commit de64d765182f326737b5f35f7d01c7fbe592b759 parent d30a372778992512d653eb26905b7c868a7fe47f Author: Anna Weine <anna.weine@mozilla.com> Date: Wed, 26 Nov 2025 09:21:29 +0000 Bug 2000871 - upgrade NSS to 28cc2eb89479695ce2b2cb0933dccaae85887697. r=nss-reviewers,jschanck UPGRADE_NSS_RELEASE Differential Revision: https://phabricator.services.mozilla.com/D274019 Diffstat:
48 files changed, 1613 insertions(+), 278 deletions(-)
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -1,16 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes: - parameter 2 of type 'typedef SECOidTag' has sub-type changes: - underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: - type size hasn't changed - 2 enumerator insertions: - '__anonymous_enum__::SEC_OID_SECP256R1MLKEM768' value '394' - '__anonymous_enum__::SEC_OID_SECP384R1MLKEM1024' value '395' - - 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '394' to '396' at secoidt.h:34:1 - - - diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -1,16 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:149:1 has some indirect sub-type changes: - return type changed: - underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: - type size hasn't changed - 2 enumerator insertions: - '__anonymous_enum__::SEC_OID_SECP256R1MLKEM768' value '394' - '__anonymous_enum__::SEC_OID_SECP384R1MLKEM1024' value '395' - - 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '394' to '396' at secoidt.h:34:1 - - - diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt @@ -1,45 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes: - parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes: - in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1: - underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed: - type size hasn't changed - 1 data member changes (2 filtered): - type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed: - underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed: - type size hasn't changed - 1 data member changes (3 filtered): - type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed: - in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1: - underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:470:1 changed: - type size hasn't changed - 1 data member changes (1 filtered): - type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed: - in pointed to type 'NSSCMSAttribute*': - in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1: - underlying type 'struct NSSCMSAttributeStr' at cmst.h:489:1 changed: - type size hasn't changed - 1 data member change: - type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed: - in pointed to type 'typedef SECOidData' at secoidt.h:16:1: - underlying type 'struct SECOidDataStr' at secoidt.h:567:1 changed: - type size hasn't changed - 1 data member change: - type of 'SECOidTag SECOidDataStr::offset' changed: - underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: - type size hasn't changed - 2 enumerator insertions: - '__anonymous_enum__::SEC_OID_SECP256R1MLKEM768' value '394' - '__anonymous_enum__::SEC_OID_SECP384R1MLKEM1024' value '395' - - 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '394' to '396' at secoidt.h:34:1 - - - - - - - diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -1,31 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function SECStatus SSL_SetSessionTicketKeyPair(SECKEYPublicKey*, SECKEYPrivateKey*)' at sslsnce.c:1723:1 has some indirect sub-type changes: - parameter 1 of type 'SECKEYPublicKey*' has sub-type changes: - in pointed to type 'typedef SECKEYPublicKey' at keythi.h:221:1: - underlying type 'struct SECKEYPublicKeyStr' at keythi.h:205:1 changed: - type size hasn't changed - 1 data member change: - type of 'union {SECKEYRSAPublicKey rsa; SECKEYDSAPublicKey dsa; SECKEYDHPublicKey dh; SECKEYKEAPublicKey kea; SECKEYFortezzaPublicKey fortezza; SECKEYECPublicKey ec; SECKEYKyberPublicKey kyber; SECKEYMLDSAPublicKey mldsa;} SECKEYPublicKeyStr::u' changed: - type size hasn't changed - 1 data member changes (1 filtered): - type of 'SECKEYMLDSAPublicKey mldsa' changed: - underlying type 'struct SECKEYMLDSAPublicKeyStr' at keythi.h:196:1 changed: - type size hasn't changed - 1 data member change: - type of 'SECOidTag SECKEYMLDSAPublicKeyStr::paramSet' changed: - underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: - type size hasn't changed - 2 enumerator insertions: - '__anonymous_enum__::SEC_OID_SECP256R1MLKEM768' value '394' - '__anonymous_enum__::SEC_OID_SECP384R1MLKEM1024' value '395' - - 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '394' to '396' at secoidt.h:34:1 - - - - - - diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_117_BRANCH +NSS_3_118_BRANCH diff --git a/security/nss/automation/release/README.md b/security/nss/automation/release/README.md @@ -0,0 +1,111 @@ +# NSS Release Documentation and Email Generation Scripts + +This directory contains Python scripts to automate the generation of NSS release documentation and release announcement emails. + +## Scripts + +### 1. `generate_release_doc.py` + +Generates the RST documentation file for an NSS release based on the version number and commit history. + +**Usage:** +```bash +python3 generate_release_doc.py <version> <previous_version> [output_file] +``` + +**Arguments:** +- `<version>`: The version being released (e.g., `3.118` or `3.118.1`) +- `<previous_version>`: The previous release version (e.g., `3.117`) +- `[output_file]`: Optional. Path where to write the RST file. If not provided, defaults to `doc/rst/releases/nss_<version>.rst` + +**Examples:** +```bash +# Generate documentation for NSS 3.118 +python3 automation/release/generate_release_doc.py 3.118 3.117 + +# Generate documentation for NSS 3.118.1 with custom output path +python3 automation/release/generate_release_doc.py 3.118.1 3.118 doc/rst/releases/nss_3_118_1.rst +``` + +**What it does:** +1. Reads the required NSPR version from `automation/release/nspr-version.txt` +2. Extracts bug changes from Mercurial log between the two version tags +3. Generates an RST file following the standard NSS release notes format +4. Includes release date, distribution information, and all bug fixes + +### 2. `generate_release_email.py` + +Generates the release announcement email text based on the version number and commit history. + +**Usage:** +```bash +python3 generate_release_email.py <version> <previous_version> [output_file] +``` + +**Arguments:** +- `<version>`: The version being released (e.g., `3.118` or `3.118.1`) +- `<previous_version>`: The previous release version (e.g., `3.117`) +- `[output_file]`: Optional. Path where to write the email text. If not provided, prints to stdout + +**Examples:** +```bash +# Generate email for NSS 3.118 (print to stdout) +python3 automation/release/generate_release_email.py 3.118 3.117 + +# Generate email for NSS 3.118.1 and save to file +python3 automation/release/generate_release_email.py 3.118.1 3.118 release_email_3.118.1.txt +``` + +**What it does:** +1. Reads the required NSPR version from `automation/release/nspr-version.txt` +2. Extracts bug changes from Mercurial log between the two version tags +3. Generates email text following the standard NSS release announcement format +4. Includes release date, distribution information, all bug fixes, and compatibility notes + +## Requirements + +Both scripts require: +- Python 3 +- Mercurial (`hg` command) +- Must be run from the NSS repository root directory +- Release tags must exist in the repository (e.g., `NSS_3_118_RTM`, `NSS_3_117_RTM`) + +## Complete Release Workflow + +For a complete NSS release (e.g., NSS 3.118), follow these steps: + +1. **Generate the release documentation:** + ```bash + cd /path/to/nss + python3 automation/release/generate_release_doc.py 3.118 3.117 + ``` + +2. **Update the release notes index** (if needed): + - Edit `doc/rst/releases/index.rst` to add the new release at the top of the toctree + - Update the "latest version" note + +3. **Generate the release email:** + ```bash + python3 automation/release/generate_release_email.py 3.118 3.117 > release_email.txt + ``` + +4. **Review and commit:** + - Review the generated documentation + - Commit the new release notes to the repository + - Send the release email to the appropriate mailing list + +## Integration with Existing Tools + +These scripts complement the existing `nss-release-helper.py` script, which provides a complete automated release workflow. You can use these standalone scripts if you need to: +- Regenerate documentation after tags have been created +- Generate release notes for hotfix releases +- Create documentation for past releases +- Test documentation generation before running the full release process + +## Notes + +- The scripts automatically extract the current date for the release date +- Bug entries are automatically formatted and deduplicated +- The scripts read the NSPR version from `automation/release/nspr-version.txt` +- Only commits with "Bug XXXXXX" in the message are included in the changes list + diff --git a/security/nss/automation/release/generate_release_doc.py b/security/nss/automation/release/generate_release_doc.py @@ -0,0 +1,185 @@ +#!/usr/bin/env python3 +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Generate NSS release documentation (RST file) based on version number. + +Usage: python3 generate_release_doc.py <version> <previous_version> [output_file] + +Example: + python3 generate_release_doc.py 3.118 3.117 + python3 generate_release_doc.py 3.118.1 3.118 doc/rst/releases/nss_3_118_1.rst +""" + +import os +import re +import sys +from datetime import datetime +from subprocess import check_output + + +def exit_with_failure(message): + """Exit the script with an error message.""" + print(f"ERROR: {message}", file=sys.stderr) + sys.exit(1) + + +def version_string_to_underscore(version_string): + """Convert version string like '3.118' to '3_118'.""" + return version_string.replace('.', '_') + + +def version_string_to_RTM_tag(version_string): + """Convert version string like '3.118' to 'NSS_3_118_RTM'.""" + parts = version_string.split('.') + return "NSS_" + "_".join(parts) + "_RTM" + + +def get_nspr_version(): + """Read the NSPR version from automation/release/nspr-version.txt.""" + nspr_version_file = "automation/release/nspr-version.txt" + try: + with open(nspr_version_file, 'r') as f: + return f.readline().strip() + except FileNotFoundError: + exit_with_failure(f"Could not find {nspr_version_file}. Are you running from the NSS root directory?") + + +def get_changes_from_hg(current_tag, previous_tag): + """Extract bug changes from Mercurial log between two tags.""" + try: + # Get log entries between previous tag and current tag + command = ["hg", "log", "-r", f"{previous_tag}:{current_tag}", "--template", "{desc|firstline}\\n"] + log_output = check_output(command).decode('utf-8') + except Exception as e: + exit_with_failure(f"Failed to get hg log: {e}") + + # Extract bug numbers and descriptions + bug_lines = [] + for line in reversed(log_output.split('\n')): + if 'Bug' in line or 'bug' in line: + line = line.strip() + # Remove reviewer information + line = line.split("r=")[0].strip() + + # Match patterns like "Bug 1234567 Something" and convert to "Bug 1234567 - Something" + line = re.sub(r'(Bug\s+\d+)\s+([^-])', r'\1 - \2', line, flags=re.IGNORECASE) + + # Clean up punctuation + if line: + line = line.rstrip(',') + + # Add a full stop at the end if there isn't one + if line and not line.endswith('.'): + line = line + '.' + + if line and line not in bug_lines: + bug_lines.append(line) + + return bug_lines + + +def generate_rst_content(version, nspr_version, bug_lines, release_date): + """Generate the RST content for the release notes.""" + version_underscore = version_string_to_underscore(version) + changes_text = "\n".join([f" - {line}" for line in bug_lines]) + + rst_content = f""".. _mozilla_projects_nss_nss_{version_underscore}_release_notes: + +NSS {version} release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) {version} was released on *{release_date}**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_{version_underscore}_RTM. NSS {version} requires NSPR {nspr_version} or newer. + + NSS {version} source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_{version_underscore}_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_{version}: + +`Changes in NSS {version} <#changes_in_nss_{version}>`__ +------------------------------------------------------------------ + +.. container:: + +{changes_text} + +""" + return rst_content + + +def main(): + if len(sys.argv) < 3: + print(__doc__) + sys.exit(1) + + version = sys.argv[1].strip() + previous_version = sys.argv[2].strip() + + # Determine output file + if len(sys.argv) >= 4: + output_file = sys.argv[3].strip() + else: + version_underscore = version_string_to_underscore(version) + output_file = f"doc/rst/releases/nss_{version_underscore}.rst" + + # Get current date + current_date = datetime.now().strftime("%-d %B %Y") + + # Get NSPR version + nspr_version = get_nspr_version() + + # Convert versions to tags + current_tag = version_string_to_RTM_tag(version) + previous_tag = version_string_to_RTM_tag(previous_version) + + print(f"Generating release documentation for NSS {version}") + print(f"Previous version: {previous_version}") + print(f"Current tag: {current_tag}") + print(f"Previous tag: {previous_tag}") + print(f"NSPR version: {nspr_version}") + print(f"Release date: {current_date}") + print() + + # Get changes from Mercurial + print("Extracting changes from Mercurial...") + bug_lines = get_changes_from_hg(current_tag, previous_tag) + print(f"Found {len(bug_lines)} bug entries") + print() + + # Generate RST content + rst_content = generate_rst_content(version, nspr_version, bug_lines, current_date) + + # Write to file + os.makedirs(os.path.dirname(output_file), exist_ok=True) + with open(output_file, 'w') as f: + f.write(rst_content) + + print(f"Release documentation written to: {output_file}") + print() + print("=" * 70) + print("Preview:") + print("=" * 70) + print(rst_content) + + +if __name__ == "__main__": + main() + diff --git a/security/nss/automation/release/generate_release_email.py b/security/nss/automation/release/generate_release_email.py @@ -0,0 +1,167 @@ +#!/usr/bin/env python3 +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Generate NSS release email text based on version number. + +Usage: python3 generate_release_email.py <version> <previous_version> [output_file] + +Example: + python3 generate_release_email.py 3.118 3.117 + python3 generate_release_email.py 3.118.1 3.118 release_email_3.118.1.txt +""" + +import os +import re +import sys +from datetime import datetime +from subprocess import check_output + + +def exit_with_failure(message): + """Exit the script with an error message.""" + print(f"ERROR: {message}", file=sys.stderr) + sys.exit(1) + + +def version_string_to_underscore(version_string): + """Convert version string like '3.118' to '3_118'.""" + return version_string.replace('.', '_') + + +def version_string_to_RTM_tag(version_string): + """Convert version string like '3.118' to 'NSS_3_118_RTM'.""" + parts = version_string.split('.') + return "NSS_" + "_".join(parts) + "_RTM" + + +def get_nspr_version(): + """Read the NSPR version from automation/release/nspr-version.txt.""" + nspr_version_file = "automation/release/nspr-version.txt" + try: + with open(nspr_version_file, 'r') as f: + return f.readline().strip() + except FileNotFoundError: + exit_with_failure(f"Could not find {nspr_version_file}. Are you running from the NSS root directory?") + + +def get_changes_from_hg(current_tag, previous_tag): + """Extract bug changes from Mercurial log between two tags.""" + try: + # Get log entries between previous tag and current tag + command = ["hg", "log", "-r", f"{previous_tag}:{current_tag}", "--template", "{desc|firstline}\\n"] + log_output = check_output(command).decode('utf-8') + except Exception as e: + exit_with_failure(f"Failed to get hg log: {e}") + + # Extract bug numbers and descriptions + bug_lines = [] + for line in reversed(log_output.split('\n')): + if 'Bug' in line or 'bug' in line: + line = line.strip() + # Remove reviewer information + line = line.split("r=")[0].strip() + + # Match patterns like "Bug 1234567 Something" and convert to "Bug 1234567 - Something" + line = re.sub(r'(Bug\s+\d+)\s+([^-])', r'\1 - \2', line, flags=re.IGNORECASE) + + # Clean up punctuation + if line: + line = line.rstrip(',') + + # Add a full stop at the end if there isn't one + if line and not line.endswith('.'): + line = line + '.' + + if line and line not in bug_lines: + bug_lines.append(line) + + return bug_lines + + +def generate_email_content(version, nspr_version, bug_lines, release_date): + """Generate the email content for the release announcement.""" + version_underscore = version_string_to_underscore(version) + changes_text = "\n\n".join([f" {line}" for line in bug_lines]) + + email_content = f"""Network Security Services (NSS) {version} was released on {release_date}. + + + +The HG tag is NSS_{version_underscore}_RTM. This version of NSS requires NSPR {nspr_version} or newer. The latest version of NSPR is {nspr_version}. + +NSS {version} source distributions are available on ftp.mozilla.org for secure HTTPS download: + +<https://ftp.mozilla.org/pub/security/nss/releases/NSS_{version_underscore}_RTM/src/> + +Changes: + +{changes_text} + +NSS {version} shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries. + +Bugs discovered should be reported by filing a bug report at <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS> + +Release notes are available at <https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>. +""" + return email_content + + +def main(): + if len(sys.argv) < 3: + print(__doc__) + sys.exit(1) + + version = sys.argv[1].strip() + previous_version = sys.argv[2].strip() + + # Determine output file (optional) + output_file = None + if len(sys.argv) >= 4: + output_file = sys.argv[3].strip() + + # Get current date + current_date = datetime.now().strftime("%-d %B %Y") + + # Get NSPR version + nspr_version = get_nspr_version() + + # Convert versions to tags + current_tag = version_string_to_RTM_tag(version) + previous_tag = version_string_to_RTM_tag(previous_version) + + print(f"Generating release email for NSS {version}") + print(f"Previous version: {previous_version}") + print(f"Current tag: {current_tag}") + print(f"Previous tag: {previous_tag}") + print(f"NSPR version: {nspr_version}") + print(f"Release date: {current_date}") + print() + + # Get changes from Mercurial + print("Extracting changes from Mercurial...") + bug_lines = get_changes_from_hg(current_tag, previous_tag) + print(f"Found {len(bug_lines)} bug entries") + print() + + # Generate email content + email_content = generate_email_content(version, nspr_version, bug_lines, current_date) + + # Write to file if specified, otherwise print to stdout + if output_file: + with open(output_file, 'w') as f: + f.write(email_content) + print(f"Release email written to: {output_file}") + print() + + print("=" * 70) + print("Email Content:") + print("=" * 70) + print(email_content) + + +if __name__ == "__main__": + main() + diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt @@ -1,4 +1,4 @@ -4.37 +4.38.2 # The first line of this file must contain the human readable NSPR # version number, which is the minimum required version of NSPR diff --git a/security/nss/automation/release/nss-release-helper.py b/security/nss/automation/release/nss-release-helper.py @@ -797,7 +797,8 @@ def create_nss_release_archive(args): nss_nspr_tar = "nss-" + nssrel + "-with-nspr-" + nsprrel + ".tar.gz" - check_call_noisy([tar_cmd, "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel]) + check_call_noisy([tar_cmd, "-cz", "-f", nss_nspr_tar, "nss-" + nssrel]) + check_call_noisy(["rm", "-rf", "nss-" + nssrel]) check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True) check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True) print("created directory " + nss_stagedir + " with files:") diff --git a/security/nss/build.sh b/security/nss/build.sh @@ -95,6 +95,7 @@ while [ $# -gt 0 ]; do -m32|--m32) target_arch=ia32; echo 'Warning: use -t instead of -m32' 1>&2 ;; -t|--target) target_arch="$2"; shift ;; --target=*) target_arch="${1#*=}" ;; + --build-tools-cc=*) build_tools_cc="${1#*=}" ;; --clang) export CC=clang; export CCC=clang++; export CXX=clang++; msvc=0 ;; --gcc) export CC=gcc; export CCC=g++; export CXX=g++; msvc=0 ;; --msvc) msvc=1 ;; @@ -170,6 +171,11 @@ else target=Debug fi +# When cross-compiling, system zlib for the target architecture may not be available +if [[ -n "$CC" && -n "$build_tools_cc" && "$CC" != "$build_tools_cc" ]]; then + gyp_params+=(-Duse_system_zlib=0 -Dsign_libs=0) +fi + gyp_params+=(-Denable_sslkeylogfile="$sslkeylogfile") # Do special setup. diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi @@ -144,7 +144,6 @@ 'coverage%': 0, 'softfp_cflags%': '', 'enable_draft_hpke%': 0, - 'force_integrated_as%': 0, 'disable_ckbi%': 0, 'ppc_abi%': 0, 'use_pkcs5_pbkd2_params2_only%': 0, diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep @@ -12,4 +12,3 @@ #error "Do not include this header file." - diff --git a/security/nss/coreconf/nspr.sh b/security/nss/coreconf/nspr.sh @@ -36,10 +36,21 @@ nspr_build() extra_params+=(--enable-64bit) fi + if [[ -n "$CC" && -n "$build_tools_cc" && "$CC" != "$build_tools_cc" ]]; then + # If build_tools_cc is specified, we expect CC to include a target + # triple e.g. "CC=powerpc-linux-gnu-gcc". NSPR, confusingly, uses + # "HOST_CC" to build tools like nsinstall that are called during the + # build process and it uses the parameter "--host" to specify the + # target triple for the build. + HOST_CC="$build_tools_cc" + extra_params+=(--host="${CC%-*}") + fi + echo "NSPR [1/5] configure ..." pushd "$nspr_dir" >/dev/null + CFLAGS="$nspr_cflags" CXXFLAGS="$nspr_cxxflags" \ - LDFLAGS="$nspr_ldflags" CC="$CC" CXX="$CCC" \ + LDFLAGS="$nspr_ldflags" HOST_CC="$HOST_CC" CC="$CC" CXX="$CCC" \ run_verbose ../configure "${extra_params[@]}" "$@" popd >/dev/null echo "NSPR [2/5] make ..." diff --git a/security/nss/cpputil/nss_scoped_ptrs.h b/security/nss/cpputil/nss_scoped_ptrs.h @@ -56,6 +56,15 @@ struct ScopedDelete { void operator()(SEC_PKCS12DecoderContext* dcx) { SEC_PKCS12DecoderFinish(dcx); } + void operator()(SEC_PKCS7DecoderContext* dcx) { + SEC_PKCS7ContentInfo* cinfo = SEC_PKCS7DecoderFinish(dcx); + if (cinfo) { + SEC_PKCS7DestroyContentInfo(cinfo); + } + } + void operator()(SEC_PKCS7ContentInfo* cinfo) { + SEC_PKCS7DestroyContentInfo(cinfo); + } void operator()(NSSInitContext* init) { NSS_ShutdownContext(init); } }; @@ -96,6 +105,8 @@ SCOPED(SECKEYPrivateKeyList); SCOPED(SECKEYPublicKey); SCOPED(SECMODModule); SCOPED(SEC_PKCS12DecoderContext); +SCOPED(SEC_PKCS7DecoderContext); +SCOPED(SEC_PKCS7ContentInfo); #undef SCOPED diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst @@ -8,6 +8,8 @@ Release Notes :glob: :hidden: + nss_3_118_1.rst + nss_3_118.rst nss_3_117.rst nss_3_116.rst nss_3_115_1.rst @@ -95,8 +97,8 @@ Release Notes .. note:: - **NSS 3.117** is the latest version of NSS. - Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_117_release_notes` + **NSS 3.118.1** is the latest version of NSS. + Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_118_1_release_notes` **NSS 3.112.2 (ESR)** is the latest ESR version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_1_release_notes` diff --git a/security/nss/doc/rst/releases/nss_3_118.rst b/security/nss/doc/rst/releases/nss_3_118.rst @@ -0,0 +1,56 @@ +.. _mozilla_projects_nss_nss_3_118_release_notes: + +NSS 3.118 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.118 was released on *18 November 2025**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_118_RTM. NSS 3.118 requires NSPR 4.37 or newer. + + NSS 3.118 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_118_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.118: + +`Changes in NSS 3.118 <#changes_in_nss_3.118>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1994866 - Remove four Commscope root certificates from NSS. + - Bug 1996036 - fix try pushes with --nspr-patch to actually apply the patch. + - Bug 1995512 - Support for NIST Curves compressed points. + - Bug 1985058 - Destroy certificate on error paths. + - Bug 1990242 - Move NSS DB password hash away from SHA-1. + - Bug 1983313 - support secp384r1mlkem1024. + - Bug 1991549 - vendor latest ML-KEM code from libcrux. + - Bug 1991549 - add mlk-kem-1024 tests. + - Bug 1996717 - use the correct directory for FStar_UInt_8_16_32_64.h in source consistency test. + - Bug 1766767 - Move scripts to python3. + - Bug 1983313 - add mlkem1024 support in freebl. + - Bug 1983313 - support secp256r1mlkem768. + - Bug 1983313 - Make mlkem768x25519 the default. + - Bug 1983320 - ML-DSA SGN and VFY interfaces. + - Bug 1988625 - Align FIPS interfaces count with array. + - Bug 1989477 - Ensure CKK_ML_KEM has derive CK_FALSE. + - Bug 1992128 - Add script for tagging an NSS release. + - Bug 1992128 - Remove the globals from nss-release-helper.py. + - Bug 1992128 - Add release helper command for generating the release index. + - Bug 1992128 - Add release helper command for generating a release note. + - Bug 1992128 - Add release helper command for freezing a branch. + + diff --git a/security/nss/doc/rst/releases/nss_3_118_1.rst b/security/nss/doc/rst/releases/nss_3_118_1.rst @@ -0,0 +1,36 @@ +.. _mozilla_projects_nss_nss_3_118_1_release_notes: + +NSS 3.118.1 release notes +========================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.118.1 was released on *18 November 2025**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_118_1_RTM. NSS 3.118.1 requires NSPR 4.37 or newer. + + NSS 3.118.1 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_118_1_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.118.1: + +`Changes in NSS 3.118.1 <#changes_in_nss_3.118.1>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*. + + diff --git a/security/nss/gtests/der_gtest/der_gtest.gyp b/security/nss/gtests/der_gtest/der_gtest.gyp @@ -14,6 +14,7 @@ 'der_getint_unittest.cc', 'der_quickder_unittest.cc', 'p12_import_unittest.cc', + 'p7_import_unittest.cc', 'secasn1decode_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], diff --git a/security/nss/gtests/der_gtest/p12_import_unittest.cc b/security/nss/gtests/der_gtest/p12_import_unittest.cc @@ -231,6 +231,13 @@ static const uint8_t cert_p12[] = { 0x51, 0x04, 0x08, 0xa1, 0x52, 0xdd, 0x64, 0x46, 0xe9, 0x9e, 0x3e, 0x02, 0x02, 0x08, 0x00}; +unsigned char leak_p12[] = { + 0x30, 0x82, 0x20, 0x20, 0x02, 0x01, 0xff, 0x30, 0x82, 0x09, 0x20, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x50, + 0x30, 0x3f, 0x02, 0x01, 0x20, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x30, 0x20, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}; + class PK12ImportTest : public ::testing::Test {}; TEST_F(PK12ImportTest, ImportPK12With2P7) { @@ -248,4 +255,20 @@ TEST_F(PK12ImportTest, ImportPK12With2P7) { ASSERT_EQ(SECFailure, rv); } +TEST_F(PK12ImportTest, FailsToImportButShouldNotLeak) { + SECItem password = {siBuffer, nullptr, 0}; + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedSEC_PKCS12DecoderContext dcx( + SEC_PKCS12DecoderStart(&password, slot.get(), nullptr, nullptr, nullptr, + nullptr, nullptr, nullptr)); + ASSERT_TRUE(dcx); + SECStatus rv = SEC_PKCS12DecoderUpdate( + dcx.get(), const_cast<uint8_t *>(leak_p12), sizeof(leak_p12)); + ASSERT_EQ(SECSuccess, rv); + rv = SEC_PKCS12DecoderVerify(dcx.get()); + // This is not a valid PKCS12 file, so a failing return value is expected. + // However, the implementation shouldn't leak memory as a result. + ASSERT_EQ(SECFailure, rv); +} + } // namespace nss_test diff --git a/security/nss/gtests/der_gtest/p7_import_unittest.cc b/security/nss/gtests/der_gtest/p7_import_unittest.cc @@ -0,0 +1,60 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nss.h" +#include "secpkcs7.h" + +#include "gtest/gtest.h" +#include "nss_scoped_ptrs.h" + +namespace nss_test { + +// This is an invalid PKCS7 message. Among other things, it contains some +// unknown hash OIDs. This should fail to parse, but it should be safe to try. +static const uint8_t p7_with_unknown_hashes[] = { + 0x30, 0x4d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x02, 0xa0, 0x40, 0x30, 0x3e, 0x02, 0x01, 0x20, 0x31, 0x27, 0x30, 0x0b, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x30, + 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, + 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, + 0x04, 0x30, 0x10, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x03, 0x04, 0x01, 0x00}; + +// This is an invalid PKCS7 message. It contains multiple hash OIDs (that's not +// what makes it invalid). When it fails to parse, the associated digest data +// structures should be freed correctly. +static const uint8_t p7_with_multiple_hashes[] = { + 0x30, 0x4d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x02, 0xa0, 0x40, 0x30, 0x3e, 0x02, 0x01, 0x20, 0x31, 0x27, 0x30, 0x0b, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, + 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, + 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, + 0x04, 0x30, 0x10, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x03, 0x04, 0x01, 0x00}; + +class P7ImportTest : public ::testing::Test {}; + +TEST_F(P7ImportTest, FailSafeWithUnknownHashes) { + ScopedSEC_PKCS7DecoderContext dcx(SEC_PKCS7DecoderStart( + nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr)); + ASSERT_TRUE(dcx); + SECStatus rv = SEC_PKCS7DecoderUpdate( + dcx.get(), reinterpret_cast<const char*>(p7_with_unknown_hashes), + sizeof(p7_with_unknown_hashes)); + ASSERT_EQ(SECFailure, rv); +} + +TEST_F(P7ImportTest, NoLeakWithMultipleHashes) { + ScopedSEC_PKCS7DecoderContext dcx(SEC_PKCS7DecoderStart( + nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr)); + ASSERT_TRUE(dcx); + SECStatus rv = SEC_PKCS7DecoderUpdate( + dcx.get(), reinterpret_cast<const char*>(p7_with_multiple_hashes), + sizeof(p7_with_multiple_hashes)); + ASSERT_EQ(SECFailure, rv); +} + +} // namespace nss_test diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp @@ -46,7 +46,8 @@ class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test // tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h -// tlv_id_kp_clientAuth and tlv_id_kp_codeSigning are defined in pkixgtest.h +// tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, tlv_id_kp_documentSigning and +// tlv_id_kp_documentSigningAdobe are defined in pkixgtest.h // python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4 static const uint8_t tlv_id_kp_emailProtection[] = { @@ -104,6 +105,21 @@ TEST_F(pkixcheck_CheckExtendedKeyUsage, none) KeyPurposeId::id_kp_OCSPSigning)); ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr, KeyPurposeId::id_kp_OCSPSigning)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, + nullptr, + KeyPurposeId::id_kp_documentSigning)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr, + KeyPurposeId::id_kp_documentSigning)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, + nullptr, + KeyPurposeId::id_kp_documentSigningAdobe)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr, + KeyPurposeId::id_kp_documentSigningAdobe)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, + nullptr, + KeyPurposeId::id_kp_documentSigningMicrosoft)); + ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr, + KeyPurposeId::id_kp_documentSigningMicrosoft)); } static const Input empty_null; @@ -192,6 +208,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth), @@ -199,6 +218,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth), @@ -206,6 +228,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth), @@ -213,6 +238,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningMicrosoft), // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed // except OCSPSigning. @@ -222,6 +250,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -229,6 +260,39 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -236,6 +300,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -243,6 +310,9 @@ static const EKUTestcase EKU_TESTCASES[] = SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth), @@ -250,6 +320,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth), @@ -257,6 +330,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth), @@ -264,6 +340,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth), @@ -271,6 +350,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -278,6 +360,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -285,6 +400,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -292,6 +410,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth), @@ -299,6 +420,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth), @@ -306,6 +430,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth), @@ -313,6 +440,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -320,6 +450,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -327,6 +490,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -334,6 +500,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth), @@ -341,6 +510,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth), @@ -348,6 +520,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -355,6 +530,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -362,6 +570,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -369,6 +580,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth), @@ -376,6 +590,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -383,6 +600,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -390,6 +640,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -397,6 +650,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth), @@ -404,6 +660,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -411,6 +700,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -418,6 +710,39 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigning, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), @@ -425,6 +750,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -432,6 +760,99 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningAdobe, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_id_kp_documentSigningMicrosoft, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningAdobe, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, tlv_unknownOID, KeyPurposeId::id_kp_documentSigningMicrosoft), + + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_SUCCESS(tlv_id_kp_documentSigningMicrosoft, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage), DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth), @@ -439,6 +860,9 @@ static const EKUTestcase EKU_TESTCASES[] = DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning), DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection), DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning), + DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigning), + DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningAdobe), + DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_documentSigningMicrosoft), }; INSTANTIATE_TEST_SUITE_P(pkixcheck_CheckExtendedKeyUsage, diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.h b/security/nss/gtests/mozpkix_gtest/pkixgtest.h @@ -240,6 +240,20 @@ const uint8_t tlv_id_kp_codeSigning[] = {0x06, 0x08, 0x2b, 0x06, 0x01, // python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37 const uint8_t tlv_id_ce_extKeyUsage[] = {0x06, 0x03, 0x55, 0x1d, 0x25}; +// python DottedOIDToCode.py --tlv id-kp-documentSigning 1.3.6.1.5.5.7.3.36 +static const uint8_t tlv_id_kp_documentSigning[] = { + 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x24}; + +// python DottedOIDToCode.py --tlv +// id-kp-documentSigningAdobe 1.2.840.113583.1.1.5 +static const uint8_t tlv_id_kp_documentSigningAdobe[] = { + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x2f, 0x01, 0x01, 0x05}; + +// python DottedOIDToCode.py --tlv +// id-kp-documentSigningMicrosoft 1.3.6.1.4.1.311.10.3.12 +static const uint8_t tlv_id_kp_documentSigningMicrosoft[] = { + 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x0c}; + inline ByteString CreateEKUExtension(ByteString ekuOIDs) { return TLV(der::SEQUENCE, BytesToByteString(tlv_id_ce_extKeyUsage) + diff --git a/security/nss/gtests/pk11_gtest/pk11_kem_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_kem_unittest.cc @@ -114,6 +114,8 @@ TEST_P(Pkcs11KEMTest, KemConsistencyTest) { ScopedPK11SlotInfo slot(PK11_GetBestSlot(encapsMech(), nullptr)); ASSERT_NE(nullptr, slot); + std::string name = PK11_GetSlotName(slot.get()); + ASSERT_EQ(name, "NSS Internal Cryptographic Services"); ASSERT_NE((unsigned int)CK_INVALID_HANDLE, PK11_ImportPublicKey(slot.get(), pubCopy.get(), PR_FALSE)); @@ -151,10 +153,10 @@ TEST_P(Pkcs11KEMTest, KemConsistencyTest) { #ifndef NSS_DISABLE_KYBER INSTANTIATE_TEST_SUITE_P(Pkcs11KEMTest, Pkcs11KEMTest, ::testing::Values(CKP_NSS_KYBER_768_ROUND3, - CKP_NSS_ML_KEM_768)); + CKP_NSS_ML_KEM_768, CKP_ML_KEM_768)); #else INSTANTIATE_TEST_SUITE_P(Pkcs11KEMTest, Pkcs11KEMTest, - ::testing::Values(CKP_NSS_ML_KEM_768)); + ::testing::Values(CKP_NSS_ML_KEM_768, CKP_ML_KEM_768)); #endif } // namespace nss_test diff --git a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc @@ -17,6 +17,69 @@ namespace nss_test { +// NSS doesn't support DTLS1.2 HelloVerifyRequest so we have to inject it +// ourselves. Inject a DTLS 1.2 HelloVerifyRequest to the client, carrying a +// simple cookie. +static void SendHelloVerifyRequest(const std::shared_ptr<TlsAgent>& server, + uint8_t cookie_len = 8) { + // struct { ProtocolVersion server_version; opaque cookie<0..2^8-1>; } HVR; + DataBuffer hvr_body; + size_t off = 0; + off = hvr_body.Write(off, SSL_LIBRARY_VERSION_DTLS_1_0_WIRE, 2); + + DataBuffer cookie; + cookie.Allocate(cookie_len); + for (uint8_t i = 0; i < cookie_len; ++i) { + cookie.Write(i, 0xA0 + i, 1); + } + WriteVariable(&hvr_body, off, cookie, 1); + + // Handshake header (DTLS): type, length, message_seq, frag_off, frag_len + DataBuffer hvr; + off = 0; + off = hvr.Write(off, ssl_hs_hello_verify_request, 1); + off = hvr.Write(off, hvr_body.len(), 3); + off = hvr.Write(off, static_cast<uint32_t>(0), 2); + off = hvr.Write(off, static_cast<uint32_t>(0), 3); + off = hvr.Write(off, hvr_body.len(), 3); + off = hvr.Write(off, hvr_body); + + // Send as a DTLS 1.2 handshake record. + TlsRecordHeader rec(ssl_variant_datagram, SSL_LIBRARY_VERSION_DTLS_1_0, + ssl_ct_handshake, 0 /* epoch 0, seq 0 */); + DataBuffer record; + rec.Write(&record, 0, hvr); + server->SendDirect(record); +} + +// After HelloVerifyRequest (DTLS 1.2), the client must not include the TLS 1.3 +// cookie extension in the second ClientHello. The cookie only belongs in the +// DTLS ClientHello legacy cookie field in this case. +TEST_F(DtlsConnectTest, NoTls13CookieExtensionAfterHelloVerifyRequest) { + EnsureTlsSetup(); + client_->SetVersionRange(SSL_LIBRARY_VERSION_DTLS_1_0, + SSL_LIBRARY_VERSION_DTLS_1_3); + server_->SetVersionRange(SSL_LIBRARY_VERSION_DTLS_1_0, + SSL_LIBRARY_VERSION_DTLS_1_3); + + auto cookie_xtn_capture = + MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_cookie_xtn, true); + + StartConnect(); + client_->Handshake(); // Send initial ClientHello. + + // Inject HVR from server with a dummy cookie. + SendHelloVerifyRequest(server_); + + // Client sends second ClientHello in response to HVR. + client_->Handshake(); + + // Ensure the TLS 1.3 cookie extension is absent in CH2. + EXPECT_FALSE(cookie_xtn_capture->captured()) + << "TLS 1.3 cookie extension must NOT be included after " + "HelloVerifyRequest"; +} + TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) { const char* k0RttData = "Such is life"; const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData)); diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile @@ -215,8 +215,6 @@ else endif endif else - # -DMP_NO_MP_WORD - DEFINES += -DMP_IS_LITTLE_ENDIAN ifdef NS_USE_GCC # Ideally, we should use amd64 assembly code, but it's not yet mingw-w64 # compatible. @@ -253,7 +251,7 @@ endif ifeq ($(OS_TARGET),Darwin) ifeq ($(CPU_ARCH),x86_64) ASFILES = mpi_amd64_common.s - DEFINES += -DMPI_AMD64 -DMP_IS_LITTLE_ENDIAN + DEFINES += -DMPI_AMD64 DEFINES += -DMP_ASSEMBLY_MULTIPLY -DNSS_USE_COMBA MPI_SRCS += mpi_amd64.c mp_comba.c else ifeq ($(CPU_ARCH),x86) @@ -271,7 +269,6 @@ ifeq ($(CPU_ARCH),x86_64) ASFLAGS += -fPIC -Wa,--noexecstack DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY DEFINES += -DNSS_USE_COMBA - DEFINES += -DMP_IS_LITTLE_ENDIAN # DEFINES += -DMPI_AMD64_ADD # comment the next four lines to turn off Intel HW acceleration. DEFINES += -DUSE_HW_AES -DINTEL_GCM @@ -284,7 +281,6 @@ ifeq ($(CPU_ARCH),x86) ASFILES = mpi_x86.s DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT - DEFINES += -DMP_IS_LITTLE_ENDIAN endif ifeq ($(CPU_ARCH),arm) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE @@ -533,7 +529,7 @@ else # Intel acceleration for GCM does not build currently with Studio endif DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY - DEFINES += -DNSS_USE_COMBA -DMP_IS_LITTLE_ENDIAN + DEFINES += -DNSS_USE_COMBA # comment the next two lines to turn off Intel HW acceleration DEFINES += -DUSE_HW_AES ASFILES += intel-aes.s @@ -741,15 +737,6 @@ ifdef INTEL_GCM # GCM binary needs -mssse3 # $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3 - -# The integrated assembler in Clang 3.2 does not support % in the -# expression of a .set directive. intel-gcm.s uses .set to give -# symbolic names to registers, for example, -# .set Htbl, %rdi -# So we can't use Clang's integrated assembler with intel-gcm.s. -ifdef CC_IS_CLANG -$(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): CFLAGS += -no-integrated-as -endif endif ifdef INTEL_GCM_CLANG_CL diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp @@ -16,19 +16,6 @@ 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports' ], - 'conditions': [ - [ 'cc_is_clang==1 and force_integrated_as!=1', { - 'cflags': [ - '-no-integrated-as', - ], - 'cflags_mozilla': [ - '-no-integrated-as', - ], - 'asflags_mozilla': [ - '-no-integrated-as', - ], - }], - ], }, { 'target_name': 'intel-gcm-wrap_c_lib', @@ -36,9 +23,34 @@ 'sources': [ 'intel-gcm-wrap.c', ], + 'conditions': [ + [ '(OS=="linux" or OS=="android") and target_arch=="x64"', { + 'dependencies': [ + 'intel-gcm-s_lib', + ], + }], + ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports' ], + 'cflags': [ + '-mssse3', + ], + 'cflags_mozilla': [ + '-mssse3' + ], + # Remove FREEBL_NO_DEPEND so intel-gcm-wrap.c uses real NSS utility + # functions instead of stubs. This is needed for static builds. + 'defines!': [ + 'FREEBL_NO_DEPEND', + ], + }, + { + 'target_name': 'intel-gcm-wrap-nodepend_c_lib', + 'type': 'static_library', + 'sources': [ + 'intel-gcm-wrap.c', + ], 'conditions': [ [ '(OS=="linux" or OS=="android") and target_arch=="x64"', { 'dependencies': [ @@ -46,6 +58,9 @@ ], }], ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ], 'cflags': [ '-mssse3', ], @@ -313,11 +328,6 @@ '-maltivec' ], }], - [ 'ppc_abi==2', { - 'sources': [ - 'sha512-p8.s', - ], - }], ] }, { @@ -329,19 +339,6 @@ 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports' ], - 'conditions': [ - [ 'cc_is_clang==1 and force_integrated_as!=1', { - 'cflags': [ - '-no-integrated-as', - ], - 'cflags_mozilla': [ - '-no-integrated-as', - ], - 'asflags_mozilla': [ - '-no-integrated-as', - ], - }], - ], }, { 'target_name': 'ppc-gcm-wrap-nodepend_c_lib', @@ -369,7 +366,7 @@ ], }, { - 'target_name': 'gcm-sha512-nodepend-ppc_c_lib', + 'target_name': 'sha512-nodepend-ppc_c_lib', 'type': 'static_library', 'sources': [ 'sha512.c', @@ -378,6 +375,11 @@ '<(DEPTH)/exports.gyp:nss_exports' ], 'conditions': [ + [ 'ppc_abi==2', { + 'sources': [ + 'sha512-p8.s', + ], + }], [ 'disable_crypto_vsx==0', { 'cflags': [ '-mcrypto', @@ -408,7 +410,7 @@ ] }, { - 'target_name': 'gcm-sha512-ppc_c_lib', + 'target_name': 'sha512-ppc_c_lib', 'type': 'static_library', 'sources': [ 'sha512.c', @@ -417,6 +419,11 @@ '<(DEPTH)/exports.gyp:nss_exports' ], 'conditions': [ + [ 'ppc_abi==2', { + 'sources': [ + 'sha512-p8.s', + ], + }], [ 'disable_crypto_vsx==0', { 'cflags': [ '-mcrypto', @@ -518,8 +525,10 @@ [ 'target_arch=="ia32" or target_arch=="x64"', { 'dependencies': [ 'gcm-aes-x86_c_lib', + 'intel-gcm-wrap_c_lib', ], - }, '(disable_arm_hw_aes==0 or disable_arm_hw_sha1==0 or disable_arm_hw_sha2==0) and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', { + }], + [ '(disable_arm_hw_aes==0 or disable_arm_hw_sha1==0 or disable_arm_hw_sha2==0) and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', { 'dependencies': [ 'armv8_c_lib' ], @@ -547,24 +556,24 @@ [ 'disable_altivec==0 and target_arch=="ppc64"', { 'dependencies': [ 'gcm-aes-ppc_c_lib', - 'gcm-sha512-ppc_c_lib', + 'sha512-ppc_c_lib', ], }], [ 'disable_altivec==0 and target_arch=="ppc64le"', { 'dependencies': [ 'gcm-aes-ppc_c_lib', - 'gcm-sha512-ppc_c_lib', + 'sha512-ppc_c_lib', 'chacha20-ppc_lib', 'ppc-gcm-wrap_c_lib', ], }], [ 'disable_altivec==1 and (target_arch=="ppc64" or target_arch=="ppc64le")', { - 'defines!': [ + 'defines': [ 'NSS_DISABLE_ALTIVEC', ], }], [ 'disable_crypto_vsx==1 and (target_arch=="ppc" or target_arch=="ppc64" or target_arch=="ppc64le")', { - 'defines!': [ + 'defines': [ 'NSS_DISABLE_CRYPTO_VSX', ], }], @@ -572,20 +581,6 @@ 'defines!': [ 'FREEBL_NO_DEPEND', 'FREEBL_LOWHASH', - 'USE_HW_AES', - 'INTEL_GCM', - 'PPC_GCM', - ], - 'conditions': [ - [ 'target_arch=="x64"', { - # The AES assembler code doesn't work in static builds. - # The linker complains about non-relocatable code, and I - # currently don't know how to fix this properly. - 'sources!': [ - 'intel-aes.s', - 'intel-gcm.s', - ], - }], ], }], ], @@ -605,8 +600,10 @@ [ 'target_arch=="ia32" or target_arch=="x64"', { 'dependencies': [ 'gcm-aes-x86_c_lib', + 'intel-gcm-wrap-nodepend_c_lib', ] - }, 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', { + }], + [ 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', { 'dependencies': [ 'armv8_c_lib', ], @@ -636,24 +633,24 @@ [ 'target_arch=="ppc64"', { 'dependencies': [ 'gcm-aes-ppc_c_lib', - 'gcm-sha512-nodepend-ppc_c_lib', + 'sha512-nodepend-ppc_c_lib', ], }, 'target_arch=="ppc64le"', { 'dependencies': [ 'gcm-aes-ppc_c_lib', - 'gcm-sha512-nodepend-ppc_c_lib', + 'sha512-nodepend-ppc_c_lib', 'ppc-gcm-wrap-nodepend_c_lib', ], }], ], }], [ 'disable_altivec==1 and (target_arch=="ppc64" or target_arch=="ppc64le")', { - 'defines!': [ + 'defines': [ 'NSS_DISABLE_ALTIVEC', ], }], [ 'disable_crypto_vsx==1 and (target_arch=="ppc" or target_arch=="ppc64" or target_arch=="ppc64le")', { - 'defines!': [ + 'defines': [ 'NSS_DISABLE_CRYPTO_VSX', ], }], @@ -670,16 +667,6 @@ }], ], }], - [ '(OS=="linux" or OS=="android") and target_arch=="x64"', { - 'dependencies': [ - 'intel-gcm-wrap_c_lib', - ], - }], - [ 'OS=="win" and (target_arch=="ia32" or target_arch=="x64") and cc_is_clang==1', { - 'dependencies': [ - 'intel-gcm-wrap_c_lib', - ], - }], [ 'OS=="linux"', { 'sources': [ 'nsslowhash.c', @@ -808,7 +795,6 @@ #TODO: -Ox optimize flags 'PreprocessorDefinitions': [ # Should be copied to mingw defines below - 'MP_IS_LITTLE_ENDIAN', 'NSS_BEVAND_ARCFOUR', 'MPI_AMD64', 'MP_ASSEMBLY_MULTIPLY', @@ -839,12 +825,6 @@ 'USE_HW_SHA2', ], }], - [ 'cc_use_gnu_ld==1 and OS=="win" and target_arch=="x64"', { - # mingw x64 - 'defines': [ - 'MP_IS_LITTLE_ENDIAN', - ], - }], # Poly1305_256 requires the flag to run ['target_arch=="x64"', { 'defines':[ @@ -883,7 +863,6 @@ 'conditions': [ [ 'target_arch=="x64"', { 'defines': [ - 'MP_IS_LITTLE_ENDIAN', 'NSS_BEVAND_ARCFOUR', 'MPI_AMD64', 'MP_ASSEMBLY_MULTIPLY', @@ -898,7 +877,6 @@ }], [ 'target_arch=="ia32"', { 'defines': [ - 'MP_IS_LITTLE_ENDIAN', 'MP_ASSEMBLY_MULTIPLY', 'MP_ASSEMBLY_SQUARE', 'MP_ASSEMBLY_DIV_2DX1D', diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi @@ -83,19 +83,6 @@ 'mpi/mpi_amd64_common.S', 'mpi/mp_comba.c', ], - 'conditions': [ - [ 'cc_is_clang==1 and fuzz!=1 and coverage!=1 and force_integrated_as!=1', { - 'cflags': [ - '-no-integrated-as', - ], - 'cflags_mozilla': [ - '-no-integrated-as', - ], - 'asflags_mozilla': [ - '-no-integrated-as', - ], - }], - ], }], [ 'target_arch=="ia32"', { 'sources': [ @@ -232,7 +219,6 @@ 'mpi/mp_comba.c', ], 'defines': [ - 'MP_IS_LITTLE_ENDIAN', 'MPI_AMD64', 'MP_ASSEMBLY_MULTIPLY', 'NSS_USE_COMBA', diff --git a/security/nss/lib/freebl/intel-gcm.s b/security/nss/lib/freebl/intel-gcm.s @@ -5,6 +5,7 @@ ################################################################################ # Copyright(c) 2012, Intel Corp. +.section .rodata .align 16 .Lone: .quad 1,0 @@ -17,6 +18,7 @@ .Lpoly: .quad 0x1, 0xc200000000000000 +.section .text ################################################################################ # Generates the final GCM tag diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h @@ -74,6 +74,12 @@ enum class KeyPurposeId { id_kp_codeSigning = 3, // id-kp-codeSigning id_kp_emailProtection = 4, // id-kp-emailProtection id_kp_OCSPSigning = 9, // id-kp-OCSPSigning + // RFC 9336 - X.509 Certificate General-Purpose Extended Key Usage (EKU) for + // Document Signing + id_kp_documentSigning = 36, // id-kp-documentSigning + // Adobe Authentic Documents Trust (1.2.840.113583.1.1.5) + id_kp_documentSigningAdobe, + id_kp_documentSigningMicrosoft, }; struct CertPolicyId final { diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp @@ -746,6 +746,15 @@ MatchEKU(Reader& value, KeyPurposeId requiredEKU, static const uint8_t code [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 3 }; static const uint8_t email [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 4 }; static const uint8_t ocsp [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 9 }; + // RFC 9336 - X.509 Certificate General-Purpose Extended Key Usage (EKU) for + // Document Signing id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp 36 } + static const uint8_t documentSigning[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 36 }; + // 1.2.840.113583.1.1.5 (Adobe Authentic Documents Trust) + // {iso(1) member-body(2) us(840) adbe(113583) acrobat(1) security(1) 5} + static const uint8_t documentSigningAdobe[] = { (40*1)+2, 128+6, 72, 128+6, 128+119, 47, 1, 1, 5 }; + // 1.3.6.1.4.1.311.10.3.12 (Microsoft Document Signing OID) + // {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) 311 10 3 12} + static const uint8_t documentSigningMicrosoft[] = { (40*1)+3, 6, 1, 4, 1, 128+2, 55, 10, 3, 12 }; bool match = false; @@ -771,6 +780,18 @@ MatchEKU(Reader& value, KeyPurposeId requiredEKU, match = value.MatchRest(ocsp); break; + case KeyPurposeId::id_kp_documentSigning: + match = value.MatchRest(documentSigning); + break; + + case KeyPurposeId::id_kp_documentSigningAdobe: + match = value.MatchRest(documentSigningAdobe); + break; + + case KeyPurposeId::id_kp_documentSigningMicrosoft: + match = value.MatchRest(documentSigningMicrosoft); + break; + case KeyPurposeId::anyExtendedKeyUsage: return NotReached("anyExtendedKeyUsage should start with found==true", Result::FATAL_ERROR_LIBRARY_FAILURE); diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h @@ -22,9 +22,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.118" _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.119" _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 -#define NSS_VMINOR 118 +#define NSS_VMINOR 119 #define NSS_VPATCH 0 #define NSS_VBUILD 0 #define NSS_BETA PR_TRUE diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c @@ -979,6 +979,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type) case CKM_NSS_KYBER: case CKM_NSS_ML_KEM_KEY_PAIR_GEN: /* Bug 1893029 */ case CKM_NSS_ML_KEM: + case CKM_ML_KEM_KEY_PAIR_GEN: /* Bug 1893029 */ + case CKM_ML_KEM: return &pk11_ecSlotList; case CKM_SSL3_PRE_MASTER_KEY_GEN: case CKM_SSL3_MASTER_KEY_DERIVE: diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c @@ -1518,12 +1518,20 @@ SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx) if (safeContentsCtx) { nested = safeContentsCtx->nestedSafeContentsCtx; while (nested) { + if (nested->currentSafeBagA1Dcx) { + SEC_ASN1DecoderFinish(nested->currentSafeBagA1Dcx); + nested->currentSafeBagA1Dcx = NULL; + } if (nested->safeContentsA1Dcx) { SEC_ASN1DecoderFinish(nested->safeContentsA1Dcx); nested->safeContentsA1Dcx = NULL; } nested = nested->nestedSafeContentsCtx; } + if (safeContentsCtx->currentSafeBagA1Dcx) { + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + } if (safeContentsCtx->safeContentsA1Dcx) { SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx); safeContentsCtx->safeContentsA1Dcx = NULL; diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c @@ -66,6 +66,7 @@ sec_pkcs7_decoder_work_data(SEC_PKCS7DecoderContext *p7dcx, PRBool final) { unsigned char *buf = NULL; + PRBool freeBuf = PR_FALSE; SECStatus rv; int i; @@ -113,6 +114,7 @@ sec_pkcs7_decoder_work_data(SEC_PKCS7DecoderContext *p7dcx, if (p7dcx->cb != NULL) { buf = (unsigned char *)PORT_Alloc(buflen); + freeBuf = PR_TRUE; plain = NULL; } else { unsigned long oldlen; @@ -145,7 +147,7 @@ sec_pkcs7_decoder_work_data(SEC_PKCS7DecoderContext *p7dcx, data, inlen, final); if (rv != SECSuccess) { p7dcx->error = PORT_GetError(); - return; /* XXX indicate error? */ + goto cleanup; /* XXX indicate error? */ } if (plain != NULL) { PORT_Assert(final || outlen == buflen); @@ -170,10 +172,11 @@ sec_pkcs7_decoder_work_data(SEC_PKCS7DecoderContext *p7dcx, if (p7dcx->cb != NULL) { if (len) (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); - if (worker->decryptobj != NULL) { - PORT_Assert(buf != NULL); - PORT_Free(buf); - } + } + +cleanup: + if (freeBuf && buf != NULL) { + PORT_Free(buf); } } @@ -230,6 +233,8 @@ sec_pkcs7_decoder_start_digests(SEC_PKCS7DecoderContext *p7dcx, int depth, { int i, digcnt; + p7dcx->worker.digcnt = 0; + if (digestalgs == NULL) return SECSuccess; @@ -257,7 +262,6 @@ sec_pkcs7_decoder_start_digests(SEC_PKCS7DecoderContext *p7dcx, int depth, } p7dcx->worker.depth = depth; - p7dcx->worker.digcnt = 0; /* * Create a digest context for each algorithm. @@ -277,7 +281,6 @@ sec_pkcs7_decoder_start_digests(SEC_PKCS7DecoderContext *p7dcx, int depth, * but we cannot know that until later. */ if (digobj == NULL) { - p7dcx->worker.digcnt--; continue; } @@ -298,6 +301,27 @@ sec_pkcs7_decoder_start_digests(SEC_PKCS7DecoderContext *p7dcx, int depth, return SECSuccess; } +/* destroy any active digest contexts without harvesting results */ +static void +sec_pkcs7_decoder_abort_digests(struct sec_pkcs7_decoder_worker *worker) +{ + int i; + + if (!worker || worker->digcnt <= 0 || !worker->digcxs || !worker->digobjs) { + worker->digcnt = 0; + return; + } + + for (i = 0; i < worker->digcnt; i++) { + if (worker->digcxs[i] && worker->digobjs[i]) { + (*worker->digobjs[i]->destroy)(worker->digcxs[i], PR_TRUE); + } + worker->digcxs[i] = NULL; + } + + worker->digcnt = 0; +} + /* * Close out all of the digest contexts, storing the results in "digestsp". */ @@ -306,25 +330,19 @@ sec_pkcs7_decoder_finish_digests(SEC_PKCS7DecoderContext *p7dcx, PLArenaPool *poolp, SECItem ***digestsp) { - struct sec_pkcs7_decoder_worker *worker; - const SECHashObject *digobj; - void *digcx; - SECItem **digests, *digest; - int i; - void *mark; - /* * XXX Handling nested contents would mean that there is a chain * of workers -- one per each level of content. The following * would want to find the last worker in the chain. */ - worker = &(p7dcx->worker); + struct sec_pkcs7_decoder_worker *worker = &(p7dcx->worker); /* * If no digests, then we have nothing to do. */ - if (worker->digcnt == 0) + if (worker->digcnt == 0) { return SECSuccess; + } /* * No matter what happens after this, we want to stop filtering. @@ -340,46 +358,44 @@ sec_pkcs7_decoder_finish_digests(SEC_PKCS7DecoderContext *p7dcx, * was digested. */ if (!worker->saw_contents) { - for (i = 0; i < worker->digcnt; i++) { - digcx = worker->digcxs[i]; - digobj = worker->digobjs[i]; - (*digobj->destroy)(digcx, PR_TRUE); - } + sec_pkcs7_decoder_abort_digests(worker); return SECSuccess; } - mark = PORT_ArenaMark(poolp); + void *mark = PORT_ArenaMark(poolp); /* * Close out each digest context, saving digest away. */ - digests = - (SECItem **)PORT_ArenaAlloc(poolp, (worker->digcnt + 1) * sizeof(SECItem *)); - digest = (SECItem *)PORT_ArenaAlloc(poolp, worker->digcnt * sizeof(SECItem)); - if (digests == NULL || digest == NULL) { + SECItem **digests = + (SECItem **)PORT_ArenaZAlloc(poolp, (worker->digcnt + 1) * sizeof(SECItem *)); + if (digests == NULL) { p7dcx->error = PORT_GetError(); + sec_pkcs7_decoder_abort_digests(worker); PORT_ArenaRelease(poolp, mark); return SECFailure; } - for (i = 0; i < worker->digcnt; i++, digest++) { - digcx = worker->digcxs[i]; - digobj = worker->digobjs[i]; - - digest->data = (unsigned char *)PORT_ArenaAlloc(poolp, digobj->length); - if (digest->data == NULL) { + for (int i = 0; i < worker->digcnt; i++) { + const SECHashObject *digobj = worker->digobjs[i]; + digests[i] = SECITEM_AllocItem(poolp, NULL, digobj->length); + if (!digests[i]) { p7dcx->error = PORT_GetError(); + sec_pkcs7_decoder_abort_digests(worker); PORT_ArenaRelease(poolp, mark); return SECFailure; } + } - digest->len = digobj->length; - (*digobj->end)(digcx, digest->data, &(digest->len), digest->len); - (*digobj->destroy)(digcx, PR_TRUE); + for (int i = 0; i < worker->digcnt; i++) { + void *digcx = worker->digcxs[i]; + const SECHashObject *digobj = worker->digobjs[i]; - digests[i] = digest; + (*digobj->end)(digcx, digests[i]->data, &(digests[i]->len), digests[i]->len); + (*digobj->destroy)(digcx, PR_TRUE); + worker->digcxs[i] = NULL; } - digests[i] = NULL; + worker->digcnt = 0; *digestsp = digests; PORT_ArenaUnmark(poolp, mark); @@ -612,10 +628,13 @@ sec_pkcs7_decoder_finish_decrypt(SEC_PKCS7DecoderContext *p7dcx, sec_pkcs7_decoder_work_data(p7dcx, worker, NULL, 0, PR_TRUE); /* - * All done, destroy it. + * The callback invoked from work_data may have aborted and already + * torn down the decrypt context, so only destroy if it is still set. */ - sec_PKCS7DestroyDecryptObject(worker->decryptobj); - worker->decryptobj = NULL; + if (worker->decryptobj) { + sec_PKCS7DestroyDecryptObject(worker->decryptobj); + worker->decryptobj = NULL; + } return SECSuccess; } @@ -1053,6 +1072,11 @@ SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx, } if (p7dcx->error) { + sec_pkcs7_decoder_abort_digests(&p7dcx->worker); + if (p7dcx->worker.decryptobj) { + sec_PKCS7DestroyDecryptObject(p7dcx->worker.decryptobj); + p7dcx->worker.decryptobj = NULL; + } if (p7dcx->dcx != NULL) { (void)SEC_ASN1DecoderFinish(p7dcx->dcx); p7dcx->dcx = NULL; @@ -1073,6 +1097,7 @@ SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx) { SEC_PKCS7ContentInfo *cinfo; + sec_pkcs7_decoder_abort_digests(&p7dcx->worker); cinfo = p7dcx->cinfo; if (p7dcx->dcx != NULL) { if (SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess) { @@ -1083,7 +1108,9 @@ SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx) /* free any NSS data structures */ if (p7dcx->worker.decryptobj) { sec_PKCS7DestroyDecryptObject(p7dcx->worker.decryptobj); + p7dcx->worker.decryptobj = NULL; } + PORT_FreeArena(p7dcx->tmp_poolp, PR_FALSE); PORT_Free(p7dcx); return cinfo; @@ -1116,6 +1143,17 @@ void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error) { PORT_Assert(p7dcx); + if (!p7dcx) { + return; + } + + /* ensure any streaming helpers are torn down */ + sec_pkcs7_decoder_abort_digests(&p7dcx->worker); + if (p7dcx->worker.decryptobj) { + sec_PKCS7DestroyDecryptObject(p7dcx->worker.decryptobj); + p7dcx->worker.decryptobj = NULL; + } + SEC_ASN1DecoderAbort(p7dcx->dcx, error); } diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h @@ -17,9 +17,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.118" SOFTOKEN_ECC_STRING " Beta" +#define SOFTOKEN_VERSION "3.119" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 118 +#define SOFTOKEN_VMINOR 119 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_TRUE diff --git a/security/nss/lib/ssl/tls13exthandle.c b/security/nss/lib/ssl/tls13exthandle.c @@ -1069,8 +1069,13 @@ tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, { SECStatus rv; + /* Only send the TLS 1.3 Cookie extension in response to a + * HelloRetryRequest. If we are replying to a DTLS 1.2 + * HelloVerifyRequest, the cookie must be carried in the DTLS + * ClientHello cookie field, not as a TLS 1.3 extension. + */ if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || - !ss->ssl3.hs.cookie.len) { + !ss->ssl3.hs.cookie.len || !ss->ssl3.hs.helloRetry) { return SECSuccess; } diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h @@ -19,9 +19,9 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.118 Beta" +#define NSSUTIL_VERSION "3.119 Beta" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 118 +#define NSSUTIL_VMINOR 119 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_TRUE diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c @@ -2533,8 +2533,10 @@ sec_asn1d_before_choice(sec_asn1d_state *state) state->dest = (char *)dest + state->theTemplate->offset; } + char *dest = state->dest ? (char *)state->dest - state->theTemplate->offset : NULL; + child = sec_asn1d_push_state(state->top, state->theTemplate + 1, - (char *)state->dest - state->theTemplate->offset, + dest, PR_FALSE); if ((sec_asn1d_state *)NULL == child) { return (sec_asn1d_state *)NULL; @@ -2585,7 +2587,7 @@ sec_asn1d_during_choice(sec_asn1d_state *state) return NULL; } - dest = (char *)child->dest - child->theTemplate->offset; + dest = child->dest ? (char *)child->dest - child->theTemplate->offset : NULL; child->theTemplate++; if (0 == child->theTemplate->kind) { @@ -2594,7 +2596,7 @@ sec_asn1d_during_choice(sec_asn1d_state *state) state->top->status = decodeError; return (sec_asn1d_state *)NULL; } - child->dest = (char *)dest + child->theTemplate->offset; + child->dest = dest ? (char *)dest + child->theTemplate->offset : NULL; /* cargo'd from next_in_sequence innards */ if (state->pending) { diff --git a/security/nss/moz.yaml b/security/nss/moz.yaml @@ -9,8 +9,8 @@ origin: description: nss url: https://hg-edge.mozilla.org/projects/nss - release: cd2ce1a24014a9afaff0df7b484f6065d845de7a (2025-10-29T01:57:49Z). - revision: cd2ce1a24014a9afaff0df7b484f6065d845de7a + release: 28cc2eb89479695ce2b2cb0933dccaae85887697 (2025-11-24T20:15:29Z). + revision: 28cc2eb89479695ce2b2cb0933dccaae85887697 license: MPL-2.0 license-file: COPYING diff --git a/security/nss/taskcluster/docker/builds/Dockerfile b/security/nss/taskcluster/docker/builds/Dockerfile @@ -11,7 +11,6 @@ VOLUME /builds/worker/.cache ADD bionic.list /etc/apt/sources.list.d/bionic.list RUN apt-get update \ && apt-get install -y --no-install-recommends \ - clang-4.0 \ clang-10 \ clang-18 \ cmake \ diff --git a/security/nss/taskcluster/docker/tlsinterop/Dockerfile b/security/nss/taskcluster/docker/tlsinterop/Dockerfile @@ -0,0 +1,76 @@ +# Lean image for running the bulk of the NSS CI tests on taskcluster. +FROM ubuntu:jammy + +VOLUME /builds/worker/checkouts +VOLUME /builds/worker/.cache +VOLUME /builds/worker/workspace + +# %include-run-task + +ENV DEBIAN_FRONTEND noninteractive +RUN dpkg --add-architecture i386 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + build-essential \ + ca-certificates \ + clang \ + curl \ + g++-multilib \ + git \ + gyp \ + libxml2-utils \ + lib32z1-dev \ + linux-libc-dev:i386 \ + llvm-dev \ + locales \ + mercurial \ + ninja-build \ + pkg-config \ + sqlite3 \ + zlib1g-dev \ + python3 \ + python3-pip \ + rsync \ + iproute2 \ + libnss3-tools \ + expect \ + gnutls-bin \ + crypto-policies \ + && rm -rf /var/lib/apt/lists/* \ + && apt-get autoremove -y && apt-get clean -y + +ENV SHELL /bin/bash +ENV USER worker +ENV LOGNAME $USER +ENV HOME /builds/worker +ENV LANG en_US.UTF-8 +ENV LC_ALL $LANG +ENV HOST localhost +ENV DOMSUF localdomain + +RUN locale-gen $LANG \ + && dpkg-reconfigure locales + +RUN useradd -d $HOME -s $SHELL -m $USER && \ + mkdir -p /builds/worker/workspace && \ + mkdir -p /builds/worker/artifacts && \ + chown -R $USER /builds/worker && \ + pip install tmt && \ + echo '#!/bin/bash\n\nexit 0' >/usr/bin/fakedora && \ + chmod +x /usr/bin/fakedora && \ + ln -s /usr/bin/fakedora /usr/bin/rpm && \ + ln -s /usr/bin/fakedora /usr/bin/dnf && \ + ln -s /usr/bin/fakedora /usr/local/bin/rhts-report-result && \ + ln -s /usr/bin/fakedora /usr/local/bin/tmt-file-submit && \ + ln -s /usr/bin/python3 /usr/bin/python && \ + update-crypto-policies --set DEFAULT && \ + cd $HOME && \ + curl -L -o beakerlib.tgz 'https://github.com/beakerlib/beakerlib/archive/refs/tags/1.31.4.tar.gz' && \ + tar xf beakerlib.tgz && \ + cd beakerlib-* && \ + make install && \ + echo done +WORKDIR $HOME + +# Set a default command for debugging. +CMD ["/bin/bash", "--login"] diff --git a/security/nss/taskcluster/kinds/docker-image/kind.yml b/security/nss/taskcluster/kinds/docker-image/kind.yml @@ -25,3 +25,6 @@ tasks: parent: base fuzz: symbol: I(fuzz) + tlsinterop: + symbol: I(tlsinterop) + parent: base diff --git a/security/nss/taskcluster/kinds/test/kind.yml b/security/nss/taskcluster/kinds/test/kind.yml @@ -139,6 +139,58 @@ tasks: treeherder: symbol: tlsfuzzer + tlsinterop-gnutls: + description: tlsinterop-gnutls tests + from-deps: + kinds: + - build + with-attributes: + build_platform: + - linux64 + - linux64-make + build_type: + - opt + - opt-make + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + fuzz: [false] + worker: + docker-image: {in-tree: tlsinterop} + env: + TC_PARENT_TASK_ID: {task-reference: "<build>"} + NSS_CYCLES: standard + NSS_TESTS: tlsinterop-gnutls + treeherder: + symbol: tlsinterop-gnutls + + tlsinterop-openssl: + description: tlsinterop-openssl tests + from-deps: + kinds: + - build + with-attributes: + build_platform: + - linux64 + - linux64-make + build_type: + - opt + - opt-make + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + fuzz: [false] + worker: + docker-image: {in-tree: tlsinterop} + env: + TC_PARENT_TASK_ID: {task-reference: "<build>"} + NSS_CYCLES: standard + NSS_TESTS: tlsinterop-openssl + treeherder: + symbol: tlsinterop-openssl + mpi: description: MPI tests treeherder: diff --git a/security/nss/taskcluster/nss_taskgraph/transforms/build.py b/security/nss/taskcluster/nss_taskgraph/transforms/build.py @@ -27,7 +27,6 @@ def set_build_attributes(config, jobs): EXTRA_COMPILERS = { - "clang-4": {"CC": "clang-4.0", "CCC": "clang++-4.0"}, "clang-10": {"CC": "clang-10", "CCC": "clang++-10"}, "clang-18": {"CC": "clang-18", "CCC": "clang++-18"}, # gcc-4.6 introduced nullptr. diff --git a/security/nss/tests/tlsinterop-gnutls/tlsinterop-gnutls.sh b/security/nss/tests/tlsinterop-gnutls/tlsinterop-gnutls.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/tlsinterop/tlsinterop-openssl.sh +# +# Script to drive openssl tls interop tests +# +######################################################################## + +echo "PATH: $(pwd)" +cd $(dirname $0)/../tlsinterop +source tlsinterop.sh + +tlsinterop_init +tlsinterop_run_tests "gnutls" +tlsinterop_cleanup diff --git a/security/nss/tests/tlsinterop-openssl/tlsinterop-openssl.sh b/security/nss/tests/tlsinterop-openssl/tlsinterop-openssl.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/tlsinterop/tlsinterop-openssl.sh +# +# Script to drive openssl tls interop tests +# +######################################################################## + +echo "PATH: $(pwd)" +cd $(dirname $0)/../tlsinterop +source tlsinterop.sh + +tlsinterop_init +tlsinterop_run_tests "openssl" +tlsinterop_cleanup diff --git a/security/nss/tests/tlsinterop/tlsinterop.sh b/security/nss/tests/tlsinterop/tlsinterop.sh @@ -0,0 +1,66 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/tlsinterop/tlsinterop.sh +# +# Script to drive the tls interop tests +# +######################################################################## + +tlsinterop_init() +{ + SCRIPTNAME="tlsinterop.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + + gnutls-cli --version + openssl version + + export PATH=$BINDIR:$PATH + export SERVER_UTIL=${BINDIR}/selfserv + export CLIENT_UTIL=${BINDIR}/tstclnt + export STRSCLNT_UTIL=${BINDIR}/strsclnt + + cd ${HOSTDIR} + TLSINTEROP=${TLSINTEROP:=tlsinterop} + REF="8c2eff51a86fadec3141f199b32763dd99bfb226" + if [ ! -d "$TLSINTEROP" ]; then + ${QADIR}/../fuzz/config/git-copy.sh https://gitlab.com/redhat-crypto/tests/interop/ $REF "$TLSINTEROP" + fi + + cd ${HOSTDIR}/${TLSINTEROP} + echo "list tests" + tmt tests ls -f 'tag:interop-nss' -f 'tag:-interop-nss-broken' + echo "discover tests" + tmt run plan -n interop tests -f 'tag:interop-nss' -f 'tag:-interop-nss-broken' discover -v + + html_head "tlsinterop test" +} + +tlsinterop_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +tlsinterop_run_tests() +{ + extra_arg="" + if [[ -n $1 ]]; then + extra_arg="-f 'tag:interop-$1'" + fi + cd ${HOSTDIR}/${TLSINTEROP} + eval tmt tests ls -f 'tag:interop-nss' -f 'tag:-interop-nss-broken' $extra_arg + for t in $(eval tmt tests ls -f 'tag:interop-nss' -f 'tag:-interop-nss-broken' $extra_arg); do + tmt run -av plans -n interop provision -h local --feeling-safe execute -h tmt --interactive tests -n "$t" + html_msg $? 0 "tlsinterop" "$t" + done +} +