tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

pkcs12policy.txt (6681B)

      1 # This Source Code Form is subject to the terms of the Mozilla Public
      2 # License: v. 2.0. If a copy of the MPL was not distributed with this
      3 # file: You can obtain one at http://mozilla.org/MPL/2.0/.
      4 #
      5 # This file enables policy testing
      6 #
      7 # The policy string is set to the config= line in the pkcs11.txt
      8 # it currently has 2 keywords:
      9 #
     10 # disallow= turn off the use of this algorithm by policy. (implies disable)
     11 # allow= allow this algorithm to by used if selected by policy.
     12 # disable= turn off the use of this algorithm even if allowed by policy
     13 #          (application can override)
     14 # enable= turn off this algorithm by default (implies allow)
     15 # flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy:
     16 #  NSS_SetOption: or SSL_SetCipherPolicy
     17 #        ssl-lock: can't change the cipher suite settings with the application.
     18 #
     19 # The syntax is disallow=algorithm{/uses}:algorithm{/uses}
     20 # where {} signifies an optional element
     21 #
     22 # Signatures:
     23 #	DSA
     24 #	RSA-PKCS
     25 #	RSA-PSS
     26 #       ECDSA
     27 # Hashes:
     28 #	MD2
     29 #	MD4
     30 #	MD5
     31 #	SHA1
     32 #	SHA224
     33 #	SHA256
     34 #	SHA384
     35 #	SHA512
     36 #	SHA3_224
     37 #	SHA3_256
     38 #	SHA3_384
     39 #	SHA3_512
     40 # Ciphers:
     41 #	AES128-CBC
     42 #	AES192-CBC
     43 #	AES256-CBC
     44 #	CAMELLIA128-CBC
     45 #	CAMELLIA192-CBC
     46 #	CAMELLIA256-CBC
     47 #	SEED-CBC
     48 #	DES-EDE3-CBC
     49 #	RC2-40-CBC
     50 #	RC2-64-CBC
     51 #	RC2-128-CBC
     52 # Key exchange
     53 #	RSA-PKCS
     54 #	RSA-OAEP
     55 #	DH
     56 #	ECDH
     57 # Include all of the above:
     58 #       ALL
     59 #-----------------------------------------------
     60 # Uses are:
     61 #    pkcs12
     62 #    pkcs12-legacy
     63 #    legacy
     64 #    all (includes all of the above)
     65 #
     66 # error codes from pk12util:
     67 #
     68 # KEY-ENCRYPT-FAILED       28 (PK12UERR_ADDCERTKEY)
     69 # CERT-ENCRYPT-FAILED      27 (PK12UERR_CERTKEYSAFE)
     70 # INTEGRITY-ENCRYPT_FAILED 29 (PK12UERR_ENCODE)
     71 # KEY-DECRYPT-FAILED       19 (PK12UERR_DECODEIMPTBAGS)
     72 # CERT-DECRYPT-FAILED      18 (PK12UERR_DECODEVALIBAGS)
     73 # INTEGRITY-DECRYPT_FAILED 17 (PK12UERR_DECODEVERIFY)
     74 #
     75 # NOTE: pk12util has historically had problems distinguishing between
     76 # CERT-DECRYPT-FAILED and INTEGRITY-DECRYPT_FAILED until it's actually sorted,
     77 # some tests failure codes may change as pk12util gets improved.
     78 #
     79 # The tests below uses the error codes when if forces policy failures
     80 # on particular operations.
     81 #
     82 #exp imp exp_policy imp_policy key_cipher cert_cipher  hash Test Name
     83  0  0 allow=tls  allow=tls AES-128-CBC AES-128-CBC SHA-256  Use default policy and enable
     84  0  0 allow=all  allow=all AES-128-CBC AES-128-CBC SHA-256  allow all
     85 27  x disallow=all_allow=all/legacy disallow_all_allow=all/legacy AES-128-CBC AES-128-CBC SHA-256  Only allow legacy read (write)
     86  0  0 allow=all  disallow=all_allow=all/legacy AES-128-CBC AES-128-CBC SHA-256  Only allow legacy read (read)
     87 28  x disallow=aes128-cbc disallow_all_allow=all/legacy AES-128-CBC AES-256-CBC SHA-256  Disallow AES-128-CBC, key_encrypt=AES-128-CBC (write)
     88  0 19 allow=all disallow=aes128-cbc AES-128-CBC AES-256-CBC SHA-256 Disallow AES-128-CBC, key_decrypt=AES-128-CBC (read)
     89 27  x disallow=aes128-cbc disallow_all_allow=all/legacy AES-256-CBC AES-128-CBC SHA-256  Disallow AES-128-CBC, cert_encrypt=AES-128-CBC (write cert)
     90  0 17 allow=all disallow=aes128-cbc AES-256-CBC AES-128-CBC SHA-256 Disallow AES-128-CBC, cert_decrypt=AES-128-CBC (read cert)
     91  0  0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  allow all, RC4 and RC2
     92 28  x disallow=rc4 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  disallow rc4 (write), RC4 and RC2
     93 27  x disallow=rc2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  disallow rc2 (write), RC4 and RC2
     94  0 19 allow_all disallow=rc4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  disallow rc4 (read), RC4 and RC2
     95  0 17 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  disallow rc2 (read), RC4 and RC2
     96 # integrity policy check the various has based controls.
     97 #  NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
     98 # (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
     99 # encryption side. These tests purposefully tests that the default fails to encrypt
    100 # but succeeds when decrypting.
    101 27  x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
    102  0  0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
    103  0  0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
    104 28  x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
    105 27  x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
    106 29  x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
    107  0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
    108  0 17 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
    109  0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
    110  0  0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
    111  0  0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
    112  0  0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
    113  0  0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 Allow all with hmac
    114 29  x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 Disallow hmac on write
    115  0 17 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256 Disallow hmac on read