location of NSS
- export CVS=${CVS:-"$HOME/cvs"}
+ export HG=${HG:-"$HOME/niscc-hg"}
# NSS being tested
- export LOCALDIST=${LOCALDIST:-"${CVS}/nss"}
+ export LOCALDIST=${LOCALDIST:-"${HG}/nss"}
# Hacked NSS - built with "NISCC_TEST=1"
- export NSS_HACK=${NSS_HACK:-"${CVS}/nss_hack"}
+ export NSS_HACK=${NSS_HACK:-"${HG}/nss_hack"}
# Hostname of the testmachine
export HOST=${HOST:-127.0.0.1}
}
################################################################################
-# Do a cvs pull of NSS
+# Do a HG pull of NSS
################################################################################
-cvs_pull()
+hg_pull()
{
- # Tested NSS - by default using current CVS HEAD
+ # Tested NSS - by default using HG default tip
if [ "$NO_BUILD_TEST" = "false" ]; then
- echo "cloning NSS sources to be tested from CVS"
+ echo "cloning NSS sources to be tested from HG"
[ ! -d "$LOCALDIST" ] && mkdir -p "$LOCALDIST"
cd "$LOCALDIST"
- cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r HEAD NSPR &>> $TEST_OUTPUT/nisccBuildLog
- cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r HEAD NSS &>> $TEST_OUTPUT/nisccBuildLog
+ [ ! -d "$LOCALDIST/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
+ cd nspr; hg pull; hg update -C -r default; cd ..
+ [ ! -d "$LOCALDIST/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
+ cd nss; hg pull; hg update -C -r default; cd ..
#find . -exec touch {} \;
fi
# Hacked NSS - by default using some RTM version.
# Do not use HEAD for hacked NSS - it needs to be stable and bug-free
if [ "$NO_BUILD_HACK" = "false" ]; then
- echo "cloning NSS sources for a hacked build from CVS"
+ echo "cloning NSS sources for a hacked build from HG"
[ ! -d "$NSS_HACK" ] && mkdir -p "$NSS_HACK"
cd "$NSS_HACK"
- NSPR_TAG=`curl http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | awk '{print $1}'`
- NSS_TAG=`curl http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | awk '{print $1}'`
- cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r $NSPR_TAG NSPR &>> $TEST_OUTPUT/nisccBuildLogHack
- cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r $NSS_TAG NSS &>> $TEST_OUTPUT/nisccBuildLogHack
+ NSPR_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
+ NSS_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
+ [ ! -d "$NSS_HACK/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
+ cd nspr; hg pull; hg update -C -r "$NSPR_TAG"; cd ..
+ [ ! -d "$NSS_HACK/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
+ cd nss; hg pull; hg update -C -r "$NSS_TAG"; cd ..
#find . -exec touch {} \;
fi
}
echo "building NSS to be tested"
cd "$LOCALDIST"
unset NISCC_TEST
- cd mozilla/security/nss
+ cd nss
gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLog
gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLog
fi
echo "building hacked NSS"
cd "$NSS_HACK"
export NISCC_TEST=1
- cd mozilla/security/nss
+ cd nss
gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLogHack
gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLogHack
fi
echo "PATH $PATH" >> "$TEST_OUTPUT/nisccLog00"
# Find out hacked NSS version
- DISTTYPE=`cd "$NSS_HACK/mozilla/security/nss/tests/common"; gmake objdir_name`
+ DISTTYPE=`cd "$NSS_HACK/nss/tests/common"; gmake objdir_name`
echo "NSS_HACK DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
- export HACKBIN="$NSS_HACK/mozilla/dist/$DISTTYPE/bin"
- export HACKLIB="$NSS_HACK/mozilla/dist/$DISTTYPE/lib"
+ export HACKBIN="$NSS_HACK/dist/$DISTTYPE/bin"
+ export HACKLIB="$NSS_HACK/dist/$DISTTYPE/lib"
if [ "$TEST_SYSTEM" = "false" ]; then
# Find out nss version
- DISTTYPE=`cd "$LOCALDIST/mozilla/security/nss/tests/common"; gmake objdir_name`
+ DISTTYPE=`cd "$LOCALDIST/nss/tests/common"; gmake objdir_name`
echo "NSS DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
- export TESTBIN="$LOCALDIST/mozilla/dist/$DISTTYPE/bin"
- export TESTLIB="$LOCALDIST/mozilla/dist/$DISTTYPE/lib"
+ export TESTBIN="$LOCALDIST/dist/$DISTTYPE/bin"
+ export TESTLIB="$LOCALDIST/dist/$DISTTYPE/lib"
export TESTTOOLS="$TESTBIN"
else
# Using system installed NSS
################################################################################
process_args $*
create_environment
-cvs_pull
+hg_pull
build_NSS
init
niscc_smime
projects / platform / upstream / nss.git / commitdiff