KotJohansson/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 14:54:25 +00:00
Code Issues Projects Releases Wiki Activity

Update NSS to 3.41

Browse Source
This commit is contained in:
wolfbeast
2018-12-15 01:42:53 +01:00
committed by Roy Tam
parent d5f6e64f43
commit 5f0986e66f
540 changed files with 47311 additions and 8374 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nsprpub/pr/tests/abstract.c
+157
View File
@@ -0,0 +1,157 @@
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <stdio.h>
#if defined(LINUX)
#include <string.h>
#include "nspr.h"
static const char abstractSocketName[] = "\0testsocket";
static void
ClientThread(void* aArg)
{
PRFileDesc* socket;
PRNetAddr addr;
PRUint8 buf[1024];
PRInt32 len;
PRInt32 total;
addr.local.family = PR_AF_LOCAL;
memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
socket = PR_OpenTCPSocket(addr.raw.family);
if (!socket) {
fprintf(stderr, "PR_OpenTCPSokcet failed\n");
exit(1);
}
if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) == PR_FAILURE) {
fprintf(stderr, "PR_Connect failed\n");
exit(1);
}
total = 0;
while (total < sizeof(buf)) {
len = PR_Recv(socket, buf + total, sizeof(buf) - total, 0,
PR_INTERVAL_NO_TIMEOUT);
if (len < 1) {
fprintf(stderr, "PR_Recv failed\n");
exit(1);
}
total += len;
}
total = 0;
while (total < sizeof(buf)) {
len = PR_Send(socket, buf + total, sizeof(buf) - total, 0,
PR_INTERVAL_NO_TIMEOUT);
if (len < 1) {
fprintf(stderr, "PR_Send failed\n");
exit(1);
}
total += len;
}
if (PR_Close(socket) == PR_FAILURE) {
fprintf(stderr, "PR_Close failed\n");
exit(1);
}
}
int
main()
{
PRFileDesc* socket;
PRFileDesc* acceptSocket;
PRThread* thread;
PRNetAddr addr;
PRUint8 buf[1024];
PRInt32 len;
PRInt32 total;
addr.local.family = PR_AF_LOCAL;
memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
socket = PR_OpenTCPSocket(addr.raw.family);
if (!socket) {
fprintf(stderr, "PR_OpenTCPSocket failed\n");
exit(1);
}
if (PR_Bind(socket, &addr) == PR_FAILURE) {
fprintf(stderr, "PR_Bind failed\n");
exit(1);
}
if (PR_Listen(socket, 5) == PR_FAILURE) {
fprintf(stderr, "PR_Listen failed\n");
exit(1);
}
thread = PR_CreateThread(PR_USER_THREAD, ClientThread, 0, PR_PRIORITY_NORMAL,
PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
if (!thread) {
fprintf(stderr, "PR_CreateThread failed");
exit(1);
}
acceptSocket = PR_Accept(socket, NULL, PR_INTERVAL_NO_TIMEOUT);
if (!acceptSocket) {
fprintf(stderr, "PR_Accept failed\n");
exit(1);
}
memset(buf, 'A', sizeof(buf));
total = 0;
while (total < sizeof(buf)) {
len = PR_Send(acceptSocket, buf + total, sizeof(buf) - total, 0,
PR_INTERVAL_NO_TIMEOUT);
if (len < 1) {
fprintf(stderr, "PR_Send failed\n");
exit(1);
}
total += len;
}
total = 0;
while (total < sizeof(buf)) {
len = PR_Recv(acceptSocket, buf + total, sizeof(buf) - total, 0,
PR_INTERVAL_NO_TIMEOUT);
if (len < 1) {
fprintf(stderr, "PR_Recv failed\n");
exit(1);
}
total += len;
}
if (PR_Close(acceptSocket) == PR_FAILURE) {
fprintf(stderr, "PR_Close failed\n");
exit(1);
}
if (PR_JoinThread(thread) == PR_FAILURE) {
fprintf(stderr, "PR_JoinThread failed\n");
exit(1);
}
if (PR_Close(socket) == PR_FAILURE) {
fprintf(stderr, "PR_Close failed\n");
exit(1);
}
printf("PASS\n");
return 0;
}
#else
int
main()
{
prinf("PASS\n");
return 0;
}
#endif
old-configure.in
+1 -1
View File
@@ -2049,7 +2049,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
AM_PATH_NSS(3.38, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
AM_PATH_NSS(3.41, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
fi
if test -z "$MOZ_SYSTEM_NSS"; then
security/nss/TAG-INFO
-1
View File
@@ -1 +0,0 @@
NSS_3_38_RTM
security/nss/automation/abi-check/expected-report-libnss3.so.txt
+18
View File
@@ -0,0 +1,18 @@
1 function with some indirect sub-type change:
[C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2203:1 has some indirect sub-type changes:
parameter 2 of type 'typedef SECOidTag' has sub-type changes:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
4 enumerator insertions:
'__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
'__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+16 -2
View File
@@ -1,4 +1,18 @@
1 Added function:
1 function with some indirect sub-type change:
[C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2217:1 has some indirect sub-type changes:
parameter 1 of type 'typedef SECOidTag' has sub-type changes:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
4 enumerator insertions:
'__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
'__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)' {SECITEM_MakeItem@@NSSUTIL_3.38}
security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+48
View File
@@ -0,0 +1,48 @@
1 function with some indirect sub-type change:
[C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:363:1 has some indirect sub-type changes:
parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
type size hasn't changed
1 data member changes (2 filtered):
type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
type size hasn't changed
1 data member changes (3 filtered):
type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
type size hasn't changed
1 data member changes (1 filtered):
type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
in pointed to type 'NSSCMSAttribute*':
in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
type size hasn't changed
1 data member change:
type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
underlying type 'struct SECOidDataStr' at secoidt.h:513:1 changed:
type size hasn't changed
1 data member change:
type of 'SECOidTag SECOidDataStr::offset' changed:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
4 enumerator insertions:
'__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
'__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
'__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
security/nss/automation/abi-check/previous-nss-release
+1 -1
View File
@@ -1 +1 @@
NSS_3_37_BRANCH
NSS_3_40_BRANCH
security/nss/automation/clang-format/Dockerfile
+24 -15
View File
@@ -1,26 +1,35 @@
FROM ubuntu:16.04
MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
# Minimal image with clang-format 3.9.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
clang-format-3.9 \
locales \
mercurial \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
RUN update-alternatives --install /usr/bin/clang-format \
clang-format $(which clang-format-3.9) 10
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
# Entrypoint.
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
USER $USER
# Entrypoint - which only works if /home/worker/nss is mounted.
ENTRYPOINT ["/home/worker/nss/automation/clang-format/run_clang_format.sh"]
security/nss/automation/clang-format/setup.sh
-44
View File
@@ -1,44 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Install packages.
apt_packages=()
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('xz-utils')
apt_packages+=('mercurial')
apt_packages+=('git')
apt_packages+=('locales')
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Download clang.
curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify clang.tar.xz.sig
# Install into /usr/local/.
tar xJvf *.tar.xz -C /usr/local --strip-components=1
# Cleanup.
function cleanup() {
rm -f clang.tar.xz clang.tar.xz.sig
}
trap cleanup ERR EXIT
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
# We're done. Remove this script.
rm $0
security/nss/automation/release/nspr-version.txt
+1 -1
View File
@@ -1,4 +1,4 @@
4.19
4.20
# The first line of this file must contain the human readable NSPR
# version number, which is the minimum required version of NSPR
security/nss/automation/taskcluster/docker-aarch64/Dockerfile
-1
View File
@@ -20,7 +20,6 @@ ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
security/nss/automation/taskcluster/docker-arm/Dockerfile
-1
View File
@@ -17,7 +17,6 @@ ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
security/nss/automation/taskcluster/docker-builds/Dockerfile
+75
View File
@@ -0,0 +1,75 @@
# Dockerfile for building extra builds. This includes more tools than the
# default image, so it's a fair bit bigger. Only use this for builds where
# the smaller docker image is missing something. These builds will run on
# the leaner configuration.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
clang-4.0 \
clang \
cmake \
curl \
g++-4.8-multilib \
g++-5-multilib \
g++-6-multilib \
g++-multilib \
git \
gyp \
libelf-dev \
libdw-dev \
libssl-dev \
libssl-dev:i386 \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
llvm-dev \
locales \
mercurial \
ninja-build \
pkg-config \
valgrind \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Latest version of abigail-tools
RUN apt-get update \
&& apt-get install -y --no-install-recommends automake libtool libxml2-dev \
&& git clone git://sourceware.org/git/libabigail.git /tmp/libabigail \
&& cd /tmp/libabigail \
&& autoreconf -fi \
&& ./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual \
&& make && make install \
&& rm -rf /tmp/libabigail \
&& apt-get remove -y automake libtool libxml2-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh → security/nss/automation/taskcluster/docker-builds/bin/checkout.sh
View File
security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
-30
View File
@@ -1,30 +0,0 @@
FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
ENV DOMSUF localdomain
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
-46
View File
@@ -1,46 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need this to add keys for PPAs below.
apt-get install -y --no-install-recommends apt-utils
apt_packages=()
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('locales')
apt_packages+=('xz-utils')
# Latest Mercurial.
apt_packages+=('mercurial')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
# Install packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Download clang.
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify *.tar.xz.sig
# Install into /usr/local/.
tar xJvf *.tar.xz -C /usr/local --strip-components=1
# Cleanup.
rm *.tar.xz*
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
security/nss/automation/taskcluster/docker-clang-format/Dockerfile
+38
View File
@@ -0,0 +1,38 @@
# Minimal image with clang-format 3.9.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
clang-format-3.9 \
locales \
mercurial \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
RUN update-alternatives --install /usr/bin/clang-format \
clang-format $(which clang-format-3.9) 10
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh
+20
View File
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1
security/nss/automation/taskcluster/docker-decision/Dockerfile
+27 -20
View File
@@ -1,30 +1,37 @@
FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
# Minimal image for running the decision task.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
locales \
mercurial \
nodejs \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-decision/setup.sh
-31
View File
@@ -1,31 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need those to install newer packages below.
apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
# Latest Mercurial.
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
# Install packages.
apt-get -y update && apt-get install -y --no-install-recommends mercurial
# Latest Node.JS.
curl -sL https://deb.nodesource.com/setup_6.x | bash -
apt-get install -y --no-install-recommends nodejs
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
security/nss/automation/taskcluster/docker-fuzz/Dockerfile
+48 -22
View File
@@ -1,33 +1,59 @@
FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
# Dockerfile for running fuzzing tests.
#
# Note that when running this, you need to add `--cap-add SYS_PTRACE` to the
# docker invocation or ASAN won't work.
# On taskcluster use `features: ["allowPtrace"]`.
# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
clang \
clang-tools \
curl \
g++-multilib \
git \
gyp \
libssl-dev \
libssl-dev:i386 \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
llvm-dev \
locales \
mercurial \
ninja-build \
pkg-config \
valgrind \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
# LLVM 4.0
ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
# Change user.
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-fuzz/setup.sh
-58
View File
@@ -1,58 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need this to add keys for PPAs below.
apt-get install -y --no-install-recommends apt-utils
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('git')
apt_packages+=('gyp')
apt_packages+=('libssl-dev')
apt_packages+=('libxml2-utils')
apt_packages+=('locales')
apt_packages+=('ninja-build')
apt_packages+=('pkg-config')
apt_packages+=('zlib1g-dev')
# 32-bit builds
apt_packages+=('gcc-multilib')
apt_packages+=('g++-multilib')
# Latest Mercurial.
apt_packages+=('mercurial')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
# Install packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# 32-bit builds
dpkg --add-architecture i386
apt-get -y update
apt-get install -y --no-install-recommends libssl-dev:i386
# Install LLVM/clang-4.0.
mkdir clang-tmp
git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
git -C clang-tmp/clang checkout HEAD scripts/update.py
clang-tmp/clang/scripts/update.py
rm -fr clang-tmp
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
+73
View File
@@ -0,0 +1,73 @@
# Dockerfile for running fuzzing tests on linux32.
#
# This is a temporary workaround for bugs in clang that make it incompatible
# with Ubuntu 18.04 (see bug 1488148). This image can be removed once a new
# release of LLVM includes the necessary fixes.
FROM ubuntu:16.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
curl \
g++-multilib \
git \
gyp \
libssl-dev \
libssl-dev:i386 \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
locales \
mercurial \
ninja-build \
pkg-config \
software-properties-common \
valgrind \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Install clang and tools from the LLVM PPA.
RUN curl -sf https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \
&& apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-6.0 main" \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
clang-6.0 \
clang-tools-6.0 \
llvm-6.0-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Alias all the clang commands.
RUN for i in $(dpkg -L clang-6.0 clang-tools-6.0 | grep '^/usr/bin/' | xargs -i basename {} -6.0); do \
update-alternatives --install "/usr/bin/$i" "$i" "/usr/bin/${i}-6.0" 10; \
done
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
# Change user.
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh
+20
View File
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1
security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
+28 -19
View File
@@ -1,30 +1,39 @@
FROM ubuntu:14.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
g++-4.4 \
gcc-4.4 \
locales \
make \
mercurial \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
USER worker
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh
-30
View File
@@ -1,30 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
apt_packages=()
apt_packages+=('ca-certificates')
apt_packages+=('g++-4.4')
apt_packages+=('gcc-4.4')
apt_packages+=('locales')
apt_packages+=('make')
apt_packages+=('mercurial')
apt_packages+=('zlib1g-dev')
# Install packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
security/nss/automation/taskcluster/docker-interop/Dockerfile
+56
View File
@@ -0,0 +1,56 @@
# Dockerfile for running interop tests.
# This includes Rust, golang, and nodejs.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
clang \
cmake \
curl \
g++-multilib \
git \
golang \
gyp \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
llvm-dev \
locales \
mercurial \
ninja-build \
npm \
pkg-config \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Install Rust stable as $USER.
RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker-interop/bin/checkout.sh
+20
View File
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1
security/nss/automation/taskcluster/docker/Dockerfile
+38 -19
View File
@@ -1,30 +1,49 @@
FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
# Lean image for running the bulk of the NSS CI tests on taskcluster.
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
clang \
curl \
g++-multilib \
git \
gyp \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
llvm-dev \
locales \
mercurial \
ninja-build \
pkg-config \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV HOSTNAME taskcluster-worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
# Rust + Go
ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
security/nss/automation/taskcluster/docker/setup.sh
-74
View File
@@ -1,74 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Update packages.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need this to add keys for PPAs below.
apt-get install -y --no-install-recommends apt-utils
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('clang-5.0')
apt_packages+=('curl')
apt_packages+=('npm')
apt_packages+=('git')
apt_packages+=('golang-1.6')
apt_packages+=('libxml2-utils')
apt_packages+=('locales')
apt_packages+=('ninja-build')
apt_packages+=('pkg-config')
apt_packages+=('zlib1g-dev')
# 32-bit builds
apt_packages+=('lib32z1-dev')
apt_packages+=('gcc-multilib')
apt_packages+=('g++-multilib')
# ct-verif and sanitizers
apt_packages+=('valgrind')
# Latest Mercurial.
apt_packages+=('mercurial')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
# gcc 4.8 and 6
apt_packages+=('g++-6')
apt_packages+=('g++-4.8')
apt_packages+=('g++-6-multilib')
apt_packages+=('g++-4.8-multilib')
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
# Install packages.
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Latest version of abigail-tools
apt-get install -y libxml2-dev autoconf libelf-dev libdw-dev libtool
git clone git://sourceware.org/git/libabigail.git
cd ./libabigail
autoreconf -fi
./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual
make
make install
cd ..
apt-get remove -y libxml2-dev autoconf libtool
rm -rf libabigail
# Install latest Rust (stable).
su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0
security/nss/automation/taskcluster/graph/src/extend.js
+116 -60
View File
@@ -10,9 +10,19 @@ const LINUX_IMAGE = {
path: "automation/taskcluster/docker"
};
const LINUX_CLANG39_IMAGE = {
name: "linux-clang-3.9",
path: "automation/taskcluster/docker-clang-3.9"
const LINUX_BUILDS_IMAGE = {
name: "linux-builds",
path: "automation/taskcluster/docker-builds"
};
const LINUX_INTEROP_IMAGE = {
name: "linux-interop",
path: "automation/taskcluster/docker-interop"
};
const CLANG_FORMAT_IMAGE = {
name: "clang-format",
path: "automation/taskcluster/docker-clang-format"
};
const LINUX_GCC44_IMAGE = {
@@ -25,6 +35,12 @@ const FUZZ_IMAGE = {
path: "automation/taskcluster/docker-fuzz"
};
// Bug 1488148 - temporary image for fuzzing 32-bit builds.
const FUZZ_IMAGE_32 = {
name: "fuzz32",
path: "automation/taskcluster/docker-fuzz32"
};
const HACL_GEN_IMAGE = {
name: "hacl",
path: "automation/taskcluster/docker-hacl"
@@ -59,7 +75,7 @@ queue.filter(task => {
}
}
if (task.tests == "bogo" || task.tests == "interop") {
if (task.tests == "bogo" || task.tests == "interop" || task.tests == "tlsfuzzer") {
// No windows
if (task.platform == "windows2012-64" ||
task.platform == "windows2012-32") {
@@ -89,7 +105,9 @@ queue.filter(task => {
if (task.group == "Test") {
// Don't run test builds on old make platforms, and not for fips gyp.
if (task.collection == "make" || task.collection == "fips") {
// Disable on aarch64, see bug 1488331.
if (task.collection == "make" || task.collection == "fips"
|| task.platform == "aarch64") {
return false;
}
}
@@ -134,13 +152,13 @@ export default async function main() {
await scheduleLinux("Linux 32 (opt)", {
platform: "linux32",
image: LINUX_IMAGE
}, "-m32 --opt");
}, "-t ia32 --opt");
await scheduleLinux("Linux 32 (debug)", {
platform: "linux32",
collection: "debug",
image: LINUX_IMAGE
}, "-m32");
}, "-t ia32");
await scheduleLinux("Linux 64 (opt)", {
platform: "linux64",
@@ -193,8 +211,8 @@ export default async function main() {
UBSAN_OPTIONS: "print_stacktrace=1",
NSS_DISABLE_ARENA_FREE_LIST: "1",
NSS_DISABLE_UNLOAD: "1",
CC: "clang-5.0",
CCC: "clang++-5.0",
CC: "clang",
CCC: "clang++",
},
platform: "linux64",
collection: "asan",
@@ -230,12 +248,12 @@ export default async function main() {
await scheduleWindows("Windows 2012 32 (opt)", {
platform: "windows2012-32",
}, "build_gyp.sh --opt -m32");
}, "build_gyp.sh --opt -t ia32");
await scheduleWindows("Windows 2012 32 (debug)", {
platform: "windows2012-32",
collection: "debug"
}, "build_gyp.sh -m32");
}, "build_gyp.sh -t ia32");
await scheduleFuzzing();
await scheduleFuzzing32();
@@ -251,29 +269,29 @@ export default async function main() {
};
await scheduleLinux("Linux AArch64 (debug)",
merge({
merge(aarch64_base, {
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
],
collection: "debug",
}, aarch64_base)
})
);
await scheduleLinux("Linux AArch64 (opt)",
merge({
merge(aarch64_base, {
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
],
collection: "opt",
}, aarch64_base)
})
);
await scheduleLinux("Linux AArch64 (debug, make)",
merge({
merge(aarch64_base, {
env: {USE_64: "1"},
command: [
"/bin/bash",
@@ -281,7 +299,7 @@ export default async function main() {
"bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
],
collection: "make",
}, aarch64_base)
})
);
await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
@@ -303,7 +321,7 @@ async function scheduleMac(name, base, args = "") {
});
// Build base definition.
let build_base = merge({
let build_base = merge(mac_base, {
command: [
MAC_CHECKOUT_CMD,
["bash", "-c",
@@ -320,7 +338,7 @@ async function scheduleMac(name, base, args = "") {
}],
kind: "build",
symbol: "B"
}, mac_base);
});
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -351,14 +369,18 @@ async function scheduleMac(name, base, args = "") {
/*****************************************************************************/
async function scheduleLinux(name, base, args = "") {
// Build base definition.
let build_base = merge({
async function scheduleLinux(name, overrides, args = "") {
// Construct a base definition. This takes |overrides| second because
// callers expect to be able to overwrite the |command| key.
let base = merge({
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh " + args
],
}, overrides);
// The base for building.
let build_base = merge(base, {
artifacts: {
public: {
expires: 24 * 7,
@@ -367,8 +389,8 @@ async function scheduleLinux(name, base, args = "") {
}
},
kind: "build",
symbol: "B"
}, base);
symbol: "B",
});
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -434,14 +456,17 @@ async function scheduleLinux(name, base, args = "") {
}));
// Extra builds.
let extra_base = merge({group: "Builds"}, build_base);
let extra_base = merge(build_base, {
group: "Builds",
image: LINUX_BUILDS_IMAGE,
});
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ clang-5.0`,
name: `${name} w/ clang-4`,
env: {
CC: "clang-5.0",
CCC: "clang++-5.0",
CC: "clang-4.0",
CCC: "clang++-4.0",
},
symbol: "clang-5.0"
symbol: "clang-4"
}));
queue.scheduleTask(merge(extra_base, {
@@ -474,16 +499,26 @@ async function scheduleLinux(name, base, args = "") {
}));
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ gcc-6.1`,
name: `${name} w/ gcc-5`,
env: {
CC: "gcc-5",
CCC: "g++-5"
},
symbol: "gcc-5"
}));
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ gcc-6`,
env: {
CC: "gcc-6",
CCC: "g++-6"
},
symbol: "gcc-6.1"
symbol: "gcc-6"
}));
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ modular builds`,
image: LINUX_IMAGE,
env: {NSS_BUILD_MODULAR: "1"},
command: [
"/bin/bash",
@@ -493,7 +528,7 @@ async function scheduleLinux(name, base, args = "") {
symbol: "modular"
}));
await scheduleTestBuilds(merge(base, {group: "Test"}), args);
await scheduleTestBuilds(name + " Test", merge(base, {group: "Test"}), args);
return queue.submit();
}
@@ -534,7 +569,7 @@ async function scheduleFuzzing() {
};
// Build base definition.
let build_base = merge({
let build_base = merge(base, {
command: [
"/bin/bash",
"-c",
@@ -550,7 +585,7 @@ async function scheduleFuzzing() {
},
kind: "build",
symbol: "B"
}, base);
});
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {
@@ -635,16 +670,16 @@ async function scheduleFuzzing32() {
features: ["allowPtrace"],
platform: "linux32",
collection: "fuzz",
image: FUZZ_IMAGE
image: FUZZ_IMAGE_32
};
// Build base definition.
let build_base = merge({
let build_base = merge(base, {
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && " +
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -t ia32"
],
artifacts: {
public: {
@@ -655,7 +690,7 @@ async function scheduleFuzzing32() {
},
kind: "build",
symbol: "B"
}, base);
});
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {
@@ -671,7 +706,7 @@ async function scheduleFuzzing32() {
"/bin/bash",
"-c",
"bin/checkout.sh && " +
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -t ia32"
],
}));
@@ -728,9 +763,9 @@ async function scheduleFuzzing32() {
/*****************************************************************************/
async function scheduleTestBuilds(base, args = "") {
async function scheduleTestBuilds(name, base, args = "") {
// Build base definition.
let build = merge({
let build = merge(base, {
command: [
"/bin/bash",
"-c",
@@ -746,8 +781,15 @@ async function scheduleTestBuilds(base, args = "") {
},
kind: "build",
symbol: "B",
name: "Linux 64 (debug, test)"
}, base);
name: `${name} build`,
});
// On linux we have a specialized build image for building.
if (build.platform === "linux32" || build.platform === "linux64") {
build = merge(build, {
image: LINUX_BUILDS_IMAGE,
});
}
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(build);
@@ -755,7 +797,7 @@ async function scheduleTestBuilds(base, args = "") {
// Schedule tests.
queue.scheduleTask(merge(base, {
parent: task_build,
name: "mpi",
name: `${name} mpi tests`,
command: [
"/bin/bash",
"-c",
@@ -773,7 +815,7 @@ async function scheduleTestBuilds(base, args = "") {
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
],
name: "Gtests",
name: `${name} gtests`,
symbol: "Gtest",
tests: "gtests",
cycle: "standard",
@@ -790,12 +832,12 @@ async function scheduleWindows(name, base, build_script) {
base = merge(base, {
workerType: "nss-win2012r2",
env: {
PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;" +
"c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;" +
"c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;" +
"c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;" +
"c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;" +
"c:\\mozilla-build\\wget",
PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
"c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
"c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
"c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
"c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
DOMSUF: "localdomain",
HOST: "localhost",
}
@@ -881,7 +923,7 @@ async function scheduleWindows(name, base, build_script) {
/*****************************************************************************/
function scheduleTests(task_build, task_cert, test_base) {
test_base = merge({kind: "test"}, test_base);
test_base = merge(test_base, {kind: "test"});
// Schedule tests that do NOT need certificates.
let no_cert_base = merge(test_base, {parent: task_build});
@@ -889,10 +931,21 @@ function scheduleTests(task_build, task_cert, test_base) {
name: "Gtests", symbol: "Gtest", tests: "ssl_gtests gtests", cycle: "standard"
}));
queue.scheduleTask(merge(no_cert_base, {
name: "Bogo tests", symbol: "Bogo", tests: "bogo", cycle: "standard"
name: "Bogo tests",
symbol: "Bogo",
tests: "bogo",
cycle: "standard",
image: LINUX_INTEROP_IMAGE,
}));
queue.scheduleTask(merge(no_cert_base, {
name: "Interop tests", symbol: "Interop", tests: "interop", cycle: "standard"
name: "Interop tests",
symbol: "Interop",
tests: "interop",
cycle: "standard",
image: LINUX_INTEROP_IMAGE,
}));
queue.scheduleTask(merge(no_cert_base, {
name: "tlsfuzzer tests", symbol: "tlsfuzzer", tests: "tlsfuzzer", cycle: "standard"
}));
queue.scheduleTask(merge(no_cert_base, {
name: "Chains tests", symbol: "Chains", tests: "chains"
@@ -928,6 +981,9 @@ function scheduleTests(task_build, task_cert, test_base) {
queue.scheduleTask(merge(no_cert_base, {
name: "SDR tests", symbol: "SDR", tests: "sdr"
}));
queue.scheduleTask(merge(no_cert_base, {
name: "Policy tests", symbol: "Policy", tests: "policy"
}));
// Schedule tests that need certificates.
let cert_base = merge(test_base, {parent: task_cert});
@@ -971,11 +1027,11 @@ async function scheduleTools() {
kind: "test"
};
//ABI check task
// ABI check task
queue.scheduleTask(merge(base, {
symbol: "abi",
name: "abi",
image: LINUX_IMAGE,
image: LINUX_BUILDS_IMAGE,
command: [
"/bin/bash",
"-c",
@@ -984,9 +1040,9 @@ async function scheduleTools() {
}));
queue.scheduleTask(merge(base, {
symbol: "clang-format-3.9",
name: "clang-format-3.9",
image: LINUX_CLANG39_IMAGE,
symbol: "clang-format",
name: "clang-format",
image: CLANG_FORMAT_IMAGE,
command: [
"/bin/bash",
"-c",
@@ -1049,7 +1105,7 @@ async function scheduleTools() {
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -m32"
"bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -t ia32"
]
}));
security/nss/automation/taskcluster/graph/src/try_syntax.js
+1 -1
View File
@@ -37,7 +37,7 @@ function parseOptions(opts) {
let aliases = {"gtests": "gtest"};
let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
"gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
"ssl", "mpi", "scert", "spki"];
"ssl", "mpi", "scert", "spki", "policy", "tlsfuzzer"];
let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
return aliases[t] || t;
}), allUnitTests);
security/nss/automation/taskcluster/scripts/build_image.sh
+4 -4
View File
@@ -13,12 +13,12 @@ raise_error() {
test -n "$PROJECT" || raise_error "Project must be provided."
test -n "$HASH" || raise_error "Context Hash must be provided."
CONTEXT_PATH=/home/worker/nss/$CONTEXT_PATH
CONTEXT_PATH="/home/worker/nss/$CONTEXT_PATH"
test -d $CONTEXT_PATH || raise_error "Context Path $CONTEXT_PATH does not exist."
test -d "$CONTEXT_PATH" || raise_error "Context Path $CONTEXT_PATH does not exist."
test -f "$CONTEXT_PATH/Dockerfile" || raise_error "Dockerfile must be present in $CONTEXT_PATH."
docker build -t $PROJECT:$HASH $CONTEXT_PATH
docker build -t "$PROJECT:$HASH" "$CONTEXT_PATH"
mkdir /artifacts
docker save $PROJECT:$HASH > /artifacts/image.tar
docker save "$PROJECT:$HASH" > /artifacts/image.tar
security/nss/automation/taskcluster/scripts/tools.sh
+4 -5
View File
@@ -2,12 +2,11 @@
set -v -e -x
# Assert that we're not running as root.
if [[ $(id -u) -eq 0 ]]; then
# Stupid Docker. It works without sometimes... But not always.
echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
# Drop privileges by re-running this script.
# Note: this mangles arguments, better to avoid running scripts as root.
# This exec is still needed until aarch64 images are updated (Bug 1488325).
# Remove when images are updated. Until then, assert that things are good.
[[ $(uname -m) == aarch64 ]]
exec su worker -c "$0 $*"
fi
security/nss/automation/taskcluster/windows/build.sh
+4 -4
View File
@@ -2,12 +2,12 @@
set -v -e -x
# Set up the toolchain.
if [ "$USE_64" = 1 ]; then
source $(dirname $0)/setup64.sh
if [[ "$USE_64" == 1 ]]; then
m=x64
else
source $(dirname $0)/setup32.sh
m=x86
fi
source "$(dirname "$0")/setup.sh"
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr nspr default
security/nss/automation/taskcluster/windows/build_gyp.sh
+18 -14
View File
@@ -2,33 +2,37 @@
set -v -e -x
# Set up the toolchain.
if [[ "$@" == *"-m32"* ]]; then
source $(dirname $0)/setup32.sh
else
source $(dirname $0)/setup64.sh
fi
# Parse for the -t option.
m=x64
for i in "$@"; do
case "$i" in
-t|--target) m= ;;
--target=*) m="${i#*=}" ;;
*) [[ -z "$m" ]] && m="$i" ;;
esac
done
[[ "$m" == "ia32" ]] && m=x86
source "$(dirname "$0")/setup.sh"
# Install GYP.
cd gyp
pushd gyp
python -m virtualenv test-env
test-env/Scripts/python setup.py install
test-env/Scripts/python -m pip install --upgrade pip
test-env/Scripts/pip install --upgrade setuptools
cd ..
export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
export GYP_MSVS_VERSION="2015"
export GYP="${PWD}/gyp/test-env/Scripts/gyp"
# Fool GYP.
touch "${VSPATH}/VC/vcvarsall.bat"
export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
export GYP_MSVS_VERSION=2015
popd
export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts"
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr nspr default
# Build with gyp.
GYP=${GYP} ./nss/build.sh -g -v "$@"
./nss/build.sh -g -v "$@"
# Package.
7z a public/build/dist.7z dist
security/nss/automation/taskcluster/windows/setup.sh
+39 -9
View File
@@ -2,13 +2,6 @@
set -v -e -x
export VSPATH="$(pwd)/vs2017_15.4.2"
export NINJA_PATH="$(pwd)/ninja/bin"
export WINDOWSSDKDIR="${VSPATH}/SDK"
export VS90COMNTOOLS="${VSPATH}/VC"
export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.15063.0/ucrt:${VSPATH}/SDK/Include/10.0.15063.0/shared:${VSPATH}/SDK/Include/10.0.15063.0/um"
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
@@ -22,5 +15,42 @@ hg_clone() {
exit 1
}
hg_clone https://hg.mozilla.org/build/tools tools default
tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
hg_clone https://hg.mozilla.org/build/tools tools b8d7c263dfc3
tools/scripts/tooltool/tooltool_wrapper.sh \
$(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ \
non-existant-file.sh /c/mozilla-build/python/python.exe \
/c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok \
-c /c/builds/tooltool_cache
# This needs $m to be set.
[[ -n "$m" ]]
# Setup MSVC paths.
export VSPATH="${PWD}/vs2017_15.4.2"
UCRTVersion="10.0.15063.0"
export WINDOWSSDKDIR="${VSPATH}/SDK"
export VS90COMNTOOLS="${VSPATH}/VC"
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/${m}/Microsoft.VC141.CRT"
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/${m}"
if [ "$m" == "x86" ]; then
PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x86"
PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x64"
fi
PATH="${PATH}:${VSPATH}/VC/bin/Host${m}/${m}"
PATH="${PATH}:${WIN32_REDIST_DIR}"
PATH="${PATH}:${WIN_UCRT_REDIST_DIR}"
PATH="${PATH}:${VSPATH}/SDK/bin/${UCRTVersion}/x64"
export PATH
LIB="${LIB}:${VSPATH}/VC/lib/${m}"
LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/ucrt/${m}"
LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/um/${m}"
export LIB
INCLUDE="${INCLUDE}:${VSPATH}/VC/include"
INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/ucrt"
INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/shared"
INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/um"
export INCLUDE
security/nss/automation/taskcluster/windows/setup32.sh
-10
View File
@@ -1,10 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
source $(dirname $0)/setup.sh
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT"
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86"
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x86:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${PATH}"
export LIB="${VSPATH}/VC/lib/x86:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.15063.0/um/x86"
security/nss/automation/taskcluster/windows/setup64.sh
-10
View File
@@ -1,10 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
source $(dirname $0)/setup.sh
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT"
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/bin/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
export LIB="${VSPATH}/VC/lib/x64:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.15063.0/um/x64"
security/nss/build.sh
+55 -47
View File
@@ -50,75 +50,86 @@ fuzz=0
fuzz_tls=0
fuzz_oss=0
no_local_nspr=0
armhf=0
gyp_params=(--depth="$cwd" --generator-output=".")
nspr_params=()
ninja_params=()
# try to guess sensible defaults
arch=$(python "$cwd"/coreconf/detect_host_arch.py)
if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
build_64=1
elif [ "$arch" = "arm" ]; then
armhf=1
# Assume that the target architecture is the same as the host by default.
host_arch=$(python "$cwd"/coreconf/detect_host_arch.py)
target_arch=$host_arch
# Assume that MSVC is wanted if this is running on windows.
platform=$(uname -s)
if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then
msvc=1
fi
# parse command line arguments
# Parse command line arguments.
while [ $# -gt 0 ]; do
case $1 in
case "$1" in
-c) clean=1 ;;
-cc) clean_only=1 ;;
--gyp|-g) rebuild_gyp=1 ;;
--nspr) nspr_clean; rebuild_nspr=1 ;;
-j) ninja_params+=(-j "$2"); shift ;;
-v) ninja_params+=(-v); verbose=1 ;;
--test) gyp_params+=(-Dtest_build=1) ;;
--clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
--gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
-j) ninja_params+=(-j "$2"); shift ;;
--gyp|-g) rebuild_gyp=1 ;;
--opt|-o) opt_build=1 ;;
-m32|--m32) target_arch=ia32; echo 'Warning: use -t instead of -m32' 1>&2 ;;
-t|--target) target_arch="$2"; shift ;;
--target=*) target_arch="${1#*=}" ;;
--clang) export CC=clang; export CCC=clang++; export CXX=clang++; msvc=0 ;;
--gcc) export CC=gcc; export CCC=g++; export CXX=g++; msvc=0 ;;
--msvc) msvc=1 ;;
--scan-build) enable_scanbuild ;;
--scan-build=?*) enable_scanbuild "${1#*=}" ;;
--opt|-o) opt_build=1 ;;
-m32|--m32) build_64=0 ;;
--disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
--pprof) gyp_params+=(-Duse_pprof=1) ;;
--asan) enable_sanitizer asan ;;
--msan) enable_sanitizer msan ;;
--ubsan) enable_ubsan ;;
--ubsan=?*) enable_ubsan "${1#*=}" ;;
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
--sancov) enable_sancov ;;
--sancov=?*) enable_sancov "${1#*=}" ;;
--pprof) gyp_params+=(-Duse_pprof=1) ;;
--ct-verif) gyp_params+=(-Dct_verif=1) ;;
--emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
--disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
--no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
--system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
--test) gyp_params+=(-Dtest_build=1) ;;
--ct-verif) gyp_params+=(-Dct_verif=1) ;;
--nspr) nspr_clean; rebuild_nspr=1 ;;
--with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
--system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
--enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
--system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
--enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
--enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
--mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
*) show_help; exit 2 ;;
esac
shift
done
# Set the target architecture and build type.
gyp_params+=(-Dtarget_arch="$target_arch")
if [ "$opt_build" = 1 ]; then
target=Release
else
target=Debug
fi
if [ "$build_64" = 1 ]; then
nspr_params+=(--enable-64bit)
elif [ ! "$armhf" = 1 ]; then
gyp_params+=(-Dtarget_arch=ia32)
fi
# Do special setup.
if [ "$fuzz" = 1 ]; then
source "$cwd"/coreconf/fuzz.sh
fi
nspr_set_flags $sanitizer_flags
if [ ! -z "$sanitizer_flags" ]; then
gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
fi
# set paths
if [ "$msvc" = 1 ]; then
source "$cwd"/coreconf/msvc.sh
fi
# Setup build paths.
target_dir="$cwd"/out/$target
mkdir -p "$target_dir"
dist_dir="$cwd"/../dist
@@ -149,6 +160,7 @@ check_config()
echo CC="$CC" >"$newconf"
echo CCC="$CCC" >>"$newconf"
echo CXX="$CXX" >>"$newconf"
echo target_arch="$target_arch" >>"$newconf"
for i in "$@"; do echo $i; done | sort >>"$newconf"
# Note: The following diff fails if $oldconf isn't there as well, which
@@ -159,6 +171,7 @@ check_config()
gyp_config="$cwd"/out/gyp_config
nspr_config="$cwd"/out/$target/nspr_config
# Now check what needs to be rebuilt.
# If we don't have a build directory make sure that we rebuild.
if [ ! -d "$target_dir" ]; then
rebuild_nspr=1
@@ -167,33 +180,28 @@ elif [ ! -d "$dist_dir"/$target ]; then
rebuild_nspr=1
fi
# Update NSPR ${C,CXX,LD}FLAGS.
nspr_set_flags $sanitizer_flags
if check_config "$nspr_config" "${nspr_params[@]}" \
if check_config "$nspr_config" \
nspr_cflags="$nspr_cflags" \
nspr_cxxflags="$nspr_cxxflags" \
nspr_ldflags="$nspr_ldflags"; then
rebuild_nspr=1
fi
# Forward sanitizer flags.
if [ ! -z "$sanitizer_flags" ]; then
gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
fi
if check_config "$gyp_config" "${gyp_params[@]}"; then
rebuild_gyp=1
fi
# save the chosen target
# Save the chosen target.
mkdir -p "$dist_dir"
echo $target > "$dist_dir"/latest
# Build.
# NSPR.
if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then
nspr_build "${nspr_params[@]}"
nspr_build
mv -f "$nspr_config".new "$nspr_config"
fi
# gyp.
if [ "$rebuild_gyp" = 1 ]; then
if ! hash ${GYP} 2> /dev/null; then
echo "Please install gyp" 1>&2
@@ -211,11 +219,11 @@ if [ "$rebuild_gyp" = 1 ]; then
mv -f "$gyp_config".new "$gyp_config"
fi
# Run ninja.
if hash ninja 2>/dev/null; then
ninja=ninja
elif hash ninja-build 2>/dev/null; then
# ninja.
if hash ninja-build 2>/dev/null; then
ninja=ninja-build
elif hash ninja 2>/dev/null; then
ninja=ninja
else
echo "Please install ninja" 1>&2
exit 1
security/nss/cmd/certutil/certutil.c
+128 -48
View File
@@ -741,6 +741,9 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
case 'V':
usage = certificateUsageSSLServer;
break;
case 'I':
usage = certificateUsageIPsec;
break;
case 'S':
usage = certificateUsageEmailSigner;
break;
@@ -856,41 +859,59 @@ SECItemToHex(const SECItem *item, char *dst)
}
static const char *const keyTypeName[] = {
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep"
};
#define MAX_CKA_ID_BIN_LEN 20
#define MAX_CKA_ID_STR_LEN 40
/* output human readable key ID in buffer, which should have at least
* MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */
static void
formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer)
{
SECItem *ckaID;
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey);
if (!ckaID) {
strcpy(buffer, "(no CKA_ID)");
} else if (ItemIsPrintableASCII(ckaID)) {
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
buffer[0] = '"';
memcpy(buffer + 1, ckaID->data, len);
buffer[1 + len] = '"';
buffer[2 + len] = '\0';
} else {
/* print ckaid in hex */
SECItem idItem = *ckaID;
if (idItem.len > MAX_CKA_ID_BIN_LEN)
idItem.len = MAX_CKA_ID_BIN_LEN;
SECItemToHex(&idItem, buffer);
}
SECITEM_ZfreeItem(ckaID, PR_TRUE);
}
/* print key number, key ID (in hex or ASCII), key label (nickname) */
static SECStatus
PrintKey(PRFileDesc *out, const char *nickName, int count,
SECKEYPrivateKey *key, void *pwarg)
{
SECItem *ckaID;
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
CERTCertificate *cert;
KeyType keyType;
pwarg = NULL;
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
if (!ckaID) {
strcpy(ckaIDbuf, "(no CKA_ID)");
} else if (ItemIsPrintableASCII(ckaID)) {
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
ckaIDbuf[0] = '"';
memcpy(ckaIDbuf + 1, ckaID->data, len);
ckaIDbuf[1 + len] = '"';
ckaIDbuf[2 + len] = '\0';
} else {
/* print ckaid in hex */
SECItem idItem = *ckaID;
if (idItem.len > MAX_CKA_ID_BIN_LEN)
idItem.len = MAX_CKA_ID_BIN_LEN;
SECItemToHex(&idItem, ckaIDbuf);
}
formatPrivateKeyID(key, ckaIDbuf);
cert = PK11_GetCertFromPrivateKey(key);
if (cert) {
keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
CERT_DestroyCertificate(cert);
} else {
keyType = key->keyType;
}
PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count,
keyTypeName[key->keyType], ckaIDbuf, nickName);
SECITEM_ZfreeItem(ckaID, PR_TRUE);
keyTypeName[keyType], ckaIDbuf, nickName);
return SECSuccess;
}
@@ -1002,7 +1023,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index,
}
static SECStatus
DeleteKey(char *nickname, secuPWData *pwdata)
DeleteCertAndKey(char *nickname, secuPWData *pwdata)
{
SECStatus rv;
CERTCertificate *cert;
@@ -1031,6 +1052,61 @@ DeleteKey(char *nickname, secuPWData *pwdata)
return rv;
}
static SECKEYPrivateKey *
findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg)
{
PORTCheapArenaPool arena;
SECItem ckaIDItem = { 0 };
SECKEYPrivateKey *privkey = NULL;
SECStatus rv;
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return NULL;
}
}
if (0 == PL_strncasecmp("0x", ckaID, 2)) {
ckaID += 2; /* skip leading "0x" */
}
PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) {
privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg);
}
PORT_DestroyCheapArena(&arena);
return privkey;
}
static SECStatus
DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg)
{
SECStatus rv;
PK11SlotInfo *slot;
slot = PK11_GetSlotFromPrivateKey(privkey);
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
if (rv != SECSuccess) {
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
formatPrivateKeyID(privkey, ckaIDbuf);
SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);
}
PK11_FreeSlot(slot);
return rv;
}
/*
* L i s t M o d u l e s
*
@@ -1100,7 +1176,9 @@ PrintSyntax()
"\t\t [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
@@ -1390,6 +1468,8 @@ luF(enum usage_level ul, const char *command)
return;
FPS "%-20s The nickname of the key to delete\n",
" -n cert-name");
FPS "%-20s The key id of the key to delete, obtained using -K\n",
" -k key-id");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
@@ -1629,6 +1709,7 @@ luV(enum usage_level ul, const char *command)
FPS "%-20s Specify certificate usage:\n", " -u certusage");
FPS "%-25s C \t SSL Client\n", "");
FPS "%-25s V \t SSL Server\n", "");
FPS "%-25s I \t IPsec\n", "");
FPS "%-25s L \t SSL CA\n", "");
FPS "%-25s A \t Any CA\n", "");
FPS "%-25s Y \t Verify CA\n", "");
@@ -2944,10 +3025,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
readOnly = !certutil.options[opt_RW].activated;
}
/* -A, -D, -F, -M, -S, -V, and all require -n */
/* -A, -D, -M, -S, -V, and all require -n */
if ((certutil.commands[cmd_AddCert].activated ||
certutil.commands[cmd_DeleteCert].activated ||
certutil.commands[cmd_DeleteKey].activated ||
certutil.commands[cmd_DumpChain].activated ||
certutil.commands[cmd_ModifyCertTrust].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
@@ -3034,6 +3114,16 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255;
}
/* Delete needs a nickname or a key ID */
if (certutil.commands[cmd_DeleteKey].activated &&
!(certutil.options[opt_Nickname].activated || keysource)) {
PR_fprintf(PR_STDERR,
"%s -%c: specify a nickname (-n) or\n"
" a key ID (-k).\n",
commandToRun, progName);
return 255;
}
/* Upgrade/Merge needs a source database and a upgrade id. */
if (certutil.commands[cmd_UpgradeMerge].activated &&
!(certutil.options[opt_SourceDir].activated &&
@@ -3396,7 +3486,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
/* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) {
rv = DeleteKey(name, &pwdata);
if (certutil.options[opt_Nickname].activated) {
rv = DeleteCertAndKey(name, &pwdata);
} else {
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
if (!privkey) {
SECU_PrintError(progName, "%s is not a key-id", keysource);
rv = SECFailure;
} else {
rv = DeleteKey(privkey, &pwdata);
/* already destroyed by PK11_DeleteTokenPrivateKey */
privkey = NULL;
}
}
goto shutdown;
}
/* Modify trust attribute for cert (-M) */
@@ -3468,30 +3570,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (keycert) {
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
} else {
PLArenaPool *arena = NULL;
SECItem keyidItem = { 0 };
char *keysourcePtr = keysource;
/* Interpret keysource as CKA_ID */
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
if (0 == PL_strncasecmp("0x", keysource, 2)) {
keysourcePtr = keysource + 2; // skip leading "0x"
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "unable to allocate arena");
return SECFailure;
}
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
}
PORT_FreeArena(arena, PR_FALSE);
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
}
if (!privkey) {
security/nss/cmd/crlutil/crlutil.c
+1 -15
View File
@@ -232,10 +232,6 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
SECItem crlDER;
PK11SlotInfo *slot = NULL;
int rv;
#if defined(DEBUG_jp96085)
PRIntervalTime starttime, endtime, elapsed;
PRUint32 mins, secs, msecs;
#endif
crlDER.data = NULL;
@@ -256,19 +252,9 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
goto loser;
}
#if defined(DEBUG_jp96085)
starttime = PR_IntervalNow();
#endif
crl = PK11_ImportCRL(slot, &crlDER, url, type,
NULL, importOptions, NULL, decodeOptions);
#if defined(DEBUG_jp96085)
endtime = PR_IntervalNow();
elapsed = endtime - starttime;
mins = PR_IntervalToSeconds(elapsed) / 60;
secs = PR_IntervalToSeconds(elapsed) % 60;
msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
#endif
if (!crl) {
const char *errString;
security/nss/cmd/crmf-cgi/crmfcgi.c
+1 -1
View File
@@ -4,7 +4,7 @@
#include "seccomon.h"
#include "nss.h"
#include "key.h"
#include "keyhi.h"
#include "cert.h"
#include "pk11func.h"
#include "secmod.h"
security/nss/cmd/crmftest/testcrmf.c
+1 -1
View File
@@ -66,7 +66,7 @@
#include "crmf.h"
#include "secerr.h"
#include "pk11func.h"
#include "key.h"
#include "keyhi.h"
#include "cmmf.h"
#include "plgetopt.h"
#include "secutil.h"
security/nss/cmd/dbck/dbrecover.c
+2 -1
View File
@@ -288,7 +288,8 @@ addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
/* If user chooses so, ignore expired certificates. */
allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
(oldCert->keyUsage == certUsageSSLServerWithStepUp));
(oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
(oldCert->keyUsage == certUsageIPsec));
validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
/* If cert expired and user wants to delete it, ignore it. */
if ((validity != secCertTimeValid) &&
security/nss/cmd/fipstest/fipstest.c
+990 -44
View File
File diff suppressed because it is too large Load Diff
security/nss/cmd/fipstest/kas.sh
+84
View File
@@ -0,0 +1,84 @@
#!/bin/sh
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# A Bourne shell script for running the NIST DSA Validation System
#
# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
# variables appropriately so that the fipstest command and the NSPR and NSS
# shared libraries/DLLs are on the search path. Then run this script in the
# directory where the REQUEST (.req) files reside. The script generates the
# RESPONSE (.rsp) files in the same directory.
BASEDIR=${1-.}
TESTDIR=${BASEDIR}/KAS
COMMAND=${2-run}
REQDIR=${TESTDIR}/req
RSPDIR=${TESTDIR}/resp
#
if [ ${COMMAND} = "verify" ]; then
#
# need verify for KAS tests
# verify generated keys
# name=KeyPair
# echo ">>>>> $name"
# fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
# verify generated pqg values
# name=PQGGen
# echo ">>>>> $name"
# fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
# verify PQGVer with known answer
# sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
# verify signatures
# name=SigGen
# echo ">>>>> $name"
# fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
# verify SigVer with known answer
# sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
exit 0
fi
request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response
request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response
fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
security/nss/cmd/fipstest/runtest.sh
+1 -1
View File
@@ -6,7 +6,7 @@
#
TESTDIR=${1-.}
COMMAND=${2-run}
TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea"
TESTS="aes aesgcm dsa ecdsa hmac kas tls rng rsa sha tdea"
for i in $TESTS
do
echo "********************Running $i tests"
security/nss/cmd/lib/secutil.c
+101 -15
View File
@@ -3799,7 +3799,7 @@ SECU_ParseSSLVersionRangeString(const char *input,
return SECSuccess;
}
SSLNamedGroup
static SSLNamedGroup
groupNameToNamedGroup(char *name)
{
if (PL_strlen(name) == 4) {
@@ -3837,6 +3837,23 @@ groupNameToNamedGroup(char *name)
return ssl_grp_none;
}
static SECStatus
countItems(const char *arg, unsigned int *numItems)
{
char *str = PORT_Strdup(arg);
if (!str) {
return SECFailure;
}
char *p = strtok(str, ",");
while (p) {
++(*numItems);
p = strtok(NULL, ",");
}
PORT_Free(str);
str = NULL;
return SECSuccess;
}
SECStatus
parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
unsigned int *enabledGroupsCount)
@@ -3847,21 +3864,12 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
unsigned int numValues = 0;
unsigned int count = 0;
/* Count the number of groups. */
str = PORT_Strdup(arg);
if (!str) {
if (countItems(arg, &numValues) != SECSuccess) {
return SECFailure;
}
p = strtok(str, ",");
while (p) {
++numValues;
p = strtok(NULL, ",");
}
PORT_Free(str);
str = NULL;
groups = PORT_ZNewArray(SSLNamedGroup, numValues);
if (!groups) {
goto done;
return SECFailure;
}
/* Get group names. */
@@ -3881,9 +3889,7 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
}
done:
if (str) {
PORT_Free(str);
}
PORT_Free(str);
if (!count) {
PORT_Free(groups);
return SECFailure;
@@ -3893,3 +3899,83 @@ done:
*enabledGroups = groups;
return SECSuccess;
}
SSLSignatureScheme
schemeNameToScheme(const char *name)
{
#define compareScheme(x) \
do { \
if (!PORT_Strncmp(name, #x, PORT_Strlen(#x))) { \
return ssl_sig_##x; \
} \
} while (0)
compareScheme(rsa_pkcs1_sha1);
compareScheme(rsa_pkcs1_sha256);
compareScheme(rsa_pkcs1_sha384);
compareScheme(rsa_pkcs1_sha512);
compareScheme(ecdsa_sha1);
compareScheme(ecdsa_secp256r1_sha256);
compareScheme(ecdsa_secp384r1_sha384);
compareScheme(ecdsa_secp521r1_sha512);
compareScheme(rsa_pss_rsae_sha256);
compareScheme(rsa_pss_rsae_sha384);
compareScheme(rsa_pss_rsae_sha512);
compareScheme(ed25519);
compareScheme(ed448);
compareScheme(rsa_pss_pss_sha256);
compareScheme(rsa_pss_pss_sha384);
compareScheme(rsa_pss_pss_sha512);
compareScheme(dsa_sha1);
compareScheme(dsa_sha256);
compareScheme(dsa_sha384);
compareScheme(dsa_sha512);
#undef compareScheme
return ssl_sig_none;
}
SECStatus
parseSigSchemeList(const char *arg, const SSLSignatureScheme **enabledSigSchemes,
unsigned int *enabledSigSchemeCount)
{
SSLSignatureScheme *schemes;
unsigned int numValues = 0;
unsigned int count = 0;
if (countItems(arg, &numValues) != SECSuccess) {
return SECFailure;
}
schemes = PORT_ZNewArray(SSLSignatureScheme, numValues);
if (!schemes) {
return SECFailure;
}
/* Get group names. */
char *str = PORT_Strdup(arg);
if (!str) {
goto done;
}
char *p = strtok(str, ",");
while (p) {
SSLSignatureScheme scheme = schemeNameToScheme(p);
if (scheme == ssl_sig_none) {
count = 0;
goto done;
}
schemes[count++] = scheme;
p = strtok(NULL, ",");
}
done:
PORT_Free(str);
if (!count) {
PORT_Free(schemes);
return SECFailure;
}
*enabledSigSchemeCount = count;
*enabledSigSchemes = schemes;
return SECSuccess;
}
security/nss/cmd/lib/secutil.h
+4 -2
View File
@@ -9,7 +9,7 @@
#include "secport.h"
#include "prerror.h"
#include "base64.h"
#include "key.h"
#include "keyhi.h"
#include "secpkcs7.h"
#include "secasn1.h"
#include "secder.h"
@@ -406,7 +406,9 @@ SECU_ParseSSLVersionRangeString(const char *input,
SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
unsigned int *enabledGroupsCount);
SSLNamedGroup groupNameToNamedGroup(char *name);
SECStatus parseSigSchemeList(const char *arg,
const SSLSignatureScheme **enabledSigSchemes,
unsigned int *enabledSigSchemeCount);
/*
*
security/nss/cmd/manifest.mn
+1
View File
@@ -47,6 +47,7 @@ NSS_SRCDIRS = \
listsuites \
makepqg \
multinit \
nss-policy-check \
ocspclnt \
ocspresp \
oidcalc \
security/nss/cmd/modutil/error.h
+1
View File
@@ -131,6 +131,7 @@ typedef enum {
UNDEFAULT_SUCCESS_MSG,
BROWSER_RUNNING_MSG,
ABORTING_MSG,
P11_KIT_ENABLED_MSG,
LAST_MSG /* must be last */
} Message;
security/nss/cmd/modutil/modutil.c
+27 -1
View File
@@ -138,7 +138,11 @@ char* msgStrings[] = {
"\ncorruption of your security databases. If the browser is currently running,"
"\nyou should exit browser before continuing this operation. Type "
"\n'q <enter>' to abort, or <enter> to continue: ",
"\nAborting...\n"
"\nAborting...\n",
"\nWARNING: Manually adding a module while p11-kit is enabled could cause"
"\nduplicate module registration in your security database. It is suggested "
"\nto configure the module through p11-kit configuration file instead.\n"
"\nType 'q <enter>' to abort, or <enter> to continue: "
};
/* Increment i if doing so would have i still be less than j. If you
@@ -856,6 +860,28 @@ main(int argc, char* argv[])
goto loser;
}
/* Warn if we are adding a module while p11-kit is enabled in the
* database. */
if ((command == ADD_COMMAND || command == RAW_ADD_COMMAND) &&
IsP11KitEnabled()) {
char* response;
PR_fprintf(PR_STDOUT, msgStrings[P11_KIT_ENABLED_MSG]);
if (!PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
errcode = STDIN_READ_ERR;
goto loser;
}
if ((response = strtok(stdinbuf, " \r\n\t"))) {
if (!PL_strcasecmp(response, "q")) {
PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
errcode = SUCCESS;
goto loser;
}
}
PR_fprintf(PR_STDOUT, "\n");
}
/* Execute the command */
switch (command) {
case ADD_COMMAND:
security/nss/cmd/modutil/modutil.h
+1
View File
@@ -36,6 +36,7 @@ Error RawAddModule(char *dbmodulespec, char *modulespec);
Error RawListModule(char *modulespec);
Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
PRBool IsP11KitEnabled(void);
void out_of_memory(void);
#endif /*MODUTIL_H*/
security/nss/cmd/modutil/pk11.c
+49
View File
@@ -259,6 +259,55 @@ getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
return buf;
}
static PRBool
IsP11KitProxyModule(SECMODModule *module)
{
CK_INFO modinfo;
static const char p11KitManufacturerID[33] =
"PKCS#11 Kit ";
static const char p11KitLibraryDescription[33] =
"PKCS#11 Kit Proxy Module ";
if (PK11_GetModInfo(module, &modinfo) == SECSuccess &&
PORT_Memcmp(modinfo.manufacturerID,
p11KitManufacturerID,
sizeof(modinfo.manufacturerID)) == 0 &&
PORT_Memcmp(modinfo.libraryDescription,
p11KitLibraryDescription,
sizeof(modinfo.libraryDescription)) == 0) {
return PR_TRUE;
}
return PR_FALSE;
}
PRBool
IsP11KitEnabled(void)
{
SECMODListLock *lock;
SECMODModuleList *mlp;
PRBool found = PR_FALSE;
lock = SECMOD_GetDefaultModuleListLock();
if (!lock) {
PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
return found;
}
SECMOD_GetReadLock(lock);
mlp = SECMOD_GetDefaultModuleList();
for (; mlp != NULL; mlp = mlp->next) {
if (IsP11KitProxyModule(mlp->module)) {
found = PR_TRUE;
break;
}
}
SECMOD_ReleaseReadLock(lock);
return found;
}
/**********************************************************************
*
* A d d M o d u l e
security/nss/cmd/nss-policy-check/Makefile
+47
View File
@@ -0,0 +1,47 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../platlibs.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
include ../platrules.mk
security/nss/cmd/nss-policy-check/manifest.mn
+15
View File
@@ -0,0 +1,15 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../..
MODULE = nss
CSRCS = nss-policy-check.c
REQUIRES = seccmd
PROGRAM = nss-policy-check
security/nss/cmd/nss-policy-check/nss-policy-check.c
+206
View File
@@ -0,0 +1,206 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* This program can be used to check the validity of a NSS crypto policy
* configuration file, specified using a config= line.
*
* Exit codes:
* failure: 2
* warning: 1
* success: 0
*/
#include <limits.h>
#include <errno.h>
#include <stdio.h>
#include "utilparst.h"
#include "nss.h"
#include "secport.h"
#include "secutil.h"
#include "secmod.h"
#include "ssl.h"
#include "prenv.h"
const char *sWarn = "WARN";
const char *sInfo = "INFO";
void
get_tls_info(SSLProtocolVariant protocolVariant, const char *display)
{
SSLVersionRange vrange_supported, vrange_enabled;
unsigned num_enabled = 0;
PRBool failed = PR_FALSE;
/* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault
* gives complete information. */
if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) ||
(SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) ||
!vrange_enabled.min ||
!vrange_enabled.max ||
vrange_enabled.max < vrange_supported.min ||
vrange_enabled.min > vrange_supported.max) {
failed = PR_TRUE;
} else {
if (vrange_enabled.min < vrange_supported.min) {
vrange_enabled.min = vrange_supported.min;
}
if (vrange_enabled.max > vrange_supported.max) {
vrange_enabled.max = vrange_supported.max;
}
if (vrange_enabled.min > vrange_enabled.max) {
failed = PR_TRUE;
}
}
if (failed) {
num_enabled = 0;
} else {
num_enabled = vrange_enabled.max - vrange_enabled.min + 1;
}
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n",
num_enabled ? sInfo : sWarn, display, num_enabled);
if (!num_enabled) {
PR_SetEnv("NSS_POLICY_WARN=1");
}
}
#ifndef PATH_MAX
#define PATH_MAX 1024
#endif
int
main(int argc, char **argv)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i;
SECStatus rv;
SECMODModule *module = NULL;
char path[PATH_MAX];
const char *filename;
char moduleSpec[1024 + PATH_MAX];
unsigned num_enabled = 0;
int result = 0;
int fullPathLen;
if (argc != 2) {
fprintf(stderr, "Syntax: nss-policy-check <path-to-policy-file>\n");
result = 2;
goto loser_no_shutdown;
}
fullPathLen = strlen(argv[1]);
if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) {
fprintf(stderr, "Error: cannot read file %s\n", argv[1]);
result = 2;
goto loser_no_shutdown;
}
if (fullPathLen >= PATH_MAX) {
fprintf(stderr, "Error: filename parameter is too long\n");
result = 2;
goto loser_no_shutdown;
}
path[0] = 0;
filename = argv[1] + fullPathLen - 1;
while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) {
filename--;
}
if (filename == argv[1]) {
PORT_Strcpy(path, ".");
} else {
filename++; /* Go past the path separator. */
PORT_Strncat(path, argv[1], (filename - argv[1]));
}
PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1");
rv = NSS_NoDB_Init(NULL);
if (rv != SECSuccess) {
fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
goto loser_no_shutdown;
}
PR_SetEnv("NSS_POLICY_LOADED=0");
PR_SetEnv("NSS_POLICY_FAIL=0");
PR_SetEnv("NSS_POLICY_WARN=0");
sprintf(moduleSpec,
"name=\"Policy File\" "
"parameters=\"configdir='sql:%s' "
"secmod='%s' "
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"",
path, filename);
module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) {
fprintf(stderr, "Error: failed to load policy file\n");
result = 2;
goto loser;
}
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
if (rv != SECSuccess) {
fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
goto loser;
}
for (i = 0; i < SSL_NumImplementedCiphers; i++) {
PRUint16 suite = cipherSuites[i];
PRBool enabled;
SSLCipherSuiteInfo info;
rv = SSL_CipherPrefGetDefault(suite, &enabled);
if (rv != SECSuccess) {
fprintf(stderr,
"SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(PR_GetError()));
continue;
}
rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
if (rv != SECSuccess) {
fprintf(stderr,
"SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(PR_GetError()));
continue;
}
if (enabled) {
++num_enabled;
fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName);
}
}
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled);
if (!num_enabled) {
PR_SetEnv("NSS_POLICY_WARN=1");
}
get_tls_info(ssl_variant_stream, "TLS");
get_tls_info(ssl_variant_datagram, "DTLS");
if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) {
result = 2;
} else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) {
result = 1;
}
loser:
if (module) {
SECMOD_DestroyModule(module);
}
rv = NSS_Shutdown();
if (rv != SECSuccess) {
fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
}
loser_no_shutdown:
if (result == 2) {
fprintf(stderr, "NSS-POLICY-FAIL\n");
} else if (result == 1) {
fprintf(stderr, "NSS-POLICY-WARN\n");
}
return result;
}
security/nss/cmd/nss-policy-check/nss-policy-check.gyp
+24
View File
@@ -0,0 +1,24 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
{
'includes': [
'../../coreconf/config.gypi',
'../../cmd/platlibs.gypi'
],
'targets': [
{
'target_name': 'nss-policy-check',
'type': 'executable',
'sources': [
'nss-policy-check.c'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports'
]
}
],
'variables': {
'module': 'nss'
}
}
security/nss/cmd/ocspclnt/ocspclnt.c
+5
View File
@@ -133,6 +133,8 @@ long_usage(char *progname)
"%-17s c SSL Client\n", "");
PR_fprintf(pr_stderr,
"%-17s s SSL Server\n", "");
PR_fprintf(pr_stderr,
"%-17s I IPsec\n", "");
PR_fprintf(pr_stderr,
"%-17s e Email Recipient\n", "");
PR_fprintf(pr_stderr,
@@ -908,6 +910,9 @@ cert_usage_from_char(const char *cert_usage_str, SECCertUsage *cert_usage)
case 's':
*cert_usage = certUsageSSLServer;
break;
case 'I':
*cert_usage = certUsageIPsec;
break;
case 'e':
*cert_usage = certUsageEmailRecipient;
break;
security/nss/cmd/p7verify/p7verify.c
+1
View File
@@ -117,6 +117,7 @@ Usage(char *progName)
fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", " ");
fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
exit(-1);
}
security/nss/cmd/rsaperf/rsaperf.c
+4 -4
View File
@@ -21,8 +21,8 @@
#define DEFAULT_THREADS 1
#define DEFAULT_EXPONENT 0x10001
extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(void);
extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(void);
extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(int);
extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(int);
secuPWData pwData = { PW_NONE, NULL };
@@ -580,9 +580,9 @@ main(int argc, char **argv)
/* use a hardcoded key */
printf("Using hardcoded %ld bits key.\n", keybits);
if (doPub) {
pubKey = getDefaultRSAPublicKey();
pubKey = getDefaultRSAPublicKey(keybits);
} else {
privKey = getDefaultRSAPrivateKey();
privKey = getDefaultRSAPrivateKey(keybits);
}
}
security/nss/cmd/selfserv/selfserv.c
+32 -19
View File
@@ -165,9 +165,8 @@ PrintUsageHeader(const char *progName)
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
" [-e ec_nickname]"
"\n"
" [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
" [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
" -U [0|1] -H [0|1|2] -W [0|1]\n"
"\n",
progName);
@@ -179,7 +178,7 @@ PrintParameterUsage()
fputs(
"-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
" All versions are enabled by default.\n"
" Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
" Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n"
" Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
"-D means disable Nagle delays in TCP\n"
"-R means disable detection of rollback from TLS to SSL3\n"
@@ -195,7 +194,6 @@ PrintParameterUsage()
"-s means disable SSL socket locking for performance\n"
"-u means enable Session Ticket extension for TLS.\n"
"-v means verbose output\n"
"-z means enable compression.\n"
"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
"-M maxProcs tells how many processes to run in a multi-process server\n"
"-N means do NOT use the server session cache. Incompatible with -M.\n"
@@ -228,6 +226,13 @@ PrintParameterUsage()
"-I comma separated list of enabled groups for TLS key exchange.\n"
" The following values are valid:\n"
" P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n"
"-J comma separated list of enabled signature schemes in preference order.\n"
" The following values are valid:\n"
" rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
" ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
" ecdsa_secp521r1_sha512,\n"
" rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
" rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
"-Z enable 0-RTT (for TLS 1.3; also use -u)\n",
stderr);
}
@@ -795,13 +800,14 @@ PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
PRBool disableLocking = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
PRBool enableCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
PRBool zeroRTT = PR_FALSE;
PRBool enableALPN = PR_FALSE;
SSLNamedGroup *enabledGroups = NULL;
unsigned int enabledGroupsCount = 0;
const SSLSignatureScheme *enabledSigSchemes = NULL;
unsigned int enabledSigSchemeCount = 0;
static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
static int virtServerNameIndex = 1;
@@ -1857,13 +1863,6 @@ server_main(
}
}
if (enableCompression) {
rv = SSL_OptionSet(model_sock, SSL_ENABLE_DEFLATE, PR_TRUE);
if (rv != SECSuccess) {
errExit("error enabling compression ");
}
}
if (virtServerNameIndex > 1) {
rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
(void *)&virtServerNameArray);
@@ -1970,6 +1969,13 @@ server_main(
}
}
if (enabledSigSchemes) {
rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes, enabledSigSchemeCount);
if (rv < 0) {
errExit("SSL_SignatureSchemePrefSet failed");
}
}
/* This cipher is not on by default. The Acceptance test
* would like it to be. Turn this cipher on.
*/
@@ -2214,9 +2220,10 @@ main(int argc, char **argv)
/* please keep this list of options in ASCII collating sequence.
** numbers, then capital letters, then lower case, alphabetical.
** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
** in 3.28, please leave some time before resuing those. */
** in 3.28, please leave some time before resuing those.
** 'z' was removed in 3.39. */
optstate = PL_CreateOptState(argc, argv,
"2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
"2:A:C:DGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
@@ -2429,10 +2436,6 @@ main(int argc, char **argv)
debugCache = PR_TRUE;
break;
case 'z':
enableCompression = PR_TRUE;
break;
case 'Z':
zeroRTT = PR_TRUE;
break;
@@ -2451,6 +2454,16 @@ main(int argc, char **argv)
}
break;
case 'J':
rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad signature scheme specified.\n");
fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
exit(5);
}
break;
default:
case '?':
fprintf(stderr, "Unrecognized or bad option specified.\n");
security/nss/cmd/smimetools/cmsutil.c
+1
View File
@@ -115,6 +115,7 @@ Usage(void)
fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", " ");
fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
exit(-1);
}
security/nss/cmd/tests/nonspr10.c
-2
View File
@@ -26,9 +26,7 @@
#include "cryptoht.h"
#include "ecl-exp.h"
#include "hasht.h"
#include "key.h"
#include "keyhi.h"
#include "keyt.h"
#include "keythi.h"
#include "nss.h"
#include "nssb64.h"
security/nss/cmd/tstclnt/Makefile
+1 -1
View File
@@ -1,5 +1,5 @@
#! gmake
#
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
security/nss/cmd/tstclnt/tstclnt.c
+110 -24
View File
@@ -28,6 +28,7 @@
#include "prio.h"
#include "prnetdb.h"
#include "nss.h"
#include "nssb64.h"
#include "ocsp.h"
#include "ssl.h"
#include "sslproto.h"
@@ -106,6 +107,45 @@ secuPWData pwdata = { PW_NONE, 0 };
SSLNamedGroup *enabledGroups = NULL;
unsigned int enabledGroupsCount = 0;
const SSLSignatureScheme *enabledSigSchemes = NULL;
unsigned int enabledSigSchemeCount = 0;
const char *
signatureSchemeName(SSLSignatureScheme scheme)
{
switch (scheme) {
#define strcase(x) \
case ssl_sig_##x: \
return #x
strcase(none);
strcase(rsa_pkcs1_sha1);
strcase(rsa_pkcs1_sha256);
strcase(rsa_pkcs1_sha384);
strcase(rsa_pkcs1_sha512);
strcase(ecdsa_sha1);
strcase(ecdsa_secp256r1_sha256);
strcase(ecdsa_secp384r1_sha384);
strcase(ecdsa_secp521r1_sha512);
strcase(rsa_pss_rsae_sha256);
strcase(rsa_pss_rsae_sha384);
strcase(rsa_pss_rsae_sha512);
strcase(ed25519);
strcase(ed448);
strcase(rsa_pss_pss_sha256);
strcase(rsa_pss_pss_sha384);
strcase(rsa_pss_pss_sha512);
strcase(dsa_sha1);
strcase(dsa_sha256);
strcase(dsa_sha384);
strcase(dsa_sha512);
#undef strcase
case ssl_sig_rsa_pkcs1_sha1md5:
return "RSA PKCS#1 SHA1+MD5";
default:
break;
}
return "Unknown Scheme";
}
void
printSecurityInfo(PRFileDesc *fd)
@@ -132,11 +172,13 @@ printSecurityInfo(PRFileDesc *fd)
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n"
" Compression: %s, Extended Master Secret: %s\n",
" Compression: %s, Extended Master Secret: %s\n"
" Signature Scheme: %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName,
channel.compressionMethodName,
channel.extendedMasterSecretUsed ? "Yes" : "No");
channel.extendedMasterSecretUsed ? "Yes" : "No",
signatureSchemeName(channel.signatureScheme));
}
}
cert = SSL_RevealCert(fd);
@@ -178,11 +220,13 @@ PrintUsageHeader()
{
fprintf(stderr,
"Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
"[-D | -d certdir] [-C] [-b | -R root-module] \n"
"[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
"[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
"[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n"
" [-D | -d certdir] [-C] [-b | -R root-module] \n"
" [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
" [-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
" [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
" [-I groups] [-J signatureschemes]\n"
" [-A requestfile] [-L totalconnections] [-P {client,server}]\n"
" [-N encryptedSniKeys] [-Q]\n"
"\n",
progName);
}
@@ -225,7 +269,6 @@ PrintParameterUsage()
fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
fprintf(stderr, "%-20s Enable compression.\n", "-z");
fprintf(stderr, "%-20s Enable false start.\n", "-g");
fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
@@ -255,9 +298,19 @@ PrintParameterUsage()
"%-20s The following values are valid:\n"
"%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
"-I", "", "");
fprintf(stderr, "%-20s Comma separated list of signature schemes in preference order.\n"
"%-20s The following values are valid:\n"
"%-20s rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
"%-20s ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
"%-20s ecdsa_secp521r1_sha512,\n"
"%-20s rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
"%-20s rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
"%-20s dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
"-J", "", "", "", "", "", "", "");
fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N");
}
static void
@@ -906,7 +959,6 @@ int multiplier = 0;
SSLVersionRange enabledVersions;
int disableLocking = 0;
int enableSessionTickets = 0;
int enableCompression = 0;
int enableFalseStart = 0;
int enableCertStatus = 0;
int enableSignedCertTimestamps = 0;
@@ -936,6 +988,7 @@ PRBool stopAfterHandshake = PR_FALSE;
PRBool requestToExit = PR_FALSE;
char *versionString = NULL;
PRBool handshakeComplete = PR_FALSE;
char *encryptedSNIKeys = NULL;
static int
writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
@@ -1283,14 +1336,6 @@ run()
goto done;
}
/* enable compression. */
rv = SSL_OptionSet(s, SSL_ENABLE_DEFLATE, enableCompression);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling compression");
error = 1;
goto done;
}
/* enable false start. */
rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
if (rv != SECSuccess) {
@@ -1374,6 +1419,35 @@ run()
}
}
if (enabledSigSchemes) {
rv = SSL_SignatureSchemePrefSet(s, enabledSigSchemes, enabledSigSchemeCount);
if (rv < 0) {
SECU_PrintError(progName, "SSL_SignatureSchemePrefSet failed");
error = 1;
goto done;
}
}
if (encryptedSNIKeys) {
SECItem esniKeysBin = { siBuffer, NULL, 0 };
if (!NSSBase64_DecodeBuffer(NULL, &esniKeysBin, encryptedSNIKeys,
strlen(encryptedSNIKeys))) {
SECU_PrintError(progName, "ESNIKeys record is invalid base64");
error = 1;
goto done;
}
rv = SSL_EnableESNI(s, esniKeysBin.data, esniKeysBin.len,
"dummy.invalid");
SECITEM_FreeItem(&esniKeysBin, PR_FALSE);
if (rv < 0) {
SECU_PrintError(progName, "SSL_EnableESNI failed");
error = 1;
goto done;
}
}
serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@@ -1628,10 +1702,12 @@ main(int argc, char **argv)
}
}
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
/* Note: 'B' was used in the past but removed in 3.28
* 'z' was removed in 3.39
* Please leave some time before reusing these.
*/
optstate = PL_CreateOptState(argc, argv,
"46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
"46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@@ -1708,6 +1784,10 @@ main(int argc, char **argv)
};
break;
case 'N':
encryptedSNIKeys = PORT_Strdup(optstate->value);
break;
case 'P':
useDTLS = PR_TRUE;
if (!strcmp(optstate->value, "server")) {
@@ -1850,10 +1930,6 @@ main(int argc, char **argv)
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'z':
enableCompression = 1;
break;
case 'I':
rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
if (rv != SECSuccess) {
@@ -1862,6 +1938,15 @@ main(int argc, char **argv)
Usage();
}
break;
case 'J':
rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad signature scheme specified.\n");
Usage();
}
break;
}
}
PL_DestroyOptState(optstate);
@@ -2051,6 +2136,7 @@ done:
PORT_Free(pwdata.data);
PORT_Free(host);
PORT_Free(zeroRttData);
PORT_Free(encryptedSNIKeys);
if (enabledGroups) {
PORT_Free(enabledGroups);
security/nss/cmd/vfychain/vfychain.c
+2 -1
View File
@@ -64,7 +64,8 @@ Usage(const char *progName)
"\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA,\n"
"\t\t\t 12=IPsec\n"
"\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
"\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
"\t\t\t or to trust the database if there are certificates marked -t.)\n"
security/nss/cmd/vfyserv/vfyserv.h
+1 -1
View File
@@ -24,7 +24,7 @@
#include "certt.h"
#include "nss.h"
#include "secder.h"
#include "key.h"
#include "keyhi.h"
#include "sslproto.h"
/* Custom header files */
security/nss/coreconf/config.gypi
+9
View File
@@ -108,8 +108,12 @@
'emit_llvm%': 0,
'nss_public_dist_dir%': '<(nss_dist_dir)/public',
'nss_private_dist_dir%': '<(nss_dist_dir)/private',
# This is only needed when building with --mozpkix-only and might not work
# on all machines.
'nss_include_dir%': '/usr/include/nss',
'only_dev_random%': 1,
'disable_fips%': 1,
'mozpkix_only%': 0,
},
'target_defaults': {
# Settings specific to targets should go here.
@@ -126,6 +130,11 @@
'<(nss_dist_dir)/private/<(module)',
],
'conditions': [
[ 'mozpkix_only==1 and OS=="linux"', {
'include_dirs': [
'<(nss_include_dir)',
],
}],
[ 'disable_fips==1', {
'defines': [
'NSS_FIPS_DISABLED',
security/nss/coreconf/config.mk
+4
View File
@@ -185,6 +185,10 @@ ifdef NSS_SEED_ONLY_DEV_URANDOM
DEFINES += -DSEED_ONLY_DEV_URANDOM
endif
ifdef NSS_PKCS1_AllowMissingParameters
DEFINES += -DNSS_PKCS1_AllowMissingParameters
endif
# Avoid building object leak test code for optimized library
ifndef BUILD_OPT
ifdef PKIX_OBJECT_LEAK_TEST
security/nss/coreconf/coreconf.dep
-1
View File
@@ -10,4 +10,3 @@
*/
#error "Do not include this header file."
security/nss/coreconf/fuzz.sh
+3 -4
View File
@@ -5,8 +5,7 @@ set +e
# Default to clang if CC is not set.
if [ -z "$CC" ]; then
command -v clang &> /dev/null 2>&1
if [ $? != 0 ]; then
if ! command -v clang &> /dev/null 2>&1; then
echo "Fuzzing requires clang!"
exit 1
fi
@@ -24,8 +23,8 @@ if [ "$fuzz_oss" = 1 ]; then
gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
else
enable_sanitizer asan
# Ubsan doesn't build on 32-bit at the moment. Disable it.
if [ "$build_64" = 1 ]; then
# Ubsan only builds on x64 for the moment.
if [ "$target_arch" = "x64" ]; then
enable_ubsan
fi
enable_sancov
security/nss/coreconf/msvc.sh
+106
View File
@@ -0,0 +1,106 @@
#!/bin/bash
# This configures the environment for running MSVC. It uses vswhere, the
# registry, and a little knowledge of how MSVC is laid out.
if ! hash vswhere 2>/dev/null; then
echo "Can't find vswhere on the path, aborting" 1>&2
exit 1
fi
if ! hash reg 2>/dev/null; then
echo "Can't find reg on the path, aborting" 1>&2
exit 1
fi
# Turn a unix-y path into a windows one.
fixpath() {
if hash cygpath 2>/dev/null; then
cygpath --unix "$1"
else # haxx
echo "$1" | sed -e 's,\\,/,g;s,^\(.\):,/\L\1,;s,/$,,'
fi
}
# Query the registry. This takes $1 and tags that on the end of several
# different paths, looking for a value called $2 at that location.
# e.g.,
# regquery Microsoft\Microsoft SDKs\Windows\v10.0 ProductVersion
# looks for a REG_SZ value called ProductVersion at
# HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
# HKLU\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
# etc...
regquery() {
search=("HKLM\\SOFTWARE\\Wow6432Node" \
"HKCU\\SOFTWARE\\Wow6432Node" \
"HKLM\\SOFTWARE" \
"HKCU\\SOFTWARE")
for i in "${search[@]}"; do
r=$(reg query "${i}\\${1}" -v "$2" | sed -e 's/ *'"$2"' *REG_SZ *//;t;d')
if [ -n "$r" ]; then
echo "$r"
return 0
fi
done
return 1
}
VSCOMPONENT=Microsoft.VisualStudio.Component.VC.Tools.x86.x64
vsinstall=$(vswhere -latest -requires "$VSCOMPONENT" -property installationPath)
# Attempt to setup paths if vswhere returns something and VSPATH isn't set.
# Otherwise, assume that the env is setup.
if [[ -n "$vsinstall" && -z "$VSPATH" ]]; then
case "$target_arch" in
ia32) m=x86 ;;
x64) m="$target_arch" ;;
*)
echo "No support for target '$target_arch' with MSVC." 1>&2
exit 1
esac
export VSPATH=$(fixpath "$vsinstall")
export WINDOWSSDKDIR="${VSPATH}/SDK"
export VCINSTALLDIR="${VSPATH}/VC"
CRTREG="Microsoft\\Microsoft SDKs\\Windows\\v10.0"
UniversalCRTSdkDir=$(regquery "$CRTREG" InstallationFolder)
UniversalCRTSdkDir=$(fixpath "$UniversalCRTSdkDir")
UCRTVersion=$(regquery "$CRTREG" ProductVersion)
UCRTVersion=$(cd "${UniversalCRTSdkDir}/include"; ls -d "${UCRTVersion}"* | tail -1)
VCVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCToolsVersion.default.txt")
REDISTVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCRedistVersion.default.txt")
export WIN32_REDIST_DIR="${VCINSTALLDIR}/Redist/MSVC/${REDISTVER}/${m}/Microsoft.VC141.CRT"
export WIN_UCRT_REDIST_DIR="${UniversalCRTSdkDir}/Redist/ucrt/DLLs/${m}"
if [ "$m" == "x86" ]; then
PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x64"
PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x86"
fi
PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Host${m}/${m}"
PATH="${PATH}:${UniversalCRTSdkDir}/bin/${UCRTVersion}/${m}"
PATH="${PATH}:${WIN32_REDIST_DIR}"
export PATH
INCLUDE="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/ATLMFC/include"
INCLUDE="${INCLUDE}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/include"
INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/ucrt"
INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/shared"
INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/um"
INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/winrt"
INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/cppwinrt"
export INCLUDE
LIB="${VCINSTALLDIR}/lib/${m}"
LIB="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/lib/${m}"
LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/ucrt/${m}"
LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/um/${m}"
export LIB
export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
export GYP_MSVS_VERSION=$(vswhere -latest -requires "$VSCOMPONENT" -property catalog_productLineVersion)
else
echo Assuming env setup is already done.
echo VSPATH=$VSPATH
fi
security/nss/coreconf/nspr.sh
+3
View File
@@ -32,6 +32,9 @@ nspr_build()
if [ "$opt_build" = 1 ]; then
extra_params+=(--disable-debug --enable-optimize)
fi
if [ "$target_arch" = "x64" ]; then
extra_params+=(--enable-64bit)
fi
echo "NSPR [1/3] configure ..."
pushd "$nspr_dir" >/dev/null
security/nss/cpputil/databuffer.h
+1 -1
View File
@@ -34,7 +34,7 @@ class DataBuffer {
void Allocate(size_t l) {
delete[] data_;
data_ = new uint8_t[l ? l : 1]; // Don't depend on new [0].
data_ = new uint8_t[l ? l : 1](); // Don't depend on new [0].
len_ = l;
}
security/nss/cpputil/dummy_io.h
+1 -1
View File
@@ -8,7 +8,7 @@
#include "prerror.h"
#include "prio.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
class DummyIOLayerMethods {
public:
security/nss/cpputil/scoped_ptrs.h → security/nss/cpputil/nss_scoped_ptrs.h
+7 -8
View File
@@ -4,8 +4,8 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef scoped_ptrs_h__
#define scoped_ptrs_h__
#ifndef nss_scoped_ptrs_h__
#define nss_scoped_ptrs_h__
#include <memory>
#include "cert.h"
@@ -13,7 +13,6 @@
#include "p12.h"
#include "pk11pub.h"
#include "pkcs11uri.h"
#include "sslexp.h"
struct ScopedDelete {
void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
@@ -29,6 +28,9 @@ struct ScopedDelete {
void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
void operator()(PRFileDesc* fd) { PR_Close(fd); }
void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
void operator()(SECKEYEncryptedPrivateKeyInfo* e) {
SECKEY_DestroyEncryptedPrivateKeyInfo(e, true);
}
void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
@@ -39,9 +41,6 @@ struct ScopedDelete {
void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
void operator()(SSLResumptionTokenInfo* token) {
SSL_DestroyResumptionTokenInfo(token);
}
void operator()(SEC_PKCS12DecoderContext* dcx) {
SEC_PKCS12DecoderFinish(dcx);
}
@@ -69,6 +68,7 @@ SCOPED(PK11SlotInfo);
SCOPED(PK11SymKey);
SCOPED(PRFileDesc);
SCOPED(SECAlgorithmID);
SCOPED(SECKEYEncryptedPrivateKeyInfo);
SCOPED(SECItem);
SCOPED(SECKEYPublicKey);
SCOPED(SECKEYPrivateKey);
@@ -77,10 +77,9 @@ SCOPED(PK11URI);
SCOPED(PLArenaPool);
SCOPED(PK11Context);
SCOPED(PK11GenericObject);
SCOPED(SSLResumptionTokenInfo);
SCOPED(SEC_PKCS12DecoderContext);
SCOPED(CERTDistNames);
#undef SCOPED
#endif // scoped_ptrs_h__
#endif // nss_scoped_ptrs_h__
security/nss/cpputil/scoped_ptrs_ssl.h
+35
View File
@@ -0,0 +1,35 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef scoped_ptrs_ssl_h__
#define scoped_ptrs_ssl_h__
#include <memory>
#include "sslexp.h"
struct ScopedDeleteSSL {
void operator()(SSLResumptionTokenInfo* token) {
SSL_DestroyResumptionTokenInfo(token);
}
};
template <class T>
struct ScopedMaybeDeleteSSL {
void operator()(T* ptr) {
if (ptr) {
ScopedDeleteSSL del;
del(ptr);
}
}
};
#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDeleteSSL<x> > Scoped##x
SCOPED(SSLResumptionTokenInfo);
#undef SCOPED
#endif // scoped_ptrs_ssl_h__
security/nss/cpputil/tls_parser.h
+3 -8
View File
@@ -20,13 +20,6 @@
namespace nss_test {
const uint8_t kTlsChangeCipherSpecType = 20;
const uint8_t kTlsAlertType = 21;
const uint8_t kTlsHandshakeType = 22;
const uint8_t kTlsApplicationDataType = 23;
const uint8_t kTlsAltHandshakeType = 24;
const uint8_t kTlsAckType = 25;
const uint8_t kTlsHandshakeClientHello = 1;
const uint8_t kTlsHandshakeServerHello = 2;
const uint8_t kTlsHandshakeNewSessionTicket = 4;
@@ -48,6 +41,8 @@ const uint8_t kTlsAlertBadRecordMac = 20;
const uint8_t kTlsAlertRecordOverflow = 22;
const uint8_t kTlsAlertHandshakeFailure = 40;
const uint8_t kTlsAlertBadCertificate = 42;
const uint8_t kTlsAlertCertificateRevoked = 44;
const uint8_t kTlsAlertCertificateExpired = 45;
const uint8_t kTlsAlertIllegalParameter = 47;
const uint8_t kTlsAlertDecodeError = 50;
const uint8_t kTlsAlertDecryptError = 51;
@@ -60,7 +55,7 @@ const uint8_t kTlsAlertUnrecognizedName = 112;
const uint8_t kTlsAlertNoApplicationProtocol = 120;
const uint8_t kTlsFakeChangeCipherSpec[] = {
kTlsChangeCipherSpecType, // Type
ssl_ct_change_cipher_spec, // Type
0xfe,
0xff, // Version
0x00,
security/nss/doc/certutil.xml
+8 -4
View File
@@ -84,7 +84,7 @@
<varlistentry>
<term>-F</term>
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
<option>-d</option> argument.
</para>
<para>
@@ -258,7 +258,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
<varlistentry>
<term>-h tokenname</term>
<listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
<listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para>
<para>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</para></listitem>
</varlistentry>
<varlistentry>
@@ -292,7 +293,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
<varlistentry>
<term>-n nickname</term>
<listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para></listitem>
<listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para>
<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
</varlistentry>
<varlistentry>
@@ -1017,9 +1019,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services</programlisting>
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</programlisting>
<para><command>Adding Certificates to the Database</command></para>
<para>
security/nss/doc/html/certutil.html
+9 -7
View File
@@ -1,8 +1,8 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm46274732654912"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument.
</p><p>
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113.
@@ -14,13 +14,13 @@ If this option is not used, the validity check defaults to the current system ti
Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p><p>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
The valid key type options are rsa, dsa, ec, or all. The default
value is rsa. Specifying the type of key can avoid mistakes caused by
duplicate nicknames. Giving a key type generates a new key pair;
giving the ID of an existing key reuses that key pair (which is
required to renew certificates).
</p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
</p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
If a token is available that supports more curves, the foolowing curves are supported as well:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
@@ -277,9 +277,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the <code class="option">-A</code> command option.
</p><pre class="programlisting">certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</pre><p>
For example:
security/nss/doc/html/modutil.html
+3 -1
View File
File diff suppressed because one or more lines are too long
security/nss/doc/html/pk12util.html
+2 -2
View File
@@ -1,5 +1,5 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm139975398059856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm45659476549872"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS #12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
</p><p>
pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
security/nss/doc/modutil.xml
+2
View File
@@ -322,9 +322,11 @@ Listing of PKCS #11 Modules
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
-----------------------------------------------------------</programlisting>
<para>Passing a specific module name with the <option>-list</option> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</para>
<programlisting> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
security/nss/doc/nroff/certutil.1
+11 -9
View File
@@ -2,12 +2,12 @@
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 27 October 2017
.\" Date: 5 October 2017
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&.
.PP
\-F
.RS 4
Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the
Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the
\fB\-d\fR
argument\&. Use the
\fB\-k\fR
argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the
\fB\-k\fR
argument, the option looks for an RSA key matching the specified nickname\&.
argument\&.
.sp
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&.
Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&.
.RE
.PP
\-G
@@ -321,6 +317,8 @@ Set a key size to use when generating new public and private key pairs\&. The mi
\-h tokenname
.RS 4
Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&.
.sp
The name can also be a PKCS #11 URI\&. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 7512\&.
.RE
.PP
\-i input_file
@@ -348,6 +346,8 @@ Assign a unique serial number to a certificate being created\&. This operation s
\-n nickname
.RS 4
Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&.
.sp
The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
.RE
.PP
\-o output\-file
@@ -1579,9 +1579,11 @@ $ certutil \-U \-d sql:/home/my/sharednssdb
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
.fi
.if n \{\
.RE
security/nss/doc/nroff/modutil.1
+5 -3
View File
@@ -1,13 +1,13 @@
'\" t
.\" Title: MODUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 June 2014
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 5 October 2017
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.TH "MODUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -515,9 +515,11 @@ Listing of PKCS #11 Modules
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
.fi
.if n \{\
security/nss/doc/nroff/pk12util.1
+4 -2
View File
@@ -2,12 +2,12 @@
.\" Title: PK12UTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 27 October 2017
.\" Date: 5 October 2017
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
.TH "PK12UTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -113,6 +113,8 @@ Specify the desired length of the symmetric key to be used to encrypt the certif
\-n certname
.RS 4
Specify the nickname of the cert and private key to export\&.
.sp
The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
.RE
.PP
\-P prefix
security/nss/doc/pk12util.xml
+2 -1
View File
@@ -114,7 +114,8 @@
<varlistentry>
<term>-n certname</term>
<listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
<listitem><para>Specify the nickname of the cert and private key to export.</para>
<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
</varlistentry>
<varlistentry>
security/nss/exports.gyp
+77 -58
View File
@@ -5,9 +5,82 @@
'includes': [
'coreconf/config.gypi'
],
'conditions': [
[ 'mozpkix_only==0', {
'targets': [
{
'target_name': 'nss_exports',
'type': 'none',
'direct_dependent_settings': {
'include_dirs': [
'<(nss_public_dist_dir)/nss',
]
},
'dependencies': [
'cmd/lib/exports.gyp:cmd_lib_exports',
'lib/base/exports.gyp:lib_base_exports',
'lib/certdb/exports.gyp:lib_certdb_exports',
'lib/certhigh/exports.gyp:lib_certhigh_exports',
'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
'lib/ckfw/exports.gyp:lib_ckfw_exports',
'lib/crmf/exports.gyp:lib_crmf_exports',
'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
'lib/dev/exports.gyp:lib_dev_exports',
'lib/freebl/exports.gyp:lib_freebl_exports',
'lib/jar/exports.gyp:lib_jar_exports',
'lib/nss/exports.gyp:lib_nss_exports',
'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
'lib/pki/exports.gyp:lib_pki_exports',
'lib/smime/exports.gyp:lib_smime_exports',
'lib/softoken/exports.gyp:lib_softoken_exports',
'lib/sqlite/exports.gyp:lib_sqlite_exports',
'lib/ssl/exports.gyp:lib_ssl_exports',
'lib/util/exports.gyp:lib_util_exports',
'lib/zlib/exports.gyp:lib_zlib_exports',
],
'conditions': [
[ 'disable_libpkix==0', {
'dependencies': [
'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
],
}],
],
},
{
'target_name': 'dbm_exports',
'type': 'none',
'conditions': [
['disable_dbm==0', {
'direct_dependent_settings': {
'include_dirs': [
'<(nss_public_dist_dir)/dbm'
]
},
'dependencies': [
'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
],
}],
],
}
],
}],
],
'targets': [
{
'target_name': 'nss_exports',
'target_name': 'nss_mozpkix_exports',
'type': 'none',
'direct_dependent_settings': {
'include_dirs': [
@@ -15,63 +88,9 @@
]
},
'dependencies': [
'cmd/lib/exports.gyp:cmd_lib_exports',
'lib/base/exports.gyp:lib_base_exports',
'lib/certdb/exports.gyp:lib_certdb_exports',
'lib/certhigh/exports.gyp:lib_certhigh_exports',
'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
'lib/ckfw/exports.gyp:lib_ckfw_exports',
'lib/crmf/exports.gyp:lib_crmf_exports',
'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
'lib/dev/exports.gyp:lib_dev_exports',
'lib/freebl/exports.gyp:lib_freebl_exports',
'lib/jar/exports.gyp:lib_jar_exports',
'lib/nss/exports.gyp:lib_nss_exports',
'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
'lib/pki/exports.gyp:lib_pki_exports',
'lib/smime/exports.gyp:lib_smime_exports',
'lib/softoken/exports.gyp:lib_softoken_exports',
'lib/sqlite/exports.gyp:lib_sqlite_exports',
'lib/ssl/exports.gyp:lib_ssl_exports',
'lib/util/exports.gyp:lib_util_exports',
'lib/zlib/exports.gyp:lib_zlib_exports'
],
'conditions': [
[ 'disable_libpkix==0', {
'dependencies': [
'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
],
}],
'lib/mozpkix/exports.gyp:lib_mozpkix_exports',
'lib/mozpkix/exports.gyp:lib_mozpkix_test_exports',
],
},
{
'target_name': 'dbm_exports',
'type': 'none',
'conditions': [
['disable_dbm==0', {
'direct_dependent_settings': {
'include_dirs': [
'<(nss_public_dist_dir)/dbm'
]
},
'dependencies': [
'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
],
}],
],
}
]
],
}
security/nss/fuzz/config/git-copy.sh
+3 -3
View File
@@ -1,6 +1,6 @@
#!/usr/bin/env bash
set -e
set -ex
if [ $# -lt 3 ]; then
echo "Usage: $0 <repo> <branch> <directory>" 1>&2
@@ -28,7 +28,7 @@ fi
rm -rf "$DIR"
git init -q "$DIR"
git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
git -C "$DIR" reset --hard git-copy-tmp
git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT"
git -C "$DIR" reset -q --hard FETCH_HEAD
git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
rm -rf "$DIR"/.git
security/nss/fuzz/tls_server_certs.cc
+1 -1
View File
@@ -8,7 +8,7 @@
#include "ssl.h"
#include "cpputil.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
#include "tls_server_certs.h"
const uint8_t kP256ServerCert[] = {
security/nss/gtests/certdb_gtest/alg1485_unittest.cc
+1 -1
View File
@@ -9,7 +9,7 @@
#include "gtest/gtest.h"
#include "nss.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
#include "prprf.h"
namespace nss_test {
security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
+1 -1
View File
@@ -8,7 +8,7 @@
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
#include "cryptohi.h"
#include "secitem.h"
#include "secerr.h"
security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
+1 -1
View File
@@ -11,7 +11,7 @@
#include "secutil.h"
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
namespace nss_test {
security/nss/gtests/der_gtest/p12_import_unittest.cc
+1 -1
View File
@@ -8,7 +8,7 @@
#include "p12.h"
#include "gtest/gtest.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
namespace nss_test {
security/nss/gtests/freebl_gtest/ecl_unittest.cc
+1 -1
View File
@@ -7,7 +7,7 @@
#include <stdint.h>
#include "blapi.h"
#include "scoped_ptrs.h"
#include "nss_scoped_ptrs.h"
#include "secerr.h"
namespace nss_test {
security/nss/gtests/freebl_gtest/mpi_unittest.cc
+78 -4
View File
@@ -15,7 +15,7 @@
#include "mpi.h"
namespace nss_test {
void gettime(struct timespec *tp) {
void gettime(struct timespec* tp) {
#ifdef __MACH__
clock_serv_t cclock;
mach_timespec_t mts;
@@ -69,6 +69,39 @@ class MPITest : public ::testing::Test {
mp_clear(&b);
mp_clear(&c);
}
void dump(const std::string& prefix, const uint8_t* buf, size_t len) {
auto flags = std::cerr.flags();
std::cerr << prefix << ": [" << std::dec << len << "] ";
for (size_t i = 0; i < len; ++i) {
std::cerr << std::hex << std::setw(2) << std::setfill('0')
<< static_cast<int>(buf[i]);
}
std::cerr << std::endl << std::resetiosflags(flags);
}
void TestToFixedOctets(const std::vector<uint8_t>& ref, size_t len) {
mp_int a;
ASSERT_EQ(MP_OKAY, mp_init(&a));
ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
uint8_t buf[len];
ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, len));
size_t compare;
if (len > ref.size()) {
for (size_t i = 0; i < len - ref.size(); ++i) {
ASSERT_EQ(0U, buf[i]) << "index " << i << " should be zero";
}
compare = ref.size();
} else {
compare = len;
}
dump("value", ref.data(), ref.size());
dump("output", buf, len);
ASSERT_EQ(0, memcmp(buf + len - compare, ref.data() + ref.size() - compare,
compare))
<< "comparing " << compare << " octets";
mp_clear(&a);
}
};
TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
@@ -113,6 +146,47 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
}
#endif
TEST_F(MPITest, MpiFixlenOctetsZero) {
std::vector<uint8_t> zero = {0};
TestToFixedOctets(zero, 1);
TestToFixedOctets(zero, 2);
TestToFixedOctets(zero, sizeof(mp_digit));
TestToFixedOctets(zero, sizeof(mp_digit) + 1);
}
TEST_F(MPITest, MpiFixlenOctetsVarlen) {
std::vector<uint8_t> packed;
for (size_t i = 0; i < sizeof(mp_digit) * 2; ++i) {
packed.push_back(0xa4); // Any non-zero value will do.
TestToFixedOctets(packed, packed.size());
TestToFixedOctets(packed, packed.size() + 1);
TestToFixedOctets(packed, packed.size() + sizeof(mp_digit));
}
}
TEST_F(MPITest, MpiFixlenOctetsTooSmall) {
uint8_t buf[sizeof(mp_digit) * 3];
std::vector<uint8_t> ref;
for (size_t i = 0; i < sizeof(mp_digit) * 2; i++) {
ref.push_back(3); // Any non-zero value will do.
dump("ref", ref.data(), ref.size());
mp_int a;
ASSERT_EQ(MP_OKAY, mp_init(&a));
ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
#ifdef DEBUG
// ARGCHK maps to assert() in a debug build.
EXPECT_DEATH(mp_to_fixlen_octets(&a, buf, ref.size() - 1), "");
#else
EXPECT_EQ(MP_BADARG, mp_to_fixlen_octets(&a, buf, ref.size() - 1));
#endif
ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, ref.size()));
ASSERT_EQ(0, memcmp(buf, ref.data(), ref.size()));
mp_clear(&a);
}
}
// This test is slow. Disable it by default so we can run these tests on CI.
class DISABLED_MPITest : public ::testing::Test {};
@@ -127,17 +201,17 @@ TEST_F(DISABLED_MPITest, MpiCmpConstTest) {
mp_read_radix(
&a,
const_cast<char *>(
const_cast<char*>(
"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
16);
mp_read_radix(
&b,
const_cast<char *>(
const_cast<char*>(
"FF0FFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
16);
mp_read_radix(
&c,
const_cast<char *>(
const_cast<char*>(
"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
16);
security/nss/gtests/freebl_gtest/rsa_unittest.cc
+42 -6
View File
@@ -21,7 +21,7 @@ struct ScopedDelete {
typedef std::unique_ptr<RSAPrivateKey, ScopedDelete<RSAPrivateKey>>
ScopedRSAPrivateKey;
class RSANewKeyTest : public ::testing::Test {
class RSATest : public ::testing::Test {
protected:
RSAPrivateKey* CreateKeyWithExponent(int keySizeInBits,
unsigned char publicExponent) {
@@ -34,24 +34,24 @@ class RSANewKeyTest : public ::testing::Test {
}
};
TEST_F(RSANewKeyTest, expOneTest) {
TEST_F(RSATest, expOneTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x01));
ASSERT_TRUE(key == nullptr);
}
TEST_F(RSANewKeyTest, expTwoTest) {
TEST_F(RSATest, expTwoTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x02));
ASSERT_TRUE(key == nullptr);
}
TEST_F(RSANewKeyTest, expFourTest) {
TEST_F(RSATest, expFourTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x04));
ASSERT_TRUE(key == nullptr);
}
TEST_F(RSANewKeyTest, WrongKeysizeTest) {
TEST_F(RSATest, WrongKeysizeTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
ASSERT_TRUE(key == nullptr);
}
TEST_F(RSANewKeyTest, expThreeTest) {
TEST_F(RSATest, expThreeTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
#ifdef NSS_FIPS_DISABLED
ASSERT_TRUE(key != nullptr);
@@ -59,3 +59,39 @@ TEST_F(RSANewKeyTest, expThreeTest) {
ASSERT_TRUE(key == nullptr);
#endif
}
TEST_F(RSATest, DecryptBlockTestErrors) {
unsigned char pubExp[3] = {0x01, 0x00, 0x01};
SECItem exp = {siBuffer, pubExp, 3};
ScopedRSAPrivateKey key(RSA_NewKey(2048, &exp));
ASSERT_TRUE(key);
uint8_t out[10] = {0};
uint8_t in_small[100] = {0};
unsigned int outputLen = 0;
unsigned int maxOutputLen = sizeof(out);
// This should fail because input the same size as the modulus (256).
SECStatus rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen,
in_small, sizeof(in_small));
EXPECT_EQ(SECFailure, rv);
uint8_t in[256] = {0};
// This should fail because the padding checks will fail.
rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in,
sizeof(in));
EXPECT_EQ(SECFailure, rv);
// outputLen should be maxOutputLen.
EXPECT_EQ(maxOutputLen, outputLen);
// This should fail because the padding checks will fail.
uint8_t out_long[260] = {0};
maxOutputLen = sizeof(out_long);
rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in,
sizeof(in));
EXPECT_EQ(SECFailure, rv);
// outputLen should <= 256-11=245.
EXPECT_LE(outputLen, 245u);
// Everything over 256 must be 0 in the output.
uint8_t out_long_test[4] = {0};
EXPECT_EQ(0, memcmp(out_long_test, &out_long[256], 4));
}
security/nss/gtests/google_test/VERSION
+2
View File
@@ -0,0 +1,2 @@
release-1.8.1
2fe3bd994b3189899d93f1d5a881e725e046fdc2

Some files were not shown because too many files have changed in this diff Show More