From b397b75d49db00ef58e0cc4a3a456aa7d68d06fb Mon Sep 17 00:00:00 2001 
From: Daniel Gustafsson Date: Sat, 29 Aug 2020 01:24:10 +0200 Subject: [PATCH] Support for NSS as a TLS backend v10 Daniel Gustafsson, Andrew Dunstan --- configure | 211 ++++ configure.ac | 30 + contrib/Makefile | 2 +- .../postgres_fdw/expected/postgres_fdw.out | 2 +- contrib/sslinfo/sslinfo.c | 164 ++- doc/src/sgml/acronyms.sgml | 43 + doc/src/sgml/config.sgml | 21 +- doc/src/sgml/installation.sgml | 30 +- doc/src/sgml/libpq.sgml | 25 +- doc/src/sgml/runtime.sgml | 78 +- doc/src/sgml/sslinfo.sgml | 14 +- src/Makefile.global.in | 10 + src/backend/libpq/Makefile | 4 + src/backend/libpq/auth.c | 7 + src/backend/libpq/be-secure-nss.c | 1038 +++++++++++++++++ src/backend/libpq/be-secure-openssl.c | 16 +- src/backend/libpq/be-secure.c | 3 + src/backend/utils/misc/guc.c | 20 +- src/include/common/pg_nss.h | 141 +++ src/include/libpq/libpq-be.h | 9 +- src/include/libpq/libpq.h | 3 + src/include/pg_config.h.in | 3 + src/include/pg_config_manual.h | 5 +- src/interfaces/libpq/Makefile | 4 + src/interfaces/libpq/fe-connect.c | 4 + src/interfaces/libpq/fe-secure-nss.c | 984 ++++++++++++++++ src/interfaces/libpq/fe-secure.c | 5 +- src/interfaces/libpq/libpq-fe.h | 11 + src/interfaces/libpq/libpq-int.h | 5 + src/test/Makefile | 2 +- src/test/ssl/Makefile | 172 +++ .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/client-encrypted-pem.pfx | Bin 0 -> 3149 bytes .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/client-revoked.pfx | Bin 0 -> 3149 bytes src/test/ssl/ssl/nss/client.crl | Bin 0 -> 418 bytes ...ient.crt__client-encrypted-pem.key.db.pass | 1 + .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../nss/client.crt__client.key.db/cert9.db | Bin 0 -> 36864 bytes .../ssl/nss/client.crt__client.key.db/key4.db | Bin 0 -> 45056 bytes .../nss/client.crt__client.key.db/pkcs11.txt | 5 + src/test/ssl/ssl/nss/client.pfx 
| Bin 0 -> 3149 bytes .../ssl/ssl/nss/client_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes src/test/ssl/ssl/nss/client_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/ssl/nss/client_ca.crt.db/pkcs11.txt | 5 + src/test/ssl/ssl/nss/root+client.crl | Bin 0 -> 393 bytes .../ssl/nss/root+client_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes .../ssl/ssl/nss/root+client_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/nss/root+client_ca.crt.db/pkcs11.txt | 5 + .../ssl/nss/root+server_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes .../ssl/ssl/nss/root+server_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/nss/root+server_ca.crt.db/pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 28672 bytes .../root+server_ca.crt__server.crl.db/key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/root.crl | Bin 0 -> 393 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-cn-and-alt-names.pfx | Bin 0 -> 3349 bytes .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-cn-only.pfx | Bin 0 -> 3197 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-multiple-alt-names.pfx | Bin 0 -> 3325 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-no-names.pfx | Bin 0 -> 3109 bytes src/test/ssl/ssl/nss/server-password.pfx | Bin 0 -> 3197 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-revoked.pfx | Bin 0 -> 3181 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-single-alt-name.pfx | Bin 0 -> 3213 bytes 
src/test/ssl/ssl/nss/server.crl | Bin 0 -> 418 bytes .../ssl/ssl/nss/server_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes src/test/ssl/ssl/nss/server_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/ssl/nss/server_ca.crt.db/pkcs11.txt | 5 + src/test/ssl/t/001_ssltests.pl | 289 ++--- src/test/ssl/t/002_scram.pl | 4 +- src/test/ssl/t/SSL/Backend/NSS.pm | 64 + src/test/ssl/t/SSL/Backend/OpenSSL.pm | 103 ++ .../ssl/t/{SSLServer.pm => SSL/Server.pm} | 80 +- src/tools/msvc/Install.pm | 3 +- src/tools/msvc/Mkvcbuild.pm | 29 +- src/tools/msvc/Solution.pm | 20 + src/tools/msvc/config_default.pl | 1 + 106 files changed, 3479 insertions(+), 266 deletions(-) create mode 100644 src/backend/libpq/be-secure-nss.c create mode 100644 src/include/common/pg_nss.h create mode 100644 src/interfaces/libpq/fe-secure-nss.c create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client-encrypted-pem.pfx create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client-revoked.pfx create mode 100644 src/test/ssl/ssl/nss/client.crl create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db create mode 100644 
src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client.pfx create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+client.crl create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root.crl create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db create mode 100644 
src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-only.pfx create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-no-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-password.pfx create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-revoked.pfx create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt create mode 100644 
src/test/ssl/ssl/nss/server-single-alt-name.pfx create mode 100644 src/test/ssl/ssl/nss/server.crl create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/t/SSL/Backend/NSS.pm create mode 100644 src/test/ssl/t/SSL/Backend/OpenSSL.pm rename src/test/ssl/t/{SSLServer.pm => SSL/Server.pm} (78%) diff --git a/configure b/configure index 19a3cd09a0..55ba9526df 100755 --- a/configure +++ b/configure @@ -711,6 +711,7 @@ with_uuid with_readline with_systemd with_selinux +with_nss with_openssl with_ldap with_krb_srvnam @@ -857,6 +858,7 @@ with_bsd_auth with_ldap with_bonjour with_openssl +with_nss with_selinux with_systemd with_readline @@ -1559,6 +1561,7 @@ Optional Packages: --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support + --with-nss build with NSS support --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing @@ -8106,6 +8109,41 @@ fi $as_echo "$with_openssl" >&6; } +# +# LibNSS +# +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with NSS support" >&5 +$as_echo_n "checking whether to build with NSS support... " >&6; } + + + +# Check whether --with-nss was given. +if test "${with_nss+set}" = set; then : + withval=$with_nss; + case $withval in + yes) + +$as_echo "#define USE_NSS 1" >>confdefs.h + + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-nss option" "$LINENO" 5 + ;; + esac + +else + with_nss=no + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_nss" >&5 +$as_echo "$with_nss" >&6; } + + # # SELinux # 
@@ -12180,6 +12218,9 @@ fi fi if test "$with_openssl" = yes ; then + if test x"$with_nss" = x"yes" ; then + as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5 + fi # Minimum required OpenSSL version is 1.0.1 $as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h 
@@ -12442,6 +12483,157 @@ done fi +if test "$with_nss" = yes ; then + if test x"$with_openssl" = x"yes" ; then + as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5 + fi + CLEANLDFLAGS="$LDFLAGS" + # TODO: document this set of LDFLAGS + LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 +$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; } +if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnss3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char SSL_VersionRangeSet (); +int +main () +{ +return SSL_VersionRangeSet (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nss3_SSL_VersionRangeSet=yes +else + ac_cv_lib_nss3_SSL_VersionRangeSet=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 +$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } +if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSS3 1 +_ACEOF + + LIBS="-lnss3 $LIBS" + +else + as_fn_error $? "library 'nss3' is required for NSS" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PR_GetDefaultIOMethods in -lnspr4" >&5 +$as_echo_n "checking for PR_GetDefaultIOMethods in -lnspr4... 
" >&6; } +if ${ac_cv_lib_nspr4_PR_GetDefaultIOMethods+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnspr4 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char PR_GetDefaultIOMethods (); +int +main () +{ +return PR_GetDefaultIOMethods (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nspr4_PR_GetDefaultIOMethods=yes +else + ac_cv_lib_nspr4_PR_GetDefaultIOMethods=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&5 +$as_echo "$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&6; } +if test "x$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSPR4 1 +_ACEOF + + LIBS="-lnspr4 $LIBS" + +else + as_fn_error $? "library 'nspr4' is required for NSS" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_GetImplementedCiphers in -lssl3" >&5 +$as_echo_n "checking for SSL_GetImplementedCiphers in -lssl3... " >&6; } +if ${ac_cv_lib_ssl3_SSL_GetImplementedCiphers+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char SSL_GetImplementedCiphers (); +int +main () +{ +return SSL_GetImplementedCiphers (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl3_SSL_GetImplementedCiphers=yes +else + ac_cv_lib_ssl3_SSL_GetImplementedCiphers=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&5 +$as_echo "$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&6; } +if test "x$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSSL3 1 +_ACEOF + + LIBS="-lssl3 $LIBS" + +else + as_fn_error $? "library 'ssl3' is required for NSS" "$LINENO" 5 +fi + + LDFLAGS="$CLEANLDFLAGS" +fi + if test "$with_pam" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 $as_echo_n "checking for pam_start in -lpam... " >&6; } @@ -13344,6 +13536,25 @@ else fi +fi + +if test "$with_nss" = yes ; then + ac_fn_c_check_header_mongrel "$LINENO" "ssl.h" "ac_cv_header_ssl_h" "$ac_includes_default" +if test "x$ac_cv_header_ssl_h" = xyes; then : + +else + as_fn_error $? "header file is required for NSS" "$LINENO" 5 +fi + + + ac_fn_c_check_header_mongrel "$LINENO" "nss.h" "ac_cv_header_nss_h" "$ac_includes_default" +if test "x$ac_cv_header_nss_h" = xyes; then : + +else + as_fn_error $? "header file is required for NSS" "$LINENO" 5 +fi + + fi if test "$with_pam" = yes ; then diff --git a/configure.ac b/configure.ac index 6b9d0487a8..970bebb24a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -861,6 +861,15 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support], AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) +# +# LibNSS +# +AC_MSG_CHECKING([whether to build with NSS support]) +PGAC_ARG_BOOL(with, nss, no, [build with NSS support], + [AC_DEFINE([USE_NSS], 1, [Define to build with NSS support. (--with-nss)])]) +AC_MSG_RESULT([$with_nss]) +AC_SUBST(with_nss) + # # SELinux # @@ -1210,6 +1219,9 @@ if test "$with_gssapi" = yes ; then fi if test "$with_openssl" = yes ; then + if test x"$with_nss" = x"yes" ; then + AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"]) + fi dnl Order matters! # Minimum required OpenSSL version is 1.0.1 AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L], @@ -1235,6 +1247,19 @@ if test "$with_openssl" = yes ; then AC_CHECK_FUNCS([CRYPTO_lock]) fi +if test "$with_nss" = yes ; then + if test x"$with_openssl" = x"yes" ; then + AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"]) + fi + CLEANLDFLAGS="$LDFLAGS" + # TODO: document this set of LDFLAGS + LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS" + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])]) + AC_CHECK_LIB(nspr4, PR_GetDefaultIOMethods, [], [AC_MSG_ERROR([library 'nspr4' is required for NSS])]) + AC_CHECK_LIB(ssl3, SSL_GetImplementedCiphers, [], [AC_MSG_ERROR([library 'ssl3' is required for NSS])]) + LDFLAGS="$CLEANLDFLAGS" +fi + if test "$with_pam" = yes ; then AC_CHECK_LIB(pam, pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])]) fi 
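Review bot: The temporary `LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS"` makes each of the three AC_CHECK_LIB probes link against all six libraries at once, so no probe can fail on its own library; as far as I recall `SSL_VersionRangeSet` is exported by libssl3 rather than libnss3, which means the `nss3` check only passes because of that prepend, and the `# TODO: document this set of LDFLAGS` is a sign the list was arrived at by trial. Prefer `PKG_CHECK_MODULES([NSS], [nss])`, whose nss.pc already carries the NSPR dependencies and the include path, followed by a single link probe against `$NSS_LIBS`. The OpenSSL branch just above pins a minimum 1.0.1, but nothing here enforces a minimum NSS release; a version floor in the pkg-config spec would stop builds against NSS versions that lack the APIs the new backend calls. Separately, both new AC_MSG_ERROR calls carry a stray quote: `multiple SSL backends cannot be enabled simultaneously"]` should read `multiple SSL backends cannot be enabled simultaneously])`.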
@@ -1410,6 +1435,11 @@ if test "$with_openssl" = yes ; then AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) fi +if test "$with_nss" = yes ; then + AC_CHECK_HEADER(ssl.h, [], [AC_MSG_ERROR([header file is required for NSS])]) + AC_CHECK_HEADER(nss.h, [], [AC_MSG_ERROR([header file is required for NSS])]) +fi + if test "$with_pam" = yes ; then AC_CHECK_HEADERS(security/pam_appl.h, [], [AC_CHECK_HEADERS(pam/pam_appl.h, [], diff --git a/contrib/Makefile b/contrib/Makefile index c8d2a16273..57fa998526 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -51,7 +51,7 @@ SUBDIRS = \ unaccent \ vacuumlo -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),yes) SUBDIRS += sslinfo else ALWAYS_SUBDIRS += sslinfo diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out index 84bc0ee381..c3693283d2 100644 --- a/contrib/postgres_fdw/expected/postgres_fdw.out +++ b/contrib/postgres_fdw/expected/postgres_fdw.out 
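Review bot: `AC_CHECK_HEADER(ssl.h, ...)` and `AC_CHECK_HEADER(nss.h, ...)` probe unqualified names, but NSS normally installs its headers under a versioned subdirectory (typically `nss3/` or `nss/`) that is only on the include path if CPPFLAGS was set by hand; none of the visible hunks add it, so a default build fails here or, worse, picks up an unrelated `ssl.h` that happens to be on the path. Take the include directory from `pkg-config --cflags nss`, and name the file in each error so the two identical `header file is required for NSS` messages become diagnosable, e.g. `AC_CHECK_HEADER(nss.h, [], [AC_MSG_ERROR([header file <nss.h> is required for NSS])])`.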
@@ -8919,7 +8919,7 @@ DO $d$ END; $d$; ERROR: invalid option "password" -HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size +HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, cert_database, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size CONTEXT: SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')" PL/pgSQL function inline_code_block line 3 at EXECUTE -- If we add a password for our user mapping instead, we should get a different diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c index 5ba3988e27..84bb2c65b8 100644 --- a/contrib/sslinfo/sslinfo.c +++ b/contrib/sslinfo/sslinfo.c @@ -9,9 +9,11 @@ #include "postgres.h" +#ifdef USE_OPENSSL #include #include #include +#endif #include "access/htup_details.h" #include "funcapi.h" @@ -21,8 +23,8 @@ PG_MODULE_MAGIC; +#ifdef USE_OPENSSL static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName); -static Datum X509_NAME_to_text(X509_NAME *name); static Datum ASN1_STRING_to_text(ASN1_STRING *str); /* 
@@ -32,6 +34,7 @@ typedef struct { TupleDesc tupdesc; } SSLExtensionInfoContext; +#endif /* * Indicates whether current session uses SSL @@ -54,9 +57,16 @@ PG_FUNCTION_INFO_V1(ssl_version); Datum ssl_version(PG_FUNCTION_ARGS) { - if (MyProcPort->ssl == NULL) + const char *version; + + if (!MyProcPort->ssl_in_use) + PG_RETURN_NULL(); + + version = be_tls_get_version(MyProcPort); + if (version == NULL) PG_RETURN_NULL(); - PG_RETURN_TEXT_P(cstring_to_text(SSL_get_version(MyProcPort->ssl))); + + PG_RETURN_TEXT_P(cstring_to_text(version)); } @@ -67,9 +77,16 @@ PG_FUNCTION_INFO_V1(ssl_cipher); Datum ssl_cipher(PG_FUNCTION_ARGS) { - if (MyProcPort->ssl == NULL) + const char *cipher; + + if (!MyProcPort->ssl_in_use) PG_RETURN_NULL(); - PG_RETURN_TEXT_P(cstring_to_text(SSL_get_cipher(MyProcPort->ssl))); + + cipher = be_tls_get_cipher(MyProcPort); + if (cipher == NULL) + PG_RETURN_NULL(); + + PG_RETURN_TEXT_P(cstring_to_text(cipher)); } @@ -83,7 +100,7 @@ PG_FUNCTION_INFO_V1(ssl_client_cert_present); Datum ssl_client_cert_present(PG_FUNCTION_ARGS) { - PG_RETURN_BOOL(MyProcPort->peer != NULL); + PG_RETURN_BOOL(MyProcPort->peer_cert_valid); } @@ -99,29 +116,26 @@ PG_FUNCTION_INFO_V1(ssl_client_serial); Datum ssl_client_serial(PG_FUNCTION_ARGS) { + char decimal[NAMEDATALEN]; Datum result; - Port *port = MyProcPort; - X509 *peer = port->peer; - ASN1_INTEGER *serial = NULL; - BIGNUM *b; - char *decimal; - if (!peer) + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN); + + if (!*decimal) PG_RETURN_NULL(); - serial = X509_get_serialNumber(peer); - b = ASN1_INTEGER_to_BN(serial, NULL); - decimal = BN_bn2dec(b); - BN_free(b); result = DirectFunctionCall3(numeric_in, CStringGetDatum(decimal), ObjectIdGetDatum(0), Int32GetDatum(-1)); - OPENSSL_free(decimal); return result; } +#ifdef USE_OPENSSL /* * Converts OpenSSL ASN1_STRING structure into text * 
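Review bot: In `ssl_client_serial` the new `char decimal[NAMEDATALEN]` is left uninitialized before `be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN)`, and the only failure signal examined afterwards is `if (!*decimal)`; unless the helper guarantees a terminator on every error path (its definition is not in this patch), that test reads stale stack bytes and may hand them to `numeric_in`. Set `decimal[0] = '\0';` before the call, or better, have the helper return a boolean and test that instead. The size itself is fine, since RFC 5280's 20-octet serial limit is at most 49 decimal digits, but a one-line comment saying so would keep a later reader from shrinking the buffer.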
@@ -228,7 +242,7 @@ ssl_client_dn_field(PG_FUNCTION_ARGS) text *fieldname = PG_GETARG_TEXT_PP(0); Datum result; - if (!(MyProcPort->peer)) + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) PG_RETURN_NULL(); result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname); 
@@ -273,76 +287,23 @@ ssl_issuer_field(PG_FUNCTION_ARGS) else return result; } +#endif /* USE_OPENSSL */ - -/* - * Equivalent of X509_NAME_oneline that respects encoding - * - * This function converts X509_NAME structure to the text variable - * converting all textual data into current database encoding. - * - * Parameter: X509_NAME *name X509_NAME structure to be converted - * - * Returns: text datum which contains string representation of - * X509_NAME - */ -static Datum -X509_NAME_to_text(X509_NAME *name) +#ifdef USE_NSS +PG_FUNCTION_INFO_V1(ssl_client_dn_field); +Datum +ssl_client_dn_field(PG_FUNCTION_ARGS) { - BIO *membuf = BIO_new(BIO_s_mem()); - int i, - nid, - count = X509_NAME_entry_count(name); - X509_NAME_ENTRY *e; - ASN1_STRING *v; - const char *field_name; - size_t size; - char nullterm; - char *sp; - char *dp; - text *result; - - if (membuf == NULL) - ereport(ERROR, - (errcode(ERRCODE_OUT_OF_MEMORY), - errmsg("could not create OpenSSL BIO structure"))); - - (void) BIO_set_close(membuf, BIO_CLOSE); - for (i = 0; i < count; i++) - { - e = X509_NAME_get_entry(name, i); - nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)); - if (nid == NID_undef) - ereport(ERROR, - (errcode(ERRCODE_INVALID_PARAMETER_VALUE), - errmsg("could not get NID for ASN1_OBJECT object"))); - v = X509_NAME_ENTRY_get_data(e); - field_name = OBJ_nid2sn(nid); - if (field_name == NULL) - field_name = OBJ_nid2ln(nid); - if (field_name == NULL) - ereport(ERROR, - (errcode(ERRCODE_INVALID_PARAMETER_VALUE), - errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid))); - BIO_printf(membuf, "/%s=", field_name); - ASN1_STRING_print_ex(membuf, v, - ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) - | ASN1_STRFLGS_UTF8_CONVERT)); - } - - /* ensure null termination of the BIO's content */ - nullterm = '\0'; - BIO_write(membuf, &nullterm, 1); - size = BIO_get_mem_data(membuf, &sp); - dp = pg_any_to_server(sp, size - 1, PG_UTF8); - result = cstring_to_text(dp); - if (dp != sp) - pfree(dp); - 
if (BIO_free(membuf) != 1) - elog(ERROR, "could not free OpenSSL BIO structure"); + PG_RETURN_NULL(); +} - PG_RETURN_TEXT_P(result); +PG_FUNCTION_INFO_V1(ssl_issuer_field); +Datum +ssl_issuer_field(PG_FUNCTION_ARGS) +{ + PG_RETURN_NULL(); } +#endif /* USE_NSS */ /* @@ -358,9 +319,17 @@ PG_FUNCTION_INFO_V1(ssl_client_dn); Datum ssl_client_dn(PG_FUNCTION_ARGS) { - if (!(MyProcPort->peer)) + char subject[NAMEDATALEN]; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_subject_name(MyProcPort, subject, NAMEDATALEN); + + if (!*subject) PG_RETURN_NULL(); - return X509_NAME_to_text(X509_get_subject_name(MyProcPort->peer)); + + PG_RETURN_TEXT_P(cstring_to_text(subject)); } @@ -377,12 +346,21 @@ PG_FUNCTION_INFO_V1(ssl_issuer_dn); Datum ssl_issuer_dn(PG_FUNCTION_ARGS) { - if (!(MyProcPort->peer)) + char issuer[NAMEDATALEN]; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_issuer_name(MyProcPort, issuer, NAMEDATALEN); + + if (!*issuer) PG_RETURN_NULL(); - return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer)); + + PG_RETURN_TEXT_P(cstring_to_text(issuer)); } +#ifdef USE_OPENSSL /* * Returns information about available SSL extensions. * @@ -516,3 +494,13 @@ ssl_extension_info(PG_FUNCTION_ARGS) /* All done */ SRF_RETURN_DONE(funcctx); } +#endif /* USE_OPENSSL */ + +#ifdef USE_NSS +PG_FUNCTION_INFO_V1(ssl_extension_info); +Datum +ssl_extension_info(PG_FUNCTION_ARGS) +{ + PG_RETURN_NULL(); +} +#endif /* USE_NSS */ diff --git a/doc/src/sgml/acronyms.sgml b/doc/src/sgml/acronyms.sgml index 4e5ec983c0..4f6f0cf353 100644 --- a/doc/src/sgml/acronyms.sgml +++ b/doc/src/sgml/acronyms.sgml @@ -441,6 +441,28 @@ + + NSPR + + + + Netscape Portable Runtime + + + + + + NSS + + + + Network Security Services + + + + ODBC @@ -539,6 +561,17 @@ + + PKCS#12 + + + + Public-Key Cryptography Standards #12 + + + + PL 
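Review bot: The NSS versions of `ssl_client_dn_field` and `ssl_issuer_field` silently `PG_RETURN_NULL()`, which is exactly what the OpenSSL implementation returns when the client presented no certificate or the requested field is absent, so an application that gates access on `ssl_client_dn_field('CN')` cannot distinguish "unsupported backend" from "no identity". The sslinfo.sgml hunk in this same patch documents these functions as only available with OpenSSL; the code should enforce that rather than return an ambiguous value, e.g. `ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("ssl_client_dn_field is not supported when built with NSS")));` in each stub.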
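Review bot: `ssl_client_dn` now copies the subject into a fixed `char subject[NAMEDATALEN]` (64 bytes), whereas the removed `X509_NAME_to_text` built the string in a growable BIO; a routine multi-RDN subject such as `/C=US/ST=California/O=Example Corp/OU=Databases/CN=app.example.com` exceeds 63 characters, so unless `be_tls_get_peer_subject_name` signals truncation (no return value is checked here) the function returns a silently shortened DN, which is a poor property for a value applications compare against access lists. `ssl_issuer_dn` just below repeats the pattern. The old code also passed the result through `pg_any_to_server(..., PG_UTF8)`; whether the new helper converts to the database encoding is not visible in this patch and should be confirmed. Consider having the helper palloc the full string, or at least return an overflow indicator and raise an error on truncation instead of only returning NULL on the empty case.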
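Review bot: The NSS stub for `ssl_extension_info` does `PG_RETURN_NULL()` from a function SQL declares as set-returning; if I recall the executor's value-per-call SRF handling correctly, a NULL datum from a tuple-returning function is materialised as one row of NULLs rather than an empty set, so `SELECT * FROM ssl_extension_info()` under NSS would report a single bogus extension. Either terminate the SRF properly with an empty result or, consistent with the sslinfo.sgml text that marks this function OpenSSL-only, raise `ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("ssl_extension_info is not supported when built with NSS")));`.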
@@ -684,6 +717,16 @@ + + TLS + + + + Transport Layer Security + + + + TOAST diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 2c75876e32..3859fb39f1 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1208,6 +1208,23 @@ include_dir 'conf.d' + + ssl_database (string) + + ssl_database configuration parameter + + + + + Specifies the name of the file containing the server certificates and + keys when using NSS for SSL + connections. This parameter can only be set in the + postgresql.conf file or on the server command + line. + + + + ssl_ciphers (string) @@ -1224,7 +1241,9 @@ include_dir 'conf.d' connections using TLS version 1.2 and lower are affected. There is currently no setting that controls the cipher choices used by TLS version 1.3 connections. The default value is - HIGH:MEDIUM:+3DES:!aNULL. The default is usually a + HIGH:MEDIUM:+3DES:!aNULL for servers which have + been built with OpenSSL as the + SSL library. The default is usually a reasonable choice unless you have specific security requirements. diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index b585f22408..60cd6ff8de 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -250,7 +250,7 @@ su - postgres - You need OpenSSL, if you want to support + You need a supported SSL library, if you want to support encrypted client connections. OpenSSL is also required for random number generation on platforms that do not have /dev/urandom (except Windows). The minimum @@ -969,6 +969,31 @@ build-postgresql: + + + + NSS + NSPR + SSL + + + + + Build with support for SSL (encrypted) + connections using NSS. This requires the + NSS package to be installed. Additionally, + NSS requires NSPR + to be installed. configure will check for the + required header files and libraries to make sure that your + NSS installation is sufficient before + proceeding. + + + This option is incompatible with --with-openssl. + + + + 
@@ -985,6 +1010,9 @@ build-postgresql: your OpenSSL installation is sufficient before proceeding. + + This option is incompatible with --with-nss. + diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index b50391caee..cd8e170938 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -2497,9 +2497,14 @@ void *PQsslStruct(const PGconn *conn, const char *struct_name); ]]> - This structure can be used to verify encryption levels, check server - certificates, and more. Refer to the OpenSSL - documentation for information about this structure. + For NSS, there is one struct available under + the name "NSS", and it returns a pointer to the + NSS PRFileDesc. + + + These structures can be used to verify encryption levels, check server + certificates, and more. Refer to the SSL library + documentation for information about these structures. @@ -2526,6 +2531,10 @@ void *PQgetssl(const PGconn *conn); instead, and for more details about the connection, use . + + This function returns NULL when SSL + librariaes other than OpenSSL are used. + @@ -7958,6 +7967,11 @@ void PQinitOpenSSL(int do_ssl, int do_crypto); before first opening a database connection. Also be sure that you have done that initialization before opening a database connection. + + + This function does nothing when using NSS as + the SSL library. + @@ -7984,6 +7998,11 @@ void PQinitSSL(int do_ssl); might be preferable for applications that need to work with older versions of libpq. + + + This function does nothing when using NSS as + the SSL library. + diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index f584231935..bfc8218c7b 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml 
@@ -2183,15 +2183,21 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 SSL + TLS PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. This requires that - OpenSSL is installed on both client and + a supported TLS library is installed on both client and server systems and that support in PostgreSQL is enabled at build time (see ). + Supported libraries are OpenSSL and + NSS. The terms SSL and + TLS are often used interchangeably to mean a secure + connection using a TLS protocol, even though + SSL protocols are no longer supported. @@ -2211,8 +2217,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 - To start in SSL mode, files containing the server certificate - and private key must exist. By default, these files are expected to be + To start in SSL mode, a server certificate + and private key must exist. The below sections on the different libraries + will discuss how to configure these. + + + + By default, these files are expected to be named server.crt and server.key, respectively, in the server's data directory, but other names and locations can be specified using the configuration parameters @@ -2302,6 +2313,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 + + NSS Configuration + + + PostgreSQL will look for certificates and keys + in the NSS database specified by the parameter + in postgresql.conf. + The paramaters for certificate and key filenames are used to identify the + nicknames in the database. + + + Using Client Certificates @@ -2377,7 +2400,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 - SSL Server File Usage + SSL Server File Parameter Usage summarizes the files that are @@ -2424,6 +2447,14 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 client certificate must not be on this list + + + certificate database + contains server certificates, keys and revocation lists; only + used when PostgreSQL is built with support + for NSS. + + 
@@ -2551,6 +2582,45 @@ openssl x509 -req -in server.csr -text -days 365 \ + + NSS Certificate Databases + + + When using NSS, all certificates and keys must + be loaded into an NSS certificate database. + + + + To create a new NSS certificate database and + load the certificates created in , + use the following NSS commands: + +certutil -d "sql:server.db" -N --empty-password +certutil -d "sql:server.db" -A -n server.crt -i server.crt -t "CT,C,C" +certutil -d "sql:server.db" -A -n root.crt -i root.crt -t "CT,C,C" + + This will give the certificate the filename as the nickname identifier in + the database which is created as server.db. + + + Then load the server key, which require converting it to + PKCS#12 format using the + OpenSSL tools: + +openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt \ + -certfile root.crt -passout pass: +pk12util -i server.pfx -d server.db -W '' + + + + Finally a certificate revocation list can be loaded with the following + commands: + +crlutil -I -i server.crl -d server.db -B + + + + diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml index e16f61b41d..253bb697af 100644 --- a/doc/src/sgml/sslinfo.sgml +++ b/doc/src/sgml/sslinfo.sgml @@ -22,7 +22,8 @@ This extension won't build at all unless the installation was - configured with --with-openssl. + configured with SSL support, such as --with-openssl + or --with-nss. @@ -54,7 +55,7 @@ Returns the name of the protocol used for the SSL connection (e.g., TLSv1.0 - TLSv1.1, or TLSv1.2). + TLSv1.1, TLSv1.2 or TLSv1.3). @@ -208,6 +209,9 @@ emailAddress the X.500 and X.509 standards, so you cannot just assign arbitrary meaning to them. + + This function is only available when using OpenSSL. + @@ -223,6 +227,9 @@ emailAddress Same as ssl_client_dn_field, but for the certificate issuer rather than the certificate subject. + + This function is only available when using OpenSSL. + 
@@ -238,6 +245,9 @@ emailAddress Provide information about extensions of client certificate: extension name, extension value, and if it is a critical extension. + + This function is only available when using OpenSSL. + diff --git a/src/Makefile.global.in b/src/Makefile.global.in index 7ca1e9aac5..8946fa696a 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -184,6 +184,7 @@ with_perl = @with_perl@ with_python = @with_python@ with_tcl = @with_tcl@ with_openssl = @with_openssl@ +with_nss = @with_nss@ with_readline = @with_readline@ with_selinux = @with_selinux@ with_systemd = @with_systemd@ @@ -232,6 +233,15 @@ CLANG = @CLANG@ BITCODE_CFLAGS = @BITCODE_CFLAGS@ BITCODE_CXXFLAGS = @BITCODE_CXXFLAGS@ +ifeq ($(with_openssl),yes) +with_ssl = yes +else ifeq ($(with_nss),yes) +with_ssl = yes +else +with_ssl = no +endif + + ########################################################################## # # Programs and flags diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile index efc5ef760a..191266a426 100644 --- a/src/backend/libpq/Makefile +++ b/src/backend/libpq/Makefile @@ -30,6 +30,10 @@ OBJS = \ ifeq ($(with_openssl),yes) OBJS += be-secure-openssl.o +else +ifeq ($(with_nss),yes) +OBJS += be-secure-nss.o +endif endif ifeq ($(with_gssapi),yes) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 36565df4fc..ea6d97585e 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -2870,7 +2870,14 @@ CheckCertAuth(Port *port) { int status_check_usermap = STATUS_ERROR; +#if defined(USE_OPENSSL) Assert(port->ssl); +#elif defined(USE_NSS) + /* TODO: should we rename pr_fd to ssl, to keep consistency? */ + Assert(port->pr_fd); +#else + Assert(false); +#endif /* Make sure we have received a username in the certificate */ if (port->peer_cn == NULL || diff --git a/src/backend/libpq/be-secure-nss.c b/src/backend/libpq/be-secure-nss.c new file mode 100644 index 0000000000..fe6540852b --- /dev/null 
+++ b/src/backend/libpq/be-secure-nss.c 
@@ -0,0 +1,1038 @@ +/*------------------------------------------------------------------------- + * + * be-secure-nss.c + * functions for supporting NSS as a TLS backend + * + * + * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group + * Portions Copyright (c) 1994, Regents of the University of California + * + * IDENTIFICATION + * src/backend/libpq/be-secure-nss.c + * + *------------------------------------------------------------------------- + */ + +#include "postgres.h" + +#include + +/* + * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef + * our version to avoid compiler warnings on redefinition. + */ +#define pg_BITS_PER_BYTE BITS_PER_BYTE +#undef BITS_PER_BYTE + +/* + * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with + * colliding definitions from ours, causing a much expected compiler error. + * The definitions are however not actually used in NSPR at all, and are only + * intended for what seems to be backwards compatibility for apps written + * against old versions of NSPR. The following comment is in the referenced + * file, and was added in 1998: + * + * This section typedefs the old 'native' types to the new PRs. + * These definitions are scheduled to be eliminated at the earliest + * possible time. The NSPR API is implemented and documented using + * the new definitions. + * + * As there is no opt-out from pulling in these typedefs, we define the guard + * for the file to exclude it. This is incredibly ugly, but seems to be about + * the only way around it. + */ +#define PROTYPES_H +#include +#undef PROTYPES_H +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct +{ + enum + { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* + * Ensure that the colliding definitions match, else throw an error. 
In case + * NSPR has removed the definition for some reasone, make sure to put ours + * back again. + */ +#if defined(BITS_PER_BYTE) +#if BITS_PER_BYTE != pg_BITS_PER_BYTE +#error "incompatible byte widths between NSPR and postgres" +#endif +#else +#define BITS_PER_BYTE pg_BITS_PER_BYTE +#endif +#undef pg_BITS_PER_BYTE + +#include "common/pg_nss.h" +#include "lib/stringinfo.h" +#include "libpq/libpq.h" +#include "nodes/pg_list.h" +#include "miscadmin.h" +#include "storage/fd.h" +#include "utils/guc.h" +#include "utils/memutils.h" + +static PRDescIdentity pr_id; + +static PRIOMethods pr_iomethods; +static NSSInitContext * nss_context = NULL; +static SSLVersionRange desired_sslver; + +/* + * PR_ImportTCPSocket() is a private API, but very widely used, as it's the + * only way to make NSS use an already set up POSIX file descriptor rather + * than opening one itself. To quote the NSS documentation: + * + * "In theory, code that uses PR_ImportTCPSocket may break when NSPR's + * implementation changes. In practice, this is unlikely to happen because + * NSPR's implementation has been stable for years and because of NSPR's + * strong commitment to backward compatibility." + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket + * + * The function is declared in , but as it is a header marked + * private we declare it here rather than including it. 
+ */ +NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int); + +/* NSS IO layer callback overrides */ +static PRInt32 pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount, + PRIntn flags, PRIntervalTime timeout); +static PRInt32 pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount, + PRIntn flags, PRIntervalTime timeout); +/* Utility functions */ +static PRFileDesc * init_iolayer(Port *port, int loglevel); +static uint16 ssl_protocol_version_to_nss(int v, const char *guc_name); + +static char *pg_SSLerrmessage(PRErrorCode errcode); +static char *ssl_protocol_version_to_string(int v); +static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd, + PRBool checksig, PRBool isServer); +static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd); + +/* ------------------------------------------------------------ */ +/* Public interface */ +/* ------------------------------------------------------------ */ + +static char * +ssl_passphrase_callback(PK11SlotInfo * slot, PRBool retry, void *arg) +{ + return pstrdup(""); +} + +/* + * be_tls_init + * Initialize the nss TLS library in the postmaster + * + * The majority of the setup needs to happen in be_tls_open_server since the + * NSPR initialization must happen after the forking of the backend. We could + * potentially move some parts in under !isServerStart, but so far this is the + * separation chosen. + */ +int +be_tls_init(bool isServerStart) +{ + SECStatus status; + SSLVersionRange supported_sslver; + + /* + * Set up the connection cache for multi-processing application behavior. + * If we are in ServerStart then we initialize the cache. If the server is + * already started, we inherit the cache such that it can be used for + * connections. Calling SSL_ConfigMPServerSIDCache sets an environment + * variable which contains enough information for the forked child to know + * how to access it. 
Passing NULL to SSL_InheritMPServerSIDCache will + * make the forked child look it up by the default name SSL_INHERITANCE, + * if env vars aren't inherited then the contents of the variable can be + * passed instead. + */ + if (isServerStart) + { + /* + * SSLv2 and SSLv3 are disabled in this TLS backend, but when setting + * up the required session cache for NSS we still must supply timeout + * values for v2 and The minimum allowed value for both is 5 seconds, + * so opt for that in both cases (the defaults being 100 seconds and + * 24 hours). + * + * Passing NULL as the directory for the session cache will default to + * using /tmp on UNIX and \\temp on Windows. Deciding if we want to + * keep closer control on this directory is left as a TODO. + */ + status = SSL_ConfigMPServerSIDCache(MaxConnections, 5, 5, NULL); + if (status != SECSuccess) + ereport(FATAL, + (errmsg("unable to set up TLS connection cache: %s", + pg_SSLerrmessage(PR_GetError())))); + + } + else + { + status = SSL_InheritMPServerSIDCache(NULL); + if (status != SECSuccess) + { + ereport(LOG, + (errmsg("unable to connect to TLS connection cache: %s", + pg_SSLerrmessage(PR_GetError())))); + return -1; + } + } + + if (!ssl_database || strlen(ssl_database) == 0) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("no certificate database specified"))); + goto error; + } + + /* + * We check for the desired TLS version range here, even though we cannot + * set it until be_open_server such that we can be compatible with how the + * OpenSSL backend reports errors for incompatible range configurations. + * Set either the default supported TLS version range, or the configured + * range from ssl_min_protocol_version and ssl_max_protocol version. In + * case the user hasn't defined the maximum allowed version we fall back + * to the highest version TLS that the library supports. + */ + if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_sslver) != SECSuccess) + { + ereport(isServerStart ? 
FATAL : LOG, + (errmsg("unable to get default protocol support from NSS"))); + goto error; + } + + /* + * Set the fallback versions for the TLS protocol version range to a + * combination of our minimal requirement and the library maximum. + */ + desired_sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; + desired_sslver.max = supported_sslver.max; + + if (ssl_min_protocol_version) + { + int ver = ssl_protocol_version_to_nss(ssl_min_protocol_version, + "ssl_min_protocol_version"); + + if (ver == -1) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("\"%s\" setting \"%s\" not supported by this build", + "ssl_min_protocol_version", + GetConfigOption("ssl_min_protocol_version", + false, false)))); + goto error; + } + + if (ver > 0) + desired_sslver.min = ver; + } + + if (ssl_max_protocol_version) + { + int ver = ssl_protocol_version_to_nss(ssl_max_protocol_version, + "ssl_max_protocol_version"); + + if (ver == -1) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("\"%s\" setting \"%s\" not supported by this build", + "ssl_max_protocol_version", + GetConfigOption("ssl_max_protocol_version", + false, false)))); + goto error; + } + if (ver > 0) + desired_sslver.max = ver; + + if (ver < desired_sslver.min) + { + ereport(isServerStart ? 
FATAL : LOG, + (errmsg("could not set SSL protocol version range"), + errdetail("\"%s\" cannot be higher than \"%s\"", + "ssl_min_protocol_version", + "ssl_max_protocol_version"))); + goto error; + } + } + + return 0; +error: + return -1; +} + +int +be_tls_open_server(Port *port) +{ + SECStatus status; + PRFileDesc *model; + PRFileDesc *pr_fd; + PRFileDesc *layer; + CERTCertificate *server_cert; + SECKEYPrivateKey *private_key; + CERTSignedCrl *crl; + SECItem crlname; + secuPWData pwdata = {PW_NONE, 0}; /* TODO: This is a bogus callback */ + char *cert_database; + NSSInitParameters params; + + /* + * The NSPR documentation states that runtime initialization via PR_Init + * is no longer required, as the first caller into NSPR will perform the + * initialization implicitly. The documentation doesn't however clarify + * from which version this is holds true, so let's perform the potentially + * superfluous initialization anyways to avoid crashing on older versions + * of NSPR, as there is no difference in overhead. The NSS documentation + * still states that PR_Init must be called in some way (implicitly or + * explicitly). + * + * The below parameters are what the implicit initialization would've done + * for us, and should work even for older versions where it might not be + * done automatically. The last parameter, maxPTDs, is set to various + * values in other codebases, but has been unused since NSPR 2.1 which was + * released sometime in 1998. + */ + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0 /* maxPTDs */ ); + + /* + * The certificate path (configdir) must contain a valid NSS database. If + * the certificate path isn't a valid directory, NSS will fall back on the + * system certificate database. If the certificate path is a directory but + * is empty then the initialization will fail. On the client side this can + * be allowed for any sslmode but the verify-xxx ones. 
+ * https://bugzilla.redhat.com/show_bug.cgi?id=728562 For the server side + * we wont allow this to fail however, as we require the certificate and + * key to exist. + * + * The original design of NSS was for a single application to use a single + * copy of it, initialized with NSS_Initialize() which isn't returning any + * handle with which to refer to NSS. NSS initialization and shutdown are + * global for the application, so a shutdown in another NSS enabled + * library would cause NSS to be stopped for libpq as well. The fix has + * been to introduce NSS_InitContext which returns a context handle to + * pass to NSS_ShutdownContext. NSS_InitContext was introduced in NSS + * 3.12, but the use of it is not very well documented. + * https://bugzilla.redhat.com/show_bug.cgi?id=738456 + * + * The InitParameters struct passed can be used to override internal + * values in NSS, but the usage is not documented at all. When using + * NSS_Init initializations, the values are instead set via PK11_Configure + * calls so the PK11_Configure documentation can be used to glean some + * details on these. + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs + */ + memset(¶ms, '\0', sizeof(params)); + params.length = sizeof(params); + + if (!ssl_database || strlen(ssl_database) == 0) + ereport(FATAL, + (errmsg("no certificate database specified"))); + + cert_database = psprintf("sql:%s", ssl_database); + nss_context = NSS_InitContext(cert_database, "", "", "", + ¶ms, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + pfree(cert_database); + + if (!nss_context) + ereport(FATAL, + (errmsg("unable to read certificate database \"%s\": %s", + ssl_database, pg_SSLerrmessage(PR_GetError())))); + + /* + * Set the passphrase callback which will be used both to obtain the + * passphrase from the user, as well as by NSS to obtain the phrase + * repeatedly. 
+ * + * TODO: Figure this out - do note that we are setting another password + * callback below for cert/key as well. Need to make sense of all these. + */ + PK11_SetPasswordFunc(ssl_passphrase_callback); + + /* + * Import the already opened socket as we don't want to use NSPR functions + * for opening the network socket due to how the PostgreSQL protocol works + * with TLS connections. This function is not part of the NSPR public API, + * see the comment at the top of the file for the rationale of still using + * it. + */ + pr_fd = PR_ImportTCPSocket(port->sock); + if (!pr_fd) + ereport(ERROR, + (errmsg("unable to connect to socket"))); + + /* + * Most of the documentation available, and implementations of, NSS/NSPR + * use the PR_NewTCPSocket() function here, which has the drawback that it + * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which + * copes with IPv6 as well. + */ + model = PR_OpenTCPSocket(port->laddr.addr.ss_family); + if (!model) + ereport(ERROR, + (errmsg("unable to open socket"))); + + /* + * Convert the NSPR socket to an SSL socket. Ensuring the success of this + * operation is critical as NSS SSL_* functions may return SECSuccess on + * the socket even though SSL hasn't been enabled, which introduce a risk + * of silent downgrades. + */ + model = SSL_ImportFD(NULL, model); + if (!model) + ereport(ERROR, + (errmsg("unable to enable TLS on socket"))); + + /* + * Configure basic settings for the connection over the SSL socket in + * order to set it up as a server. 
+ */ + if (SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure TLS connection"))); + + if (SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_TRUE) != SECSuccess || + SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_FALSE) != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure TLS connection as server"))); + + /* + * SSLv2 is disabled by default, and SSLv3 will be excluded from the range + * of allowed protocols further down. Since we really don't want these to + * ever be enabled, let's use belts and suspenders and explicitly turn + * them off as well. + */ + SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE); + SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE); + +#ifdef SSL_CBC_RANDOM_IV + + /* + * Enable protection against the BEAST attack in case the NSS server has + * support for that. While SSLv3 is disabled, we may still allow TLSv1 + * which is affected. The option isn't documented as an SSL option, but as + * an NSS environment variable. + */ + SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE); +#endif + + /* + * Configure the allowed cipher. If there are no user preferred suites, + * set the domestic policy. TODO: while this code works, the set of + * ciphers which can be set and still end up with a working socket is + * woefully underdocumented for anything more recent than SSLv3 (the code + * for TLS actually calls ssl3 functions under the hood for + * SSL_CipherPrefSet), so it's unclear if this is helpful or not. Using + * the policies works, but may be too coarsely grained. + * + * Another TODO: The SSL_ImplementedCiphers table returned with calling + * SSL_GetImplementedCiphers is sorted in server preference order. Sorting + * SSLCipherSuites according to the order of the ciphers therein could be + * a way to implement ssl_prefer_server_ciphers - if we at all want to use + * cipher selection for NSS like how we do it for OpenSSL that is. 
+ */ + + /* + * If no ciphers are specified, we use the domestic policy + */ + if (!SSLCipherSuites || strlen(SSLCipherSuites) == 0) + { + status = NSS_SetDomesticPolicy(); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to set cipher policy: %s", + pg_SSLerrmessage(PR_GetError())))); + } + else + { + char *ciphers, + *c; + + char *sep = ":;, "; + PRUint16 ciphercode; + const PRUint16 *nss_ciphers; + + /* + * If the user has specified a set of preferred cipher suites we start + * by turning off all the existing suites to avoid the risk of down- + * grades to a weaker cipher than expected. + */ + nss_ciphers = SSL_GetImplementedCiphers(); + for (int i = 0; i < SSL_GetNumImplementedCiphers(); i++) + SSL_CipherPrefSet(model, nss_ciphers[i], PR_FALSE); + + ciphers = pstrdup(SSLCipherSuites); + + for (c = strtok(ciphers, sep); c; c = strtok(NULL, sep)) + { + ciphercode = pg_find_cipher(c); + if (ciphercode != INVALID_CIPHER) + { + status = SSL_CipherPrefSet(model, ciphercode, PR_TRUE); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("invalid cipher-suite specified: %s", c))); + } + } + + pfree(ciphers); + } + + if (SSL_VersionRangeSet(model, &desired_sslver) != SECSuccess) + ereport(ERROR, + (errmsg("unable to set requested SSL protocol version range"))); + + /* + * Set up the custom IO layer. 
+ */ + layer = init_iolayer(port, ERROR); + if (!layer) + goto error; + + /* Store the Port as private data available in callbacks */ + layer->secret = (void *) port; + + if (PR_PushIOLayer(pr_fd, PR_TOP_IO_LAYER, layer) != PR_SUCCESS) + { + PR_Close(layer); + ereport(ERROR, + (errmsg("unable to push IO layer"))); + } + + /* TODO: set the postgres password callback param as callback function */ + server_cert = PK11_FindCertFromNickname(ssl_cert_file, &pwdata /* password callback */ ); + if (!server_cert) + ereport(ERROR, + (errmsg("unable to find certificate for \"%s\": %s", + ssl_cert_file, pg_SSLerrmessage(PR_GetError())))); + + /* TODO: set the postgres password callback param as callback function */ + private_key = PK11_FindKeyByAnyCert(server_cert, &pwdata /* password callback */ ); + if (!private_key) + ereport(ERROR, + (errmsg("unable to find private key for \"%s\": %s", + ssl_cert_file, pg_SSLerrmessage(PR_GetError())))); + + /* + * NSS doesn't use CRL files on disk, so we use the ssl_crl_file guc to + * contain the CRL nickname for the current server certificate in the NSS + * certificate database. The main difference from the OpenSSL backend is + * that NSS will use the CRL regardless, but being able to make sure the + * CRL is loaded seems like a good feature. + */ + if (ssl_crl_file[0]) + { + SECITEM_CopyItem(NULL, &crlname, &server_cert->derSubject); + crl = SEC_FindCrlByName(CERT_GetDefaultCertDB(), &crlname, SEC_CRL_TYPE); + if (!crl) + ereport(ERROR, + (errmsg("specified CRL not found in database"))); + SEC_DestroyCrl(crl); + } + + /* + * Finally we must configure the socket for being a server by setting the + * certificate and key. 
+ */ + status = SSL_ConfigSecureServer(model, server_cert, private_key, kt_rsa); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure secure server: %s", + pg_SSLerrmessage(PR_GetError())))); + status = SSL_ConfigServerCert(model, server_cert, private_key, NULL, 0); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure server for TLS server connections: %s", + pg_SSLerrmessage(PR_GetError())))); + + ssl_loaded_verify_locations = true; + + /* + * At this point, we no longer have use for the certificate and private + * key as they have been copied into the context by NSS. Destroy our + * copies explicitly to clean out the memory as best we can. + */ + CERT_DestroyCertificate(server_cert); + SECKEY_DestroyPrivateKey(private_key); + + status = SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) port); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to install authcert hook: %s", + pg_SSLerrmessage(PR_GetError())))); + SSL_BadCertHook(model, pg_bad_cert_handler, (void *) port); + SSL_OptionSet(model, SSL_REQUEST_CERTIFICATE, PR_TRUE); + SSL_OptionSet(model, SSL_REQUIRE_CERTIFICATE, PR_FALSE); + + port->pr_fd = SSL_ImportFD(model, pr_fd); + if (!port->pr_fd) + ereport(ERROR, + (errmsg("unable to initialize"))); + + PR_Close(model); + + /* + * Force a handshake on the next I/O request, the second parameter means + * that we are a server, PR_FALSE would indicate being a client. NSPR + * requires us to call SSL_ResetHandshake since we imported an already + * established socket. 
+ */ + status = SSL_ResetHandshake(port->pr_fd, PR_TRUE); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to initiate handshake: %s", + pg_SSLerrmessage(PR_GetError())))); + status = SSL_ForceHandshake(port->pr_fd); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to handshake: %s", + pg_SSLerrmessage(PR_GetError())))); + + port->ssl_in_use = true; + return 0; + +error: + return 1; +} + +ssize_t +be_tls_read(Port *port, void *ptr, size_t len, int *waitfor) +{ + ssize_t n_read; + PRErrorCode err; + + n_read = PR_Read(port->pr_fd, ptr, len); + + if (n_read < 0) + { + err = PR_GetError(); + + /* XXX: This logic seems potentially bogus? */ + if (err == PR_WOULD_BLOCK_ERROR) + *waitfor = WL_SOCKET_READABLE; + else + *waitfor = WL_SOCKET_WRITEABLE; + } + + return n_read; +} + +ssize_t +be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) +{ + ssize_t n_write; + PRErrorCode err; + + n_write = PR_Send(port->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT); + + if (n_write < 0) + { + err = PR_GetError(); + + if (err == PR_WOULD_BLOCK_ERROR) + *waitfor = WL_SOCKET_WRITEABLE; + else + *waitfor = WL_SOCKET_READABLE; + } + + return n_write; +} + +void +be_tls_close(Port *port) +{ + if (!port) + return; + + if (port->peer_cn) + { + SSL_InvalidateSession(port->pr_fd); + pfree(port->peer_cn); + port->peer_cn = NULL; + } + + PR_Close(port->pr_fd); + port->pr_fd = NULL; + port->ssl_in_use = false; + + if (nss_context) + { + NSS_ShutdownContext(nss_context); + nss_context = NULL; + } +} + +void +be_tls_destroy(void) +{ + /* + * It reads a bit odd to clear a session cache when we are destroying the + * context altogether, but if the session cache isn't cleared before + * shutting down the context it will fail with SEC_ERROR_BUSY. 
+ */ + SSL_ClearSessionCache(); +} + +int +be_tls_get_cipher_bits(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + goto error; + + status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)); + if (status != SECSuccess) + goto error; + + return suite.effectiveKeyBits; + +error: + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + return 0; +} + +/* + * be_tls_get_compression + * + * NSS disabled support for TLS compression in version 3.33 and removed the + * code in a subsequent release. The API for retrieving information about + * compression as well as enabling it is kept for backwards compatibility, but + * we don't need to consult it since it was only available for SSLv3 which we + * don't support. + * + * https://bugzilla.mozilla.org/show_bug.cgi?id=1409587 + */ +bool +be_tls_get_compression(Port *port) +{ + return false; +} + +/* + * be_tls_get_version + * + * Returns the protocol version used for the current connection, or NULL in + * case of errors. 
+ */ +const char * +be_tls_get_version(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + { + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + return NULL; + } + + return ssl_protocol_version_to_string(channel.protocolVersion); +} + +const char * +be_tls_get_cipher(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + goto error; + + status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)); + if (status != SECSuccess) + goto error; + + return suite.cipherSuiteName; + +error: + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + return NULL; +} + +void +be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + strlcpy(ptr, CERT_NameToAscii(&certificate->subject), len); + else + ptr[0] = '\0'; +} + +void +be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + strlcpy(ptr, CERT_NameToAscii(&certificate->issuer), len); + else + ptr[0] = '\0'; +} + +void +be_tls_get_peer_serial(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + snprintf(ptr, len, "%li", DER_GetInteger(&(certificate->serialNumber))); + else + ptr[0] = '\0'; +} + +static SECStatus +pg_bad_cert_handler(void *arg, PRFileDesc * fd) +{ + Port *port = (Port *) arg; + + port->peer_cert_valid = false; + return SECFailure; +} + +static SECStatus +pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool 
checksig, PRBool isServer) +{ + SECStatus status; + Port *port = (Port *) arg; + CERTCertificate *cert; + char *peer_cn; + int len; + + status = SSL_AuthCertificate(CERT_GetDefaultCertDB(), port->pr_fd, checksig, PR_TRUE); + if (status == SECSuccess) + { + cert = SSL_PeerCertificate(port->pr_fd); + len = strlen(cert->subjectName); + peer_cn = MemoryContextAllocZero(TopMemoryContext, len + 1); + if (strncmp(cert->subjectName, "CN=", 3) == 0) + strlcpy(peer_cn, cert->subjectName + strlen("CN="), len + 1); + else + strlcpy(peer_cn, cert->subjectName, len + 1); + CERT_DestroyCertificate(cert); + + port->peer_cn = peer_cn; + port->peer_cert_valid = true; + } + + return status; +} + +/* ------------------------------------------------------------ */ +/* Internal functions */ +/* ------------------------------------------------------------ */ + +static PRInt32 +pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount, PRIntn flags, + PRIntervalTime timeout) +{ + PRRecvFN read_fn; + PRInt32 n_read; + + read_fn = fd->lower->methods->recv; + n_read = read_fn(fd->lower, buf, amount, flags, timeout); + + return n_read; +} + +static PRInt32 +pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount, PRIntn flags, + PRIntervalTime timeout) +{ + PRSendFN send_fn; + PRInt32 n_write; + + send_fn = fd->lower->methods->send; + n_write = send_fn(fd->lower, buf, amount, flags, timeout); + + return n_write; +} + +static PRFileDesc * +init_iolayer(Port *port, int loglevel) +{ + const PRIOMethods *default_methods; + PRFileDesc *layer; + + /* + * Start by initializing our layer with all the default methods so that we + * can selectively override the ones we want while still ensuring that we + * have a complete layer specification. 
+ */ + default_methods = PR_GetDefaultIOMethods(); + memcpy(&pr_iomethods, default_methods, sizeof(PRIOMethods)); + + pr_iomethods.recv = pg_ssl_read; + pr_iomethods.send = pg_ssl_write; + + /* + * Each IO layer must be identified by a unique name, where uniqueness is + * per connection. Each connection in a postgres cluster can generate the + * identity from the same string as they will create their IO layers on + * different sockets. Only one layer per socket can have the same name. + */ + pr_id = PR_GetUniqueIdentity("PostgreSQL"); + if (pr_id == PR_INVALID_IO_LAYER) + { + ereport(loglevel, + (errmsg("out of memory when setting up TLS connection"))); + return NULL; + } + + /* + * Create the actual IO layer as a stub such that it can be pushed onto + * the layer stack. The step via a stub is required as we define custom + * callbacks. + */ + layer = PR_CreateIOLayerStub(pr_id, &pr_iomethods); + if (!layer) + { + ereport(loglevel, + (errmsg("unable to create NSS I/O layer"))); + return NULL; + } + + return layer; +} + +static char * +ssl_protocol_version_to_string(int v) +{ + switch (v) + { + /* SSL v2 and v3 are not supported */ + case SSL_LIBRARY_VERSION_2: + case SSL_LIBRARY_VERSION_3_0: + Assert(false); + break; + + case SSL_LIBRARY_VERSION_TLS_1_0: + return pstrdup("TLSv1.0"); + case SSL_LIBRARY_VERSION_TLS_1_1: + return pstrdup("TLSv1.1"); + case SSL_LIBRARY_VERSION_TLS_1_2: + return pstrdup("TLSv1.2"); + case SSL_LIBRARY_VERSION_TLS_1_3: + return pstrdup("TLSv1.3"); + } + + return pstrdup("unknown"); +} + + +/* + * ssl_protocol_version_to_nss + * Translate PostgreSQL TLS version to NSS version + * + * Returns zero in case the requested TLS version is undefined (PG_ANY) and + * should be set by the caller, or -1 on failure. 
+ */ +static uint16 +ssl_protocol_version_to_nss(int v, const char *guc_name) +{ + switch (v) + { + /* + * There is no SSL_LIBRARY_ macro defined in NSS with the value + * zero, so we use this to signal the caller that the highest + * useful version should be set on the connection. + */ + case PG_TLS_ANY: + return 0; + + /* + * No guard is required here as there are no versions of NSS + * without support for TLS1. + */ + case PG_TLS1_VERSION: + return SSL_LIBRARY_VERSION_TLS_1_0; + case PG_TLS1_1_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_1 + return SSL_LIBRARY_VERSION_TLS_1_1; +#else + break; +#endif + case PG_TLS1_2_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_2 + return SSL_LIBRARY_VERSION_TLS_1_2; +#else + break; +#endif + case PG_TLS1_3_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + return SSL_LIBRARY_VERSION_TLS_1_3; +#else + break; +#endif + default: + break; + } + + return -1; +} + +/* + * pg_SSLerrmessage + * Create and return a human readable error message given + * the specified error code + * + * PR_ErrorToName only converts the enum identifier of the error to string, + * but that can be quite useful for debugging (and in case PR_ErrorToString is + * unable to render a message then we at least have something). + */ +static char * +pg_SSLerrmessage(PRErrorCode errcode) +{ + char error[128]; + int ret; + + /* TODO: this should perhaps use a StringInfo instead.. */ + ret = pg_snprintf(error, sizeof(error), "%s (%s)", + PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT), + PR_ErrorToName(errcode)); + if (ret) + return pstrdup(error); + + return pstrdup(_("unknown TLS error")); +} diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 8b21ff4065..5962cffc0c 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c 
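Review bot: pg_cert_auth_handler copies everything after a leading `CN=` of cert->subjectName into port->peer_cn, so for a subject like `CN=alice,O=example` (constructed) CheckCertAuth's usermap comparison sees `alice,O=example` instead of the bare CN that the OpenSSL backend stores, a DN whose first component is not CN= is stored in full, and the SSL_PeerCertificate() result is dereferenced without a NULL check; the sketch below extracts only the CN via CERT_GetCommonName() and releases it with PORT_Free. ssl_protocol_version_to_nss is declared `static uint16` but documents -1 as its failure value, so after promotion the `ver == -1` tests in be_tls_init can never be true and an unsupported version silently becomes 65535 — declaring it `static int ssl_protocol_version_to_nss(int v, const char *guc_name)` (prototype and definition) fixes that. ssl_passphrase_callback hands NSS a pstrdup() string, whereas NSS frees callback-supplied passwords with PORT_Free; `return PL_strdup("");` is the allocation NSS expects. The cipher loop in be_tls_open_server first disables every implemented suite and then silently skips any name for which pg_find_cipher() returns INVALID_CIPHER, so a mistyped ssl_ciphers leaves no suite enabled and surfaces only as a handshake failure; `ereport(ERROR, (errmsg("invalid cipher-suite specified: %s", c)));` on that branch keeps the misconfiguration from going unnoticed. be_tls_get_peer_subject_name, _issuer_name and _serial also never release the SSL_PeerCertificate() reference or the CERT_NameToAscii() buffer, unlike the handler, and DER_GetInteger() cannot represent the up-to-20-byte serial numbers real certificates carry.
```c
static SECStatus
pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer)
{
	SECStatus	status;
	Port	   *port = (Port *) arg;
	CERTCertificate *cert;
	char	   *cn;

	status = SSL_AuthCertificate(CERT_GetDefaultCertDB(), port->pr_fd, checksig, PR_TRUE);
	if (status != SECSuccess)
		return status;

	cert = SSL_PeerCertificate(port->pr_fd);
	if (!cert)
		return SECFailure;

	/*
	 * Store only the CN, as the OpenSSL backend does; a certificate without
	 * a CN leaves peer_cn NULL, which CheckCertAuth rejects.
	 */
	cn = CERT_GetCommonName(&cert->subject);
	if (cn)
	{
		port->peer_cn = MemoryContextStrdup(TopMemoryContext, cn);
		PORT_Free(cn);
	}
	CERT_DestroyCertificate(cert);

	port->peer_cert_valid = true;
	return SECSuccess;
}
```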
@@ -1298,15 +1298,28 @@ X509_NAME_to_cstring(X509_NAME *name) char *dp; char *result; + if (membuf == NULL) + ereport(ERROR, + (errcode(ERRCODE_OUT_OF_MEMORY), + errmsg("failed to create BIO"))); + (void) BIO_set_close(membuf, BIO_CLOSE); for (i = 0; i < count; i++) { e = X509_NAME_get_entry(name, i); nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)); + if (nid == NID_undef) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("could not get NID for ASN1_OBJECT object"))); v = X509_NAME_ENTRY_get_data(e); field_name = OBJ_nid2sn(nid); if (!field_name) field_name = OBJ_nid2ln(nid); + if (field_name == NULL) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid))); BIO_printf(membuf, "/%s=", field_name); ASN1_STRING_print_ex(membuf, v, ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) @@ -1322,7 +1335,8 @@ X509_NAME_to_cstring(X509_NAME *name) result = pstrdup(dp); if (dp != sp) pfree(dp); - BIO_free(membuf); + if (BIO_free(membuf) != 1) + elog(ERROR, "could not free OpenSSL BIO structure"); return result; } diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 2ae507a902..f39977b80c 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -49,6 +49,9 @@ bool ssl_passphrase_command_supports_reload; #ifdef USE_SSL bool ssl_loaded_verify_locations = false; #endif +#ifdef USE_NSS +char *ssl_database; +#endif /* GUC variable controlling SSL cipher list */ char *SSLCipherSuites = NULL; diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 596bcb7b84..ce6200c851 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -4262,7 +4262,11 @@ static struct config_string ConfigureNamesString[] = }, &ssl_library, #ifdef USE_SSL +#if defined(USE_OPENSSL) "OpenSSL", +#elif defined(USE_NSS) + "NSS", +#endif #else "", #endif 
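Review bot: The new `if (nid == NID_undef)` check in X509_NAME_to_cstring turns any subject attribute whose OID OpenSSL has no registered NID for into a hard `ereport(ERROR)`, whereas the old code fell through to `OBJ_nid2sn(nid)` (which for NID_undef yields, as far as I recall, the short name "UNDEF") and still rendered the entry; if this function is used for the peer certificate's DN, a client certificate carrying a private-OID attribute would presumably now fail the connection rather than just print oddly. Rendering the unknown attribute as its dotted OID keeps the DN printable: `char oidbuf[80]; OBJ_obj2txt(oidbuf, sizeof(oidbuf), X509_NAME_ENTRY_get_object(e), 1); field_name = oidbuf;` in place of the error. `ERRCODE_INVALID_PARAMETER_VALUE` is also a doubtful class for a malformed or unusual peer certificate, since nothing the caller passed is a parameter. X509_NAME_to_cstring begins outside the hunk.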
@@ -4320,6 +4324,18 @@ static struct config_string ConfigureNamesString[] = check_canonical_path, assign_pgstat_temp_directory, NULL }, +#ifdef USE_NSS + { + {"ssl_database", PGC_SIGHUP, CONN_AUTH_SSL, + gettext_noop("Location of the NSS certificate database."), + NULL + }, + &ssl_database, + "", + NULL, NULL, NULL + }, +#endif + { {"synchronous_standby_names", PGC_SIGHUP, REPLICATION_PRIMARY, gettext_noop("Number of synchronous standbys and list of names of potential synchronous ones."), @@ -4348,8 +4364,10 @@ static struct config_string ConfigureNamesString[] = GUC_SUPERUSER_ONLY }, &SSLCipherSuites, -#ifdef USE_OPENSSL +#if defined(USE_OPENSSL) "HIGH:MEDIUM:+3DES:!aNULL", +#elif defined (USE_NSS) + "", #else "none", #endif diff --git a/src/include/common/pg_nss.h b/src/include/common/pg_nss.h new file mode 100644 index 0000000000..74298c8bb1 --- /dev/null +++ b/src/include/common/pg_nss.h 
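Review bot: The new `ssl_database` GUC is registered with no flags, while the `ssl_ciphers` entry in the same table carries `GUC_SUPERUSER_ONLY`, so the on-disk location of the server's NSS key and certificate database becomes visible to any role through SHOW or pg_settings; the existing OpenSSL file-path GUCs are, as far as I recall, superuser-only for the same reason. Put the flag in the flags slot: `gettext_noop("Location of the NSS certificate database."), NULL, GUC_SUPERUSER_ONLY`. Separately, the `""` default for `ssl_ciphers` under `USE_NSS` gives the empty string a meaning the OpenSSL build never had; a one-line comment stating what the empty list resolves to (presumably the library's default suites — be-secure-nss.c is not in this hunk) would spare operators a guess.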
@@ -0,0 +1,141 @@ +/*------------------------------------------------------------------------- + * + * pg_nss.h + * Support for NSS as a TLS backend + * + * These definitions are used by both frontend and backend code. + * + * Copyright (c) 2020, PostgreSQL Global Development Group + * + * IDENTIFICATION + * src/include/common/pg_nss.h + * + *------------------------------------------------------------------------- + */ +#ifndef PG_NSS_H +#define PG_NSS_H + +#ifdef USE_NSS + +#include + +PRUint16 pg_find_cipher(char *name); + +typedef struct +{ + const char *name; + PRUint16 number; +} NSSCiphers; + +#define INVALID_CIPHER 0xFFFF + +/* + * This list is a partial copy of the ciphers in NSS files lib/ssl/sslproto.h + * in order to provide a human readable version of the ciphers. It would be + * nice to not have to have this, but NSS doesn't provide any API addressing + * the ciphers by name. TODO: do we want more of the ciphers, or perhaps less? + */ +static const NSSCiphers NSS_CipherList[] = { + + {"TLS_NULL_WITH_NULL_NULL", TLS_NULL_WITH_NULL_NULL}, + + {"TLS_RSA_WITH_NULL_MD5", TLS_RSA_WITH_NULL_MD5}, + {"TLS_RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA}, + {"TLS_RSA_WITH_RC4_128_MD5", TLS_RSA_WITH_RC4_128_MD5}, + {"TLS_RSA_WITH_RC4_128_SHA", TLS_RSA_WITH_RC4_128_SHA}, + {"TLS_RSA_WITH_IDEA_CBC_SHA", TLS_RSA_WITH_IDEA_CBC_SHA}, + {"TLS_RSA_WITH_DES_CBC_SHA", TLS_RSA_WITH_DES_CBC_SHA}, + {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DH_DSS_WITH_DES_CBC_SHA", TLS_DH_DSS_WITH_DES_CBC_SHA}, + {"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA}, + {"TLS_DH_RSA_WITH_DES_CBC_SHA", TLS_DH_RSA_WITH_DES_CBC_SHA}, + {"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DHE_DSS_WITH_DES_CBC_SHA", TLS_DHE_DSS_WITH_DES_CBC_SHA}, + {"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA}, + {"TLS_DHE_RSA_WITH_DES_CBC_SHA", TLS_DHE_RSA_WITH_DES_CBC_SHA}, + 
{"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DH_anon_WITH_RC4_128_MD5", TLS_DH_anon_WITH_RC4_128_MD5}, + {"TLS_DH_anon_WITH_DES_CBC_SHA", TLS_DH_anon_WITH_DES_CBC_SHA}, + {"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", TLS_DH_anon_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_RSA_WITH_AES_128_CBC_SHA", TLS_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DH_DSS_WITH_AES_128_CBC_SHA", TLS_DH_DSS_WITH_AES_128_CBC_SHA}, + {"TLS_DH_RSA_WITH_AES_128_CBC_SHA", TLS_DH_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DHE_DSS_WITH_AES_128_CBC_SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA}, + {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DH_anon_WITH_AES_128_CBC_SHA", TLS_DH_anon_WITH_AES_128_CBC_SHA}, + + {"TLS_RSA_WITH_AES_256_CBC_SHA", TLS_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DH_DSS_WITH_AES_256_CBC_SHA", TLS_DH_DSS_WITH_AES_256_CBC_SHA}, + {"TLS_DH_RSA_WITH_AES_256_CBC_SHA", TLS_DH_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DHE_DSS_WITH_AES_256_CBC_SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA}, + {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DH_anon_WITH_AES_256_CBC_SHA", TLS_DH_anon_WITH_AES_256_CBC_SHA}, + {"TLS_RSA_WITH_NULL_SHA256", TLS_RSA_WITH_NULL_SHA256}, + {"TLS_RSA_WITH_AES_128_CBC_SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256}, + {"TLS_RSA_WITH_AES_256_CBC_SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256}, + + {"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256}, + {"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA}, + + {"TLS_DHE_DSS_WITH_RC4_128_SHA", TLS_DHE_DSS_WITH_RC4_128_SHA}, + 
{"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, + {"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256}, + {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, + + {"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA}, + + {"TLS_RSA_WITH_SEED_CBC_SHA", TLS_RSA_WITH_SEED_CBC_SHA}, + + {"TLS_RSA_WITH_AES_128_GCM_SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256}, + {"TLS_RSA_WITH_AES_256_GCM_SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384}, + {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, + {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, + {"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256}, + {"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384}, + + {"TLS_AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256}, + {"TLS_AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384}, + {"TLS_CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256}, + {NULL, 0} +}; + +/* + * pg_find_cipher + * Translate an NSS ciphername to the cipher code + * + * Searches the configured ciphers for the corresponding cipher code to the + * name. Search is performed case insensitive. + */ +PRUint16 +pg_find_cipher(char *name) +{ + const NSSCiphers *cipher_list = NSS_CipherList; + + while (cipher_list->name) + { + if (pg_strcasecmp(cipher_list->name, name) == 0) + return cipher_list->number; + + cipher_list++; + } + + return 0xFFFF; +} + +#endif /* USE_NSS */ + +#endif /* PG_NSS_H */ 
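Review bot: NSS_CipherList includes suites with no encryption or no peer authentication — `TLS_NULL_WITH_NULL_NULL`, the `TLS_RSA_WITH_NULL_*` entries and the whole `TLS_DH_anon_*` family — next to RC4, single DES and IDEA, and pg_find_cipher resolves any of them on a case-insensitive name match with nothing in this header marking them as unusable; whether the code that applies the configured list refuses them is outside this hunk, so a NULL or anonymous suite may be one ssl_ciphers entry away from being enabled. Either drop those rows or add a boolean column so callers can reject them, and say so in the TODO comment. Separately, `pg_find_cipher` is a non-static function defined in a header meant for both frontend and backend, which will give duplicate-symbol link errors once two translation units include pg_nss.h; `static inline PRUint16 pg_find_cipher(const char *name)` fixes that, and the body should return `INVALID_CIPHER` rather than the literal `0xFFFF` it defines two lines earlier. `pg_strcasecmp(cipher_list->name, name)` also dereferences `name` unchecked; a NULL guard returning `INVALID_CIPHER` is cheap.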
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 0a23281ad5..f11ddd6b2e 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -192,13 +192,18 @@ typedef struct Port bool peer_cert_valid; /* - * OpenSSL structures. (Keep these last so that the locations of other - * fields are the same whether or not you build with OpenSSL.) + * SSL backend specific structures. (Keep these last so that the locations + * of other fields are the same whether or not you build with SSL + * enabled.) */ #ifdef USE_OPENSSL SSL *ssl; X509 *peer; #endif + +#ifdef USE_NSS + void *pr_fd; +#endif } Port; #ifdef USE_SSL diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h index b1152475ac..298d87ecae 100644 --- a/src/include/libpq/libpq.h +++ b/src/include/libpq/libpq.h @@ -88,6 +88,9 @@ extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload; #ifdef USE_SSL extern bool ssl_loaded_verify_locations; #endif +#ifdef USE_NSS +extern char *ssl_database; +#endif extern int secure_initialize(bool isServerStart); extern bool secure_loaded_verify_locations(void); diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index fb270df678..31f808398c 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -893,6 +893,9 @@ /* Define to 1 to build with PAM support. (--with-pam) */ #undef USE_PAM +/* Define to build with NSS support (--with-nss) */ +#undef USE_NSS + /* Define to 1 to use software CRC-32C implementation (slicing-by-8). */ #undef USE_SLICING_BY_8_CRC32C diff --git a/src/include/pg_config_manual.h b/src/include/pg_config_manual.h index 705dc69c06..c28b84126d 100644 --- a/src/include/pg_config_manual.h +++ b/src/include/pg_config_manual.h 
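Review bot: The new `void *pr_fd;` member in struct Port has no comment, unlike the typed `SSL *ssl; X509 *peer;` pair it sits beside, so a reader cannot tell what it points to or why it is untyped; presumably it is a `PRFileDesc *` kept opaque to avoid dragging NSPR headers into libpq-be.h, but that is a guess from this hunk. State it on the line: `void *pr_fd; /* PRFileDesc *; kept opaque so NSPR headers are not needed here */`. The `Port` definition begins outside the hunk.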
@@ -176,10 +176,9 @@ /* * USE_SSL code should be compiled only when compiling with an SSL - * implementation. (Currently, only OpenSSL is supported, but we might add - * more implementations in the future.) + * implementation. */ -#ifdef USE_OPENSSL +#if defined(USE_OPENSSL) || defined(USE_NSS) #define USE_SSL #endif diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index 4ac5f4b340..ef5f105afc 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile @@ -57,6 +57,10 @@ OBJS += \ fe-secure-gssapi.o endif +ifeq ($(with_nss), yes) +OBJS += fe-secure-nss.o +endif + ifeq ($(PORTNAME), cygwin) override shlib = cyg$(NAME)$(DLSUFFIX) endif diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 724076a310..0acf521624 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -354,6 +354,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "Target-Session-Attrs", "", 11, /* sizeof("read-write") = 11 */ offsetof(struct pg_conn, target_session_attrs)}, + {"cert_database", NULL, NULL, NULL, + "CertificateDatabase", "", 64, + offsetof(struct pg_conn, cert_database)}, + /* Terminating entry --- MUST BE LAST */ {NULL, NULL, NULL, NULL, NULL, NULL, 0} diff --git a/src/interfaces/libpq/fe-secure-nss.c b/src/interfaces/libpq/fe-secure-nss.c new file mode 100644 index 0000000000..778393fc3b --- /dev/null +++ b/src/interfaces/libpq/fe-secure-nss.c 
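Review bot: The new conninfo entry is named `cert_database` while the other TLS parameters this patch reads from PGconn are `ssl`-prefixed (`sslmode`, `sslcert`, `sslcrl`, `ssl_min_protocol_version` in fe-secure-nss.c), and its environment-variable slot is NULL, so unlike `sslcert`/`sslkey` (which, as far as I recall, honour `PGSSLCERT`/`PGSSLKEY`) it can only be set in the connection string. Consider `{"sslcertdb", "PGSSLCERTDB", NULL, NULL, "SSL-Cert-Database", "", 64, offsetof(struct pg_conn, cert_database)},` or add a comment explaining why this option breaks the convention; the dispsize of 64 also looks arbitrary for a filesystem path. The `PQconninfoOptions` table begins outside the hunk.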
@@ -0,0 +1,984 @@ +/*------------------------------------------------------------------------- + * + * fe-secure-nss.c + * functions for supporting NSS as a TLS backend for frontend libpq + * + * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group + * Portions Copyright (c) 1994, Regents of the University of California + * + * IDENTIFICATION + * src/interfaces/libpq/fe-secure-nss.c + * + *------------------------------------------------------------------------- + */ + +#include "postgres_fe.h" + +#include "libpq-fe.h" +#include "fe-auth.h" +#include "libpq-int.h" + +/* + * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef + * our version to avoid compiler warnings on redefinition. + */ +#define pg_BITS_PER_BYTE BITS_PER_BYTE +#undef BITS_PER_BYTE + +/* + * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with + * colliding definitions from ours, causing a much expected compiler error. + * The definitions are however not actually used in NSPR at all, and are only + * intended for what seems to be backwards compatibility for apps written + * against old versions of NSPR. The following comment is in the referenced + * file, and was added in 1998: + * + * This section typedefs the old 'native' types to the new PRs. + * These definitions are scheduled to be eliminated at the earliest + * possible time. The NSPR API is implemented and documented using + * the new definitions. + * + * As there is no opt-out from pulling in these typedefs, we define the guard + * for the file to exclude it. This is incredibly ugly, but seems to be about + * the only way around it. + */ +#define PROTYPES_H +#include +#undef PROTYPES_H +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Ensure that the colliding definitions match, else throw an error. In case + * NSPR remove the definition in a future version (however unlikely that may + * be, make sure to put ours back again. 
+ */ +#if defined(BITS_PER_BYTE) +#if BITS_PER_BYTE != pg_BITS_PER_BYTE +#error "incompatible byte widths between NSPR and PostgreSQL" +#endif +#else +#define BITS_PER_BYTE pg_BITS_PER_BYTE +#endif +#undef pg_BITS_PER_BYTE + +static SECStatus pg_load_nss_module(SECMODModule * *module, const char *library, const char *name); +static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd); +static char *pg_SSLerrmessage(PRErrorCode errcode); +static SECStatus pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames, + CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey); +static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer); +static int ssl_protocol_version_to_nss(const char *protocol); +static bool cert_database_has_CA(PGconn *conn); + +static char *PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg); + +/* + * PR_ImportTCPSocket() is a private API, but very widely used, as it's the + * only way to make NSS use an already set up POSIX file descriptor rather + * than opening one itself. To quote the NSS documentation: + * + * "In theory, code that uses PR_ImportTCPSocket may break when NSPR's + * implementation changes. In practice, this is unlikely to happen because + * NSPR's implementation has been stable for years and because of NSPR's + * strong commitment to backward compatibility." + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket + * + * The function is declared in , but as it is a header marked + * private we declare it here rather than including it. + */ +NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int); + +static SECMODModule * ca_trust = NULL; +static NSSInitContext * nss_context = NULL; + +/* + * Track whether the NSS database has a password set or not. 
There is no API + * function for retrieving password status, so we simply flip this to true in + * case NSS invoked the password callback - as that will only happen in case + * there is a password. The reason for tracking this is that there are calls + * which require a password parameter, but doesn't use the callbacks provided, + * so we must call the callback on behalf of these. + */ +static bool has_password = false; + +#if defined(WIN32) +static const char *ca_trust_name = "nssckbi.dll"; +#elif defined(__darwin__) +static const char *ca_trust_name = "libnssckbi.dylib"; +#else +static const char *ca_trust_name = "libnssckbi.so"; +#endif + +static PQsslKeyPassHook_nss_type PQsslKeyPassHook = NULL; + +/* ------------------------------------------------------------ */ +/* Procedures common to all secure sessions */ +/* ------------------------------------------------------------ */ + +/* + * pgtls_init_library + * + * There is no direct equivalent for PQinitOpenSSL in NSS/NSPR, with PR_Init + * being the closest match there is. PR_Init is however already documented to + * not be required so simply making this a noop seems like the best option. + */ +void +pgtls_init_library(bool do_ssl, int do_crypto) +{ + /* noop */ +} + +int +pgtls_init(PGconn *conn) +{ + conn->ssl_in_use = false; + + return 0; +} + +void +pgtls_close(PGconn *conn) +{ + if (nss_context) + { + NSS_ShutdownContext(nss_context); + nss_context = NULL; + } +} + +PostgresPollingStatusType +pgtls_open_client(PGconn *conn) +{ + SECStatus status; + PRFileDesc *pr_fd; + PRFileDesc *model; + NSSInitParameters params; + SSLVersionRange desired_range; + + /* + * The NSPR documentation states that runtime initialization via PR_Init + * is no longer required, as the first caller into NSPR will perform the + * initialization implicitly. 
The documentation doesn't however clarify + * from which version this is holds true, so let's perform the potentially + * superfluous initialization anyways to avoid crashing on older versions + * of NSPR, as there is no difference in overhead. The NSS documentation + * still states that PR_Init must be called in some way (implicitly or + * explicitly). + * + * The below parameters are what the implicit initialization would've done + * for us, and should work even for older versions where it might not be + * done automatically. The last parameter, maxPTDs, is set to various + * values in other codebases, but has been unused since NSPR 2.1 which was + * released sometime in 1998. + */ + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + /* + * The original design of NSS was for a single application to use a single + * copy of it, initialized with NSS_Initialize() which isn't returning any + * handle with which to refer to NSS. NSS initialization and shutdown are + * global for the application, so a shutdown in another NSS enabled + * library would cause NSS to be stopped for libpq as well. The fix has + * been to introduce NSS_InitContext which returns a context handle to + * pass to NSS_ShutdownContext. NSS_InitContext was introduced in NSS + * 3.12, but the use of it is not very well documented. + * https://bugzilla.redhat.com/show_bug.cgi?id=738456 + * + * The InitParameters struct passed can be used to override internal + * values in NSS, but the usage is not documented at all. When using + * NSS_Init initializations, the values are instead set via PK11_Configure + * calls so the PK11_Configure documentation can be used to glean some + * details on these. 
+ * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs + */ + memset(¶ms, 0, sizeof(params)); + params.length = sizeof(params); + + if (conn->cert_database && strlen(conn->cert_database) > 0) + { + char *cert_database_path = psprintf("sql:%s", conn->cert_database); + + nss_context = NSS_InitContext(cert_database_path, "", "", "", + ¶ms, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + pfree(cert_database_path); + } + else + nss_context = NSS_InitContext("", "", "", "", ¶ms, + NSS_INIT_READONLY | NSS_INIT_NOCERTDB | + NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN | + NSS_INIT_NOROOTINIT | NSS_INIT_PK11RELOAD); + + if (!nss_context) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to %s certificate database: %s"), + conn->cert_database ? "open" : "create", + err); + free(err); + return PGRES_POLLING_FAILED; + } + + /* + * Configure cipher policy. + */ + status = NSS_SetDomesticPolicy(); + if (status != SECSuccess) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to configure cipher policy: %s"), + err); + free(err); + return PGRES_POLLING_FAILED; + } + + /* + * If we don't have a certificate database, the system trust store is the + * fallback we can use. If we fail to initialize that as well, we can + * still attempt a connection as long as the sslmode isn't verify*. 
+ */ + if (!conn->cert_database && conn->sslmode[0] == 'v') + { + status = pg_load_nss_module(&ca_trust, ca_trust_name, "\"Root Certificates\""); + /* status = pg_load_nss_module(&ca_trust, ca_trust_name, "trust"); */ + if (status != SECSuccess) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("WARNING: unable to load NSS trust module \"%s\" : %s"), ca_trust_name, err); + return PGRES_POLLING_FAILED; + } + } + + + PK11_SetPasswordFunc(PQssl_passwd_cb); + + /* + * Import the already opened socket as we don't want to use NSPR functions + * for opening the network socket due to how the PostgreSQL protocol works + * with TLS connections. This function is not part of the NSPR public API, + * see the comment at the top of the file for the rationale of still using + * it. + */ + pr_fd = PR_ImportTCPSocket(conn->sock); + if (!pr_fd) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to attach to socket: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Most of the documentation available, and implementations of, NSS/NSPR + * use the PR_NewTCPSocket() function here, which has the drawback that it + * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which + * copes with IPv6 as well. + */ + model = SSL_ImportFD(NULL, PR_OpenTCPSocket(conn->laddr.addr.ss_family)); + if (!model) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to enable TLS: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* Disable old protocol versions (SSLv2 and SSLv3) */ + SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE); + SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE); + SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE); + +#ifdef SSL_CBC_RANDOM_IV + + /* + * Enable protection against the BEAST attack in case the NSS library has + * support for that. 
While SSLv3 is disabled, we may still allow TLSv1 + * which is affected. The option isn't documented as an SSL option, but as + * an NSS environment variable. + */ + SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE); +#endif + + /* Set us up as a TLS client for the handshake */ + SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); + + /* + * When setting the available protocols, we either use the user defined + * configuration values, and if missing we accept whatever is the highest + * version supported by the library as the max and only limit the range in + * the other end at TLSv1.0. ssl_variant_stream is a ProtocolVariant enum + * for Stream protocols, rather than datagram. + */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &desired_range); + desired_range.min = SSL_LIBRARY_VERSION_TLS_1_0; + + if (conn->ssl_min_protocol_version && strlen(conn->ssl_min_protocol_version) > 0) + { + int ssl_min_ver = ssl_protocol_version_to_nss(conn->ssl_min_protocol_version); + + if (ssl_min_ver == -1) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"), + conn->ssl_min_protocol_version); + return -1; + } + + desired_range.min = ssl_min_ver; + } + + if (conn->ssl_max_protocol_version && strlen(conn->ssl_max_protocol_version) > 0) + { + int ssl_max_ver = ssl_protocol_version_to_nss(conn->ssl_max_protocol_version); + + if (ssl_max_ver == -1) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"), + conn->ssl_max_protocol_version); + return -1; + } + + desired_range.max = ssl_max_ver; + } + + if (SSL_VersionRangeSet(model, &desired_range) != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to set allowed SSL protocol version range: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Set up callback for verifying server certificates, as well as for how + * to handle 
failed verifications. + */ + SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) conn); + SSL_BadCertHook(model, pg_bad_cert_handler, (void *) conn); + + /* + * Convert the NSPR socket to an SSL socket. Ensuring the success of this + * operation is critical as NSS SSL_* functions may return SECSuccess on + * the socket even though SSL hasn't been enabled, which introduce a risk + * of silent downgrades. + */ + conn->pr_fd = SSL_ImportFD(model, pr_fd); + if (!conn->pr_fd) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to configure client for TLS: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * The model can now we closed as we've applied the settings of the model + * onto the real socket. From hereon we should only use conn->pr_fd. + */ + PR_Close(model); + + /* Set the private data to be passed to the password callback */ + SSL_SetPKCS11PinArg(conn->pr_fd, (void *) conn); + + /* + * If a CRL file has been specified, verify if it exists in the database + * but don't fail in case it doesn't. + */ + if (conn->sslcrl && strlen(conn->sslcrl) > 0) + { + /* XXX: Implement me.. */ + } + + status = SSL_ResetHandshake(conn->pr_fd, PR_FALSE); + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to initiate handshake: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Set callback for client authentication when requested by the server. + */ + SSL_GetClientAuthDataHook(conn->pr_fd, pg_client_auth_handler, (void *) conn); + + /* + * Specify which hostname we are expecting to talk to. This is required, + * albeit mostly applies to when opening a connection to a traditional + * http server it seems. 
+ */ + SSL_SetURL(conn->pr_fd, (conn->connhost[conn->whichhost]).host); + + do + { + status = SSL_ForceHandshake(conn->pr_fd); + } + while (status != SECSuccess && PR_GetError() == PR_WOULD_BLOCK_ERROR); + + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + conn->ssl_in_use = true; + return PGRES_POLLING_OK; +} + +ssize_t +pgtls_read(PGconn *conn, void *ptr, size_t len) +{ + PRInt32 nread; + PRErrorCode status; + int read_errno = 0; + + nread = PR_Recv(conn->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT); + + /* + * PR_Recv blocks until there is data to read or the timeout expires. Zero + * is returned for closed connections, while -1 indicates an error within + * the ongoing connection. + */ + if (nread == 0) + { + read_errno = ECONNRESET; + return -1; + } + + if (nread == -1) + { + status = PR_GetError(); + + switch (status) + { + case PR_WOULD_BLOCK_ERROR: + read_errno = EINTR; + break; + + case PR_IO_TIMEOUT_ERROR: + break; + + /* + * The error cases for PR_Recv are not documented, but can be + * reverse engineered from _MD_unix_map_default_error() in the + * NSPR code, defined in pr/src/md/unix/unix_errors.c. + */ + default: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("TLS read error: %s"), + pg_SSLerrmessage(status)); + break; + } + } + + SOCK_ERRNO_SET(read_errno); + return (ssize_t) nread; +} + +/* + * pgtls_read_pending + * Check for the existence of data to be read. + * + * This is part of the PostgreSQL TLS backend API. + */ +bool +pgtls_read_pending(PGconn *conn) +{ + unsigned char c; + int n; + + /* + * PR_Recv peeks into the stream with the timeount turned off, to see if + * there is another byte to read off the wire. 
There is an NSS function + * SSL_DataPending() which might seem like a better fit, but it will only + * check already encrypted data in the SSL buffer, not still unencrypted + * data, thus it doesn't guarantee that a subsequent call to + * PR_Read/PR_Recv wont block. + */ + n = PR_Recv(conn->pr_fd, &c, 1, PR_MSG_PEEK, PR_INTERVAL_NO_WAIT); + return (n > 0); +} + +ssize_t +pgtls_write(PGconn *conn, const void *ptr, size_t len) +{ + PRInt32 n; + PRErrorCode status; + int write_errno = 0; + + n = PR_Write(conn->pr_fd, ptr, len); + + if (n < 0) + { + status = PR_GetError(); + + switch (status) + { + case PR_WOULD_BLOCK_ERROR: +#ifdef EAGAIN + write_errno = EAGAIN; +#else + write_errno = EINTR; +#endif + break; + + default: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("TLS write error: %s"), + pg_SSLerrmessage(status)); + write_errno = ECONNRESET; + break; + } + } + + SOCK_ERRNO_SET(write_errno); + return (ssize_t) n; +} + +/* + * Verify that the server certificate matches the hostname we connected to. + * + * The certificate's Common Name and Subject Alternative Names are considered. + */ +int +pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, + int *names_examined, + char **first_name) +{ + return 1; +} + +/* ------------------------------------------------------------ */ +/* PostgreSQL specific TLS support functions */ +/* ------------------------------------------------------------ */ + +/* + * TODO: this a 99% copy of the same function in the backend, make these share + * a single implementation instead. 
+ */ +static char * +pg_SSLerrmessage(PRErrorCode errcode) +{ + const char *error; + + error = PR_ErrorToName(errcode); + if (error) + return strdup(error); + + return strdup("unknown TLS error"); +} + +static SECStatus +pg_load_nss_module(SECMODModule * *module, const char *library, const char *name) +{ + SECMODModule *mod; + char *modulespec; + + modulespec = psprintf("library=\"%s\", name=\"%s\"", library, name); + + /* + * Attempt to load the specified module. The second parameter is "parent" + * which should always be NULL for application code. The third parameter + * defines if loading should recurse which is only applicable when loading + * a module from within another module. This hierarchy would have to be + * defined in the modulespec, and since we don't support anything but + * directly addressed modules we should pass PR_FALSE. + */ + mod = SECMOD_LoadUserModule(modulespec, NULL, PR_FALSE); + pfree(modulespec); + + if (mod && mod->loaded) + { + *module = mod; + return SECSuccess; + } + + SECMOD_DestroyModule(mod); + return SECFailure; +} + +/* ------------------------------------------------------------ */ +/* NSS Callbacks */ +/* ------------------------------------------------------------ */ + +/* + * pg_cert_auth_handler + * Callback for authenticating server certificate + * + * This is pretty much the same procedure as the SSL_AuthCertificate function + * provided by NSS, with the difference being server hostname validation. With + * SSL_AuthCertificate there is no way to do verify-ca, it only does the -full + * flavor of our sslmodes, so we need our own implementation. 
+ */ +static SECStatus +pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer) +{ + SECStatus status; + PGconn *conn = (PGconn *) arg; + char *server_hostname = NULL; + CERTCertificate *server_cert; + void *pin; + + Assert(!isServer); + + pin = SSL_RevealPinArg(conn->pr_fd); + server_cert = SSL_PeerCertificate(conn->pr_fd); + + status = CERT_VerifyCertificateNow((CERTCertDBHandle *) CERT_GetDefaultCertDB(), server_cert, + checksig, certificateUsageSSLServer, + pin, NULL); + + /* + * If we've already failed validation then there is no point in also + * performing the hostname check for verify-full. + */ + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to verify certificate: %s"), + pg_SSLerrmessage(PR_GetError())); + goto done; + } + + if (strcmp(conn->sslmode, "verify-full") == 0) + { + server_hostname = SSL_RevealURL(conn->pr_fd); + if (!server_hostname || server_hostname[0] == '\0') + goto done; + + /* + * CERT_VerifyCertName will internally perform RFC 2818 SubjectAltName + * verification. + */ + status = CERT_VerifyCertName(server_cert, server_hostname); + if (status != SECSuccess) + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to verify server hostname: %s"), + pg_SSLerrmessage(PR_GetError())); + + } + +done: + if (server_hostname) + PR_Free(server_hostname); + + CERT_DestroyCertificate(server_cert); + return status; +} + +/* + * pg_client_auth_handler + * Callback for client certificate validation + * + * The client auth callback is not on by default in NSS, so we need to invoke + * it ourselves to ensure we can do cert authentication. A TODO is to support + * running without a specified sslcert parameter. By retrieving all the certs + * via nickname from the cert database and see if we find one which apply with + * NSS_CmpCertChainWCANames() and PK11_FindKeyByAnyCert() we could support + * just running with a ssl database specified. 
+ * + * For now, we use the default client certificate validation which requires a + * defined nickname to identify the cert in the database. + */ +static SECStatus +pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames, + CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey) +{ + PGconn *conn = (PGconn *) arg; + + return NSS_GetClientAuthData(conn->sslcert, socket, caNames, pRetCert, pRetKey); +} + +/* + * pg_bad_cert_handler + * Callback for failed certificate validation + * + * The TLS handshake will call this function iff the server certificate failed + * validation. Depending on the sslmode, we allow the connection anyways. + */ +static SECStatus +pg_bad_cert_handler(void *arg, PRFileDesc * fd) +{ + PGconn *conn = (PGconn *) arg; + PRErrorCode err; + + /* + * This really shouldn't happen, as we've the the PGconn object as our + * callback data, and at the callsite we know it will be populated. That + * being said, the NSS code itself performs this check even when it should + * not be required so let's use the same belts with our suspenders. + */ + if (!arg) + return SECFailure; + + /* + * For sslmodes other than verify-full and verify-ca we don't perform peer + * validation, so return immediately. sslmode require with a database + * specified which contains a CA certificate will work like verify-ca to + * be compatible with the OpenSSL implementation. + */ + if (strcmp(conn->sslmode, "require") == 0) + { + if (conn->cert_database && strlen(conn->cert_database) > 0 && cert_database_has_CA(conn)) + return SECFailure; + } + if (conn->sslmode[0] == 'v') + return SECFailure; + + err = PORT_GetError(); + + /* + * TODO: these are relevant error codes that can occur in certificate + * validation, figure out which we dont want for require/prefer etc. 
+ */ + switch (err) + { + case SEC_ERROR_INVALID_AVA: + case SEC_ERROR_INVALID_TIME: + case SEC_ERROR_BAD_SIGNATURE: + case SEC_ERROR_EXPIRED_CERTIFICATE: + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_ISSUER: + case SEC_ERROR_UNTRUSTED_CERT: + case SEC_ERROR_CERT_VALID: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + case SEC_ERROR_CRL_EXPIRED: + case SEC_ERROR_CRL_BAD_SIGNATURE: + case SEC_ERROR_EXTENSION_VALUE_INVALID: + case SEC_ERROR_CA_CERT_INVALID: + case SEC_ERROR_CERT_USAGES_INVALID: + case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: + return SECSuccess; + break; + default: + return SECFailure; + break; + } + + /* Unreachable */ + return SECSuccess; +} + +/* ------------------------------------------------------------ */ +/* SSL information functions */ +/* ------------------------------------------------------------ */ + +/* + * PQgetssl + * + * Return NULL as this is legacy and defined to always be equal to calling + * PQsslStruct(conn, "OpenSSL"); This should ideally trigger a logged warning + * somewhere as it's nonsensical to run in a non-OpenSSL build, but the color + * of said bikeshed hasn't yet been determined. + */ +void * +PQgetssl(PGconn *conn) +{ + return NULL; +} + +void * +PQsslStruct(PGconn *conn, const char *struct_name) +{ + if (!conn) + return NULL; + + /* + * Return the underlying PRFileDesc which can be used to access + * information on the connection details. There is no SSL context per se. 
+ */ + if (strcmp(struct_name, "NSS") == 0) + return conn->pr_fd; + return NULL; +} + +const char *const * +PQsslAttributeNames(PGconn *conn) +{ + static const char *const result[] = { + "library", + "cipher", + "protocol", + "key_bits", + "compression", + NULL + }; + + return result; +} + +const char * +PQsslAttribute(PGconn *conn, const char *attribute_name) +{ + SECStatus status; + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + + if (!conn || !conn->pr_fd) + return NULL; + + if (strcmp(attribute_name, "library") == 0) + return "NSS"; + + status = SSL_GetChannelInfo(conn->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + return NULL; + + status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)); + if (status != SECSuccess) + return NULL; + + if (strcmp(attribute_name, "cipher") == 0) + return suite.cipherSuiteName; + + if (strcmp(attribute_name, "key_bits") == 0) + { + static char key_bits_str[8]; + + snprintf(key_bits_str, sizeof(key_bits_str), "%i", suite.effectiveKeyBits); + return key_bits_str; + } + + if (strcmp(attribute_name, "protocol") == 0) + { + switch (channel.protocolVersion) + { +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + case SSL_LIBRARY_VERSION_TLS_1_3: + return "TLSv1.3"; +#endif +#ifdef SSL_LIBRARY_VERSION_TLS_1_2 + case SSL_LIBRARY_VERSION_TLS_1_2: + return "TLSv1.2"; +#endif +#ifdef SSL_LIBRARY_VERSION_TLS_1_1 + case SSL_LIBRARY_VERSION_TLS_1_1: + return "TLSv1.1"; +#endif + case SSL_LIBRARY_VERSION_TLS_1_0: + return "TLSv1.0"; + default: + return "unknown"; + } + } + + /* + * NSS disabled support for compression in version 3.33, and it was only + * available for SSLv3 at that point anyways, so we can safely return off + * here without checking. 
+ */ + if (strcmp(attribute_name, "compression") == 0) + return "off"; + + return NULL; +} + +static int +ssl_protocol_version_to_nss(const char *protocol) +{ + if (pg_strcasecmp("TLSv1", protocol) == 0) + return SSL_LIBRARY_VERSION_TLS_1_0; + +#ifdef SSL_LIBRARY_VERSION_TLS_1_1 + if (pg_strcasecmp("TLSv1.1", protocol) == 0) + return SSL_LIBRARY_VERSION_TLS_1_1; +#endif + +#ifdef SSL_LIBRARY_VERSION_TLS_1_2 + if (pg_strcasecmp("TLSv1.2", protocol) == 0) + return SSL_LIBRARY_VERSION_TLS_1_2; +#endif + +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + if (pg_strcasecmp("TLSv1.3", protocol) == 0) + return SSL_LIBRARY_VERSION_TLS_1_3; +#endif + + return -1; +} + +static bool +cert_database_has_CA(PGconn *conn) +{ + CERTCertList *certificates; + bool hasCA; + + /* + * If the certificate database has a password we must provide it, since + * this API doesn't invoke the standard password callback. + */ + if (has_password) + certificates = PK11_ListCerts(PK11CertListCA, PQssl_passwd_cb(NULL, PR_FALSE, (void *) conn)); + else + certificates = PK11_ListCerts(PK11CertListCA, NULL); + hasCA = !CERT_LIST_EMPTY(certificates); + CERT_DestroyCertList(certificates); + + return hasCA; +} + +PQsslKeyPassHook_nss_type +PQgetSSLKeyPassHook_nss(void) +{ + return PQsslKeyPassHook; +} + +void +PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook) +{ + PQsslKeyPassHook = hook; +} + +/* + * Supply a password to decrypt a client certificate. + * + * This must match NSS type PK11PasswordFunc. + */ +static char * +PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg) +{ + has_password = true; + + if (PQsslKeyPassHook) + return PQsslKeyPassHook(slot, (PRBool) retry, arg); + else + return PQdefaultSSLKeyPassHook_nss(slot, retry, arg); +} + +/* + * The default password handler callback. 
+ */ +char * +PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg) +{ + PGconn *conn = (PGconn *) arg; + + /* + * If the password didn't work the first time there is no point in + * retrying as it hasn't changed. + */ + if (retry != PR_TRUE && conn->sslpassword && strlen(conn->sslpassword) > 0) + return PORT_Strdup(conn->sslpassword); + + return NULL; +} diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 3311fd7a5b..b6c92ece11 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -430,6 +430,9 @@ PQsslAttributeNames(PGconn *conn) return result; } +#endif /* USE_SSL */ + +#ifndef USE_OPENSSL PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void) @@ -448,7 +451,7 @@ PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn) { return 0; } -#endif /* USE_SSL */ +#endif /* USE_OPENSSL */ /* Dummy version of GSSAPI information functions, when built without GSS support */ #ifndef ENABLE_GSS diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h index 3b6a9fbce3..27c16e187f 100644 --- a/src/interfaces/libpq/libpq-fe.h +++ b/src/interfaces/libpq/libpq-fe.h @@ -625,6 +625,17 @@ extern PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void); extern void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook); extern int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn); +/* == in fe-secure-nss.c === */ +typedef struct PK11SlotInfoStr PK11SlotInfo; +typedef int PRIntn; +typedef PRIntn PRBool; + +/* Support for overriding sslpassword handling with a callback. */ +typedef char *(*PQsslKeyPassHook_nss_type) (PK11SlotInfo * slot, PRBool retry, void *arg); +extern PQsslKeyPassHook_nss_type PQgetSSLKeyPassHook_nss(void); +extern void PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook); +extern char *PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg); + #ifdef __cplusplus } #endif 
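Review bot: The libpq-fe.h hunk makes the public header define `PRIntn`, `PRBool` and `PK11SlotInfo` itself, so an application that includes both libpq-fe.h and the NSPR/NSS headers gets the same typedefs twice; C99 rejects a repeated typedef, and C11 accepts it only while the two definitions stay identical to NSPR's, which this file cannot guarantee. The OpenSSL hook just above avoids the issue by keeping library types out of its signature (`char *buf, int size, PGconn *conn`); the NSS hook could do the same with `typedef char *(*PQsslKeyPassHook_nss_type) (void *slot, int retry, void *arg);` and a cast back to `PK11SlotInfo *` in fe-secure-nss.c. If the NSS types are kept in the ABI, the typedef block should at least carry a comment such as `/* Local copies of NSPR's PRIntn/PRBool and NSS's PK11SlotInfo so callers need not include NSS headers; must match the library definitions exactly. */`.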
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 1de91ae295..12717ca720 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -362,6 +362,7 @@ struct pg_conn char *sslpassword; /* client key file password */ char *sslrootcert; /* root certificate filename */ char *sslcrl; /* certificate revocation list filename */ + char *cert_database; char *requirepeer; /* required peer credentials for local sockets */ char *gssencmode; /* GSS mode (require,prefer,disable) */ char *krbsrvname; /* Kerberos service name */ @@ -485,6 +486,10 @@ struct pg_conn * OpenSSL version changes */ #endif #endif /* USE_OPENSSL */ + +#ifdef USE_NSS + void *pr_fd; +#endif /* USE_NSS */ #endif /* USE_SSL */ #ifdef ENABLE_GSS diff --git a/src/test/Makefile b/src/test/Makefile index efb206aa75..d18f5a083b 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -27,7 +27,7 @@ ifneq (,$(filter ldap,$(PG_TEST_EXTRA))) SUBDIRS += ldap endif endif -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),yes) ifneq (,$(filter ssl,$(PG_TEST_EXTRA))) SUBDIRS += ssl endif diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile index 777ee39413..fe265e2dbd 100644 --- a/src/test/ssl/Makefile +++ b/src/test/ssl/Makefile @@ -14,6 +14,7 @@ top_builddir = ../../.. include $(top_builddir)/src/Makefile.global export with_openssl +export with_nss CERTIFICATES := server_ca server-cn-and-alt-names \ server-cn-only server-single-alt-name server-multiple-alt-names \ 
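Review bot: The new `cert_database` member in the first libpq-int.h hunk is the only field in this run of `struct pg_conn` without a trailing comment, so a reader cannot tell what it holds or which connection parameter feeds it; `char *cert_database; /* NSS certificate database location */` would match the neighbouring fields, and the parameter name should be added once it is settled. The `pr_fd` member in the second hunk deserves the same treatment, e.g. `void *pr_fd; /* NSS PRFileDesc for the connection, kept as void * so NSPR types stay out of this header */` — the `void *` choice is presumably deliberate, but nothing says so.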
@@ -30,6 +31,32 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \ ssl/client+client_ca.crt ssl/client-der.key \ ssl/client-encrypted-pem.key ssl/client-encrypted-der.key +# Even though we in practice could get away with far fewer NSS databases, they +# are generated to mimick the setup for the OpenSSL tests in order to ensure +# we isolate the same behavior between the backends. The database name should +# contain the files included for easier test suite code reading. +NSSFILES := ssl/nss/client_ca.crt.db \ + ssl/nss/server_ca.crt.db \ + ssl/nss/root+server_ca.crt.db \ + ssl/nss/root+client_ca.crt.db \ + ssl/nss/client.crt__client.key.db \ + ssl/nss/client-revoked.crt__client-revoked.key.db \ + ssl/nss/server-cn-only.crt__server-password.key.db \ + ssl/nss/server-cn-only.crt__server-cn-only.key.db \ + ssl/nss/root.crl \ + ssl/nss/server.crl \ + ssl/nss/client.crl \ + ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db \ + ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db \ + ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db \ + ssl/nss/server-no-names.crt__server-no-names.key.db \ + ssl/nss/server-revoked.crt__server-revoked.key.db \ + ssl/nss/root+client.crl \ + ssl/nss/client+client_ca.crt__client.key.db \ + ssl/nss/client.crt__client-encrypted-pem.key.db \ + ssl/nss/root+server_ca.crt__server.crl.db \ + ssl/nss/root+server_ca.crt__root+server.crl.db + # This target re-generates all the key and certificate files. Usually we just # use the ones that are committed to the tree without rebuilding them. # 
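Review bot: Typo in the comment introducing `NSSFILES`: `mimick` should be `mimic`. The sentence `The database name should contain the files included for easier test suite code reading` reads as a naming rule rather than a description of the list that follows; `Each database is named after the certificate and key files it was built from, so the test code reads naturally` states what the list actually does.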
@@ -37,6 +64,10 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \ # sslfiles: $(SSLFILES) +# Generate NSS certificate databases corresponding to the OpenSSL certificates. +# This target will fail unless preceded by nssfiles-clean. +nssfiles: $(NSSFILES) + # OpenSSL requires a directory to put all generated certificates in. We don't # use this for anything, but we need a location. ssl/new_certs_dir: @@ -64,6 +95,24 @@ ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir rm ssl/temp_ca.crt ssl/temp_ca_signed.crt echo "01" > ssl/$*_ca.srl +ssl/nss/%_ca.crt.db: ssl/%_ca.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n $*_ca.crt -i ssl/$*_ca.crt -t "CT,C,C" + +ssl/nss/root+server_ca.crt__server.crl.db: ssl/root+server_ca.crt ssl/nss/server.crl + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C" + crlutil -I -i ssl/nss/server.crl -d $@ -B + +ssl/nss/root+server_ca.crt__root+server.crl.db: ssl/root+server_ca.crt ssl/nss/root.crl ssl/nss/server.crl + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C" + crlutil -I -i ssl/nss/root.crl -d $@ -B + crlutil -I -i ssl/nss/server.crl -d $@ -B + # Server certificates, signed by server CA: ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config 
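Review bot: In the two CRL database rules of the second hunk, `crlutil` is invoked with `-d $@` while every `certutil` call in the same recipe uses `-d "sql:$@"`; on NSS releases where the legacy dbm format is still the default database type (older than 3.35, if I recall correctly) the CRL would be written to a cert8.db next to the sql database and never be seen by a reader of cert9.db. Suggest `crlutil -I -i ssl/nss/server.crl -d "sql:$@" -B` (and likewise for root.crl) so both tools address the same store. The nicknames are also inconsistent: the `%_ca.crt.db` rule registers the CA as `$*_ca.crt`, whereas the CRL databases register it as `ssl/root+server_ca.crt` with the path prefix; since certificates are later looked up by nickname, one convention across all databases would avoid surprises. Finally, `nssfiles` should be declared `.PHONY` like `nssfiles-clean`, and the "will fail unless preceded by nssfiles-clean" caveat in the first hunk could be removed by starting each database recipe with `rm -rf $@`.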
@@ -77,6 +126,74 @@ ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only. openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config rm ssl/server-ss.csr +ssl/nss/server-cn-only.crt__server-password.key.db: ssl/server-cn-only.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-password.pfx -inkey ssl/server-password.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passin 'pass:secret1' -passout pass: + pk12util -i ssl/nss/server-password.pfx -d $@ -W '' + +ssl/nss/server-cn-only.crt__server-cn-only.key.db: ssl/server-cn-only.crt ssl/server-cn-only.key + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-cn-only.pfx -inkey ssl/server-cn-only.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passout pass: + pk12util -i ssl/nss/server-cn-only.pfx -d $@ -W '' + +ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db: ssl/server-multiple-alt-names.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-multiple-alt-names.crt -i ssl/server-multiple-alt-names.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t 
"CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-multiple-alt-names.pfx -inkey ssl/server-multiple-alt-names.key -in ssl/server-multiple-alt-names.crt -certfile ssl/server-multiple-alt-names.crt -passout pass: + pk12util -i ssl/nss/server-multiple-alt-names.pfx -d $@ -W '' + +ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db: ssl/server-single-alt-name.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-single-alt-name.crt -i ssl/server-single-alt-name.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-single-alt-name.pfx -inkey ssl/server-single-alt-name.key -in ssl/server-single-alt-name.crt -certfile ssl/server-single-alt-name.crt -passout pass: + pk12util -i ssl/nss/server-single-alt-name.pfx -d $@ -W '' + +ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db: ssl/server-cn-and-alt-names.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-cn-and-alt-names.crt -i ssl/server-cn-and-alt-names.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-cn-and-alt-names.pfx -inkey ssl/server-cn-and-alt-names.key -in ssl/server-cn-and-alt-names.crt -certfile ssl/server-cn-and-alt-names.crt -passout pass: + pk12util -i ssl/nss/server-cn-and-alt-names.pfx -d $@ -W '' + +ssl/nss/server-no-names.crt__server-no-names.key.db: ssl/server-no-names.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-no-names.crt -i ssl/server-no-names.crt 
-t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-no-names.pfx -inkey ssl/server-no-names.key -in ssl/server-no-names.crt -certfile ssl/server-no-names.crt -passout pass: + pk12util -i ssl/nss/server-no-names.pfx -d $@ -W '' + +ssl/nss/server-revoked.crt__server-revoked.key.db: ssl/server-revoked.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/server-revoked.crt -i ssl/server-revoked.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/server-revoked.pfx -inkey ssl/server-revoked.key -in ssl/server-revoked.crt -certfile ssl/server-revoked.crt -passout pass: + pk12util -i ssl/nss/server-revoked.pfx -d $@ -W '' + # Password-protected version of server-cn-only.key ssl/server-password.key: ssl/server-cn-only.key openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1' 
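Review bot: In the server-multiple-alt-names, server-single-alt-name, server-cn-and-alt-names, server-no-names and server-revoked rules, `openssl pkcs12 -export` is given the leaf certificate itself as `-certfile` (for example `-certfile ssl/server-multiple-alt-names.crt`), whereas the two server-cn-only rules pass `-certfile ssl/server_ca.crt`; the bundles for those five carry no issuer certificate, which is harmless here only because `server_ca.crt` is added by certutil separately, and looks like a copy-paste slip — suggest `-certfile ssl/server_ca.crt` throughout. These same rules list only the `.crt` as a prerequisite although the recipe reads the matching `.key`, so a regenerated key will not trigger a rebuild; `server-cn-only.crt__server-cn-only.key.db` shows the right prerequisite form, and the client database rules in the following hunks have the same gap. For the `server-password.key` database the encrypted key is unwrapped with `-passin 'pass:secret1'` and imported into a store created with `--empty-password`, so the resulting database is not itself password protected; if that is intended, a comment such as `# The key password is stripped on import; this database only mirrors the OpenSSL file set, it does not exercise password prompting.` would save the next reader from assuming otherwise.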
@@ -88,6 +205,27 @@ ssl/client.crt: ssl/client.key ssl/client_ca.crt openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert rm ssl/client.csr ssl/temp.crt +# Client certificate, signed by client CA +ssl/nss/client.crt__client.key.db: ssl/client.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/client.crt -i ssl/client.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n root+client_ca.crt -i ssl/root+client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass: + pk12util -i ssl/nss/client.pfx -d $@ -W '' + +# Client certificate with encrypted key, signed by client CA +ssl/nss/client.crt__client-encrypted-pem.key.db: ssl/client.crt + $(MKDIR_P) $@ + echo 'dUmmyP^#+' > $@.pass + certutil -d "sql:$@" -N -f $@.pass + certutil -d "sql:$@" -A -f $@.pass -n ssl/client.crt -i ssl/client.crt -t "CT,C,C" + certutil -d "sql:$@" -A -f $@.pass -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -f $@.pass -n root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/client-encrypted-pem.pfx -inkey ssl/client-encrypted-pem.key -in ssl/client.crt -certfile ssl/client_ca.crt -passin pass:'dUmmyP^#+' -passout pass:'dUmmyP^#+' + pk12util -i ssl/nss/client-encrypted-pem.pfx -d $@ -W 'dUmmyP^#+' -k $@.pass + # Another client certificate, signed by the client CA. This one is revoked. ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config 
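Review bot: The `client.crt__client-encrypted-pem.key.db` rule adds `root+server_ca.crt` to a client-side database, while its sibling `client.crt__client.key.db` two recipes above adds `root+client_ca.crt`; unless the server CA is wanted in this particular store, this looks like a copy-paste slip and should read `certutil -d "sql:$@" -A -f $@.pass -n root+client_ca.crt -i ssl/root+client_ca.crt -t "CT,C,C"`. The same rule reads `ssl/client-encrypted-pem.key` but lists only `ssl/client.crt` as a prerequisite, so a regenerated key does not rebuild the database. The literal `dUmmyP^#+` is repeated four times in one recipe; a single `NSS_TEST_PASS := dUmmyP^#+` variable would keep the password file, the pkcs12 export and the pk12util import in step.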
@@ -95,6 +233,14 @@ ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert rm ssl/client-revoked.csr ssl/temp.crt +ssl/nss/client-revoked.crt__client-revoked.key.db: ssl/client-revoked.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/client-revoked.crt -i ssl/client-revoked.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/client-revoked.pfx -inkey ssl/client-revoked.key -in ssl/client-revoked.crt -certfile ssl/client_ca.crt -passout pass: + pk12util -i ssl/nss/client-revoked.pfx -d $@ -W '' + # Convert the key to DER, to test our behaviour there too ssl/client-der.key: ssl/client.key openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key 
@@ -127,19 +273,40 @@ ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt cat $^ > $@ +# Client certificate, signed by client CA +ssl/nss/client+client_ca.crt__client.key.db: ssl/client+client_ca.crt + $(MKDIR_P) $@ + certutil -d "sql:$@" -N --empty-password + certutil -d "sql:$@" -A -n ssl/client+client_ca.crt -i ssl/client+client_ca.crt -t "CT,C,C" + certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C" + openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass: + pk12util -i ssl/nss/client.pfx -d $@ -W '' + #### CRLs ssl/client.crl: ssl/client-revoked.crt openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl +ssl/nss/client.crl: ssl/client.crl + openssl crl -in $^ -outform der -out $@ + ssl/server.crl: ssl/server-revoked.crt openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl +ssl/nss/server.crl: ssl/server.crl + openssl crl -in $^ -outform der -out $@ + ssl/root.crl: ssl/root_ca.crt openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl +ssl/nss/root.crl: ssl/root.crl + openssl crl -in $^ -outform der -out $@ + +ssl/nss/root+client.crl: ssl/root+client.crl + openssl crl -in $^ -outform der -out $@ + # If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the # chain, even if some of them are empty. ssl/root+server.crl: ssl/root.crl ssl/server.crl 
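Review bot: The `client+client_ca.crt__client.key.db` rule writes its intermediate bundle to `ssl/nss/client.pfx`, the same path the `client.crt__client.key.db` rule writes; under `make -j` the two recipes can race on that file, and a reader of `pk12util -i ssl/nss/client.pfx` cannot tell which rule produced it. A per-rule name such as `ssl/nss/client+client_ca.pfx` in both the `openssl pkcs12 -export -out` and the `pk12util -i` lines removes the overlap. The comment `# Client certificate, signed by client CA` is also a verbatim copy of the earlier rule's; `# Client certificate concatenated with its CA, signed by client CA` would say what differs.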
@@ -151,9 +318,14 @@ ssl/root+client.crl: ssl/root.crl ssl/client.crl sslfiles-clean: rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt +.PHONY: nssfiles-clean +nssfiles-clean: + rm -rf ssl/nss + clean distclean maintainer-clean: rm -rf tmp_check rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key + rm -rf ssl/nss # Doesn't depend on $(SSLFILES) because we don't rebuild them by default check: 
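Review bot: `clean distclean maintainer-clean` now runs `rm -rf ssl/nss`, which removes the whole NSS fixture tree rather than only build output; if the generated databases and CRLs are checked in the way the OpenSSL files are, a plain `make clean` deletes committed fixtures and the suite then needs certutil, pk12util and crlutil just to run again. The OpenSSL side keeps that destructive step in the separate `sslfiles-clean` target for exactly this reason, and `nssfiles-clean` already plays that role here. Suggest dropping `rm -rf ssl/nss` from the `clean` recipe, or narrowing it to intermediates such as `rm -f ssl/nss/*.pfx`.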
diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..e8d1510529438b26c31e0880163aa391bd1870d0 GIT binary patch literal 36864 zcmeI53tSUN9>;g{B0Rz(pdea^ih_W;c|mxnJVXjc3=dIM#1J9|fmo6t*cK(C_-IA& zd>vW@v{=DHMFd|}u7%duS*=*LQn6agDTRuy;;Y`wCLmJnohR4NT{{cA`=6be-_Cq@ z_MgmTHi-z6C^ZW1TvckaOv4pm78s6WzFaPbVQjD(gSBg60)x>N0DHWL{UVc%jV8S~ zL?^~F`2{mGChAQaOqZDYf&f|&0Ym^1Km-s0L;w*$1Q3DWoq#WkWn<%jM=Mj}73uQ% zGG%;Y-GtwTjek z5ymqj`pDiIV&2FcPu$4H!2w_6r;)`aDY~|_0t)Y1O@=?lsy-g|eDP=yT%%_z3lro=E=2OZ7DwlxDC7^N%s9XXnmpc{f zPQ|)YvF=o?yFQlEbf+{usFV~R9tDU`)s#=dynL#re5$lU5-fZkJZvzbu7FA{pi&E{ z)F6^dqE86Z2q{uR5}sQ~krGm*gw$Du)LDhpbrDf{MUYj(Ms$WTbC60(_5aP+V&)f!;pR=|Yl#{n`G2*7s9cBuB7g`W0*C-2 zfCwN0hyWsh2p|G~90Ea%EDN0U<&7hKSoEn3x|t|aq1JFyRVocPzz;sB&XuavnuJtE zM3{sd5h3BGDnLN3R;p6C8kkhA1=HVI3_6B0`$&w@M>_OiMwT^B`ty9rar(-6P?h`l z>LpK7DpE9Dxgu4gro9f7jQc`K|M|Z!MqDBCiR;8h!k1X}$7xNdCWrtcfCwN0hyWsh z2p|H803v`0AOeU$-w^1tEPH<+)#@ZT zRH9WYQuY0REkKigh1rb055CKF05kLeG0Ym^1Km-s0L;w-^lN0c! zFT(%BPyV}y2@Jyp3_H3Q2mSdmaE62{=+LJrQe)+^(ehLc-H?Rp|HCBu83eBSogtCF z|Gy3+t`YUbaiWDNC)WMRuMVm{B7g`W0*C-2fCwN0hyWsh2p|H803z^v5U`~S@kkZ# z+Odq2p~{9I8a`ms!Y+q@oW_C?zB_MU4EWe2LlT7>iQYS2$69kDP(Nh=#4 z`nLwsKDo)>`S^`@*bA!2dmgr6e<* zVQp@1*}EpzmO{)N{9%|mh_%c%!+Is5qI&0gnK1Yk68PhwG#mpHnqWq-d!F;b!2;vJ z|K8QxMi+G)^<^A!jJB=!&ATW%Iby$cRIb=hX3sS%#X~K!hF*2Oes@BC;P)faH##pI zmE?Abx$E3fRl)RmUaTQevFg*;8&qy7pMLrzHMH{DLiX_zPh)mtehFuYR(Gi(WbSUA zS2;gpigYv6@{_9r%-@~-I69mc=l5OqhEWc_TaT=3J2@-l`Q>3T}?AsZe_MFYt1BFpry?v9cn&qu-&BJ#%>#K3liPl+^~!JmsG7!Gz_S zDB<|sX7heHvtixh!I`F3>EYr*DN9$b{HY@^?Ak#x?5l4DZVP!uYgdn-HcWYLmtfq? 
zzYmSDJ99^lgP&8ybyke0mn_Rd{4&hJ)qJVs)?k4d%!O`n#{^#!^Y@5=2%KnofPtf zhF~9@L5C0RS!|q%(RDb1kviOjrUNkcy>-506=U-oI-k+*x&y6i*jAUXyuR_?={&KynRPiNRuq|mMv4Twt9CyGL7~5-~;6l z*#pOOH*9mA|5h$--Q!_AEIrJ4-GtMvww0>g+GQ&rFsAr^SC})=!8@@&YXO_AU3PQU zhEtDci%+k4cUAr4)~dQHyAi>x`9JdG%kR}~$}M~S%l*2>O_^q{Rk&BZL&$u5&*GLG zNB;o9xZ;>G{xe+#D_2qqd&u)NvR4eoG4x77`b3&4H1!}w8%oBH}w#@k~%dT;NW98J^oNun>MpaKJ z+b$`~7W)m|acDtF$cg&Sc5Uh1)m~e&3ry|Kw=7s5d#3VHn)|1B1*_NDx6V84vvUl? zq~`H~ukGLb_Lxb%ZPEqX&vm1$M(>HrSoUa1)jjQ~!fEWl2b(LRB^Q?Ob9*wI<5|4l zVeZ2_g1qahLwPM*E}e1An58qFK6pt*oXe1Vok!hlM${D+O%BS9DzD9M&T{(ZzH#~$ z=ZJK2JEm=3Xwf#CxrE*XZ>U#qkuSKlUj0Gg=e%Rabu?NJKWyFW<*}EC_*L-b{LQcY zuqy1SAMT4sg~4lVPnQdAjCH9^ThG=xKMEROR+qtVKPl_ybL?}IYU0|VeGHw~Yh~Uu zF6PMb4Cr=!u+?tB?LI@n=fCcCRZ_s!;B}w(xh3$qCxJKGOT+PAH(g&m72V6jik|hb zq8TrmO$|!)+kW%U{x*m5o4qa=Z#qRfl zOb(m-ubai9cwqOsw@0>bodxxE! zRn68h#YVxaTcy^k3a9N66nh)Frra|7h1dtZNME#Ect5;gs{eD}fy4ekZkmgMf3zS1 zhyWsh2p|H803v`0AOeWM?@M4s3X2-+T!g(d8jf}L9D2yI{%`lX!Iy`F>VjVPe>gcA z42E(*7x-uWU?@)O)zN$PQJ{a>FYki^lYiNVKlr_U$9_)cl8RxCB?ky)!|~*gE?iAm z?X4)ZC)O)Atm<%$o0WRYVn}9nOfLKK4f!asOQTD4l4eZ)xuBcIe`))wg?Ywl;&*jz zPVvc0R}HP)yX@;^)i3i2@fUWDUly43FLyG2?@slM0egNiN-Ey*bM;t>g}hkV%j%aYGP-e-8epN|G4do7TuP5i!b9()-tvZ z!GdC>;+Q$U1yx~Xw2iG63sUOR3N%AH&yQt3k!;C3k*ZCo+o+hixv4d?PGavd`~FZ_ z+2CEbZ1cwy$_woWy39}bIdYBcqxTt3ep=nZKo6(krjK7@?9;v~r(?l`rkbx~gj2ld zx6|f1FQ$)~o)D7!P20+?xq&-IKHOaAwY2tR-Q`SE&yi>8lWj_eVYW2?TaNNc$CDpy zx^TT!OPByS8!TH>u$emDc<(k5A4wQKV9#i(PA`mo0ZHPlZzb#b952>9ja@MZ@rp#2-s;M~8IUyB(9tt2sxj={07D{r#cyc=c8fK3V9C Lp@HYkDZu{;Ke*53 literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..44e6fcf5307a8b2e6cbf9878b157d7cb3e3a3f25 GIT binary patch literal 36864 zcmeI5eLPeB|Hn78&9F@rDKaaS3ptx@Zp&R1LWB}s+88YoHjQo#xk(8XQYl@!AtIED zQf{h?N_ADbQ<1J*b;*}Ys8qk5Gk&h?TaD}Y-*x>y$M!kzbKalN>%2bCbA0CPJe;${ zZ4pnvr39{xSi=@jj8IA_G#X_^p`cJG!th%>LnfTKlpT)Y8TwE0_d)_{4rE3o52EDc z-BF6N3Tj_CYH62eWwrp?v=02;MrjfQuhC=ioBmZW#qh!WKp=P-e4f5M9>_ zi)buGG(y-MZpdgA++Q@1h7UWVMF4#c)zjf;yl4V1njnjC6%z(rFyVp)7sha50vD!m!G;Tt zxG+VeAW4ZRLa+u6l57W7p+T?=4T5!O5G+K4U?my^OVJ=$iw41BG{_$=hwVxHAA>7a5 z5C%9L!W1PT0%bTHZHC|(UOU>1HPVbVYDXN7*b#>#cEsU`9dS6KD-K8Oh{F+Garh@) z_?Uq=EM5yAIKv@)^bCjaAv7EYjE3CNFz|mvoSa3$Z<Av|uVKu7bQpRCCWig5h;)((;Ul7UXMpzy1 zd1!l4K6;TC8qdsayo^h2vO~iY>IiDN_*Ic|Xii@5B`evQ8Qzl{tkNGcug^R;(QBuP zHG3LG@fg}gNknba>*$}KVfSigRMu>vL5Th%Y~kHYYxgZ%WroxC^5ZvmTv@9hT3`Pq z!lm?uP_FSOQ-a*RjGu_wk+F}iI0hESnibKbT^H}gD%Z8Cl6E+M@^+_jtY5}w8faM^ zsM+=Q`tfs|Ti(NpBgs&=5<6X^e%Hl zU@fiI#CprQfe$)nC3_59N{()}HNCpIfK|=MJSQ95IftgH5}Zvgoo=pUCFW@BpOM9! 
z;@QTu2)KLHA1veE5+vm%Wp!aZ58zGC-#cir^KRLmrcdZ(1%=q#8k0&O#7(BUJ{wi_efvm*-s4Jn^9e4Jxd+APpR8}*&w|eQG z_BK4OZu8#5*@Fba&bJ!*zs33Q?+fY}RI@&AxvYVw8SWD&*!b&D_w1@?Ow)R)y0aaV zt4VVU^2VQuxqZ1eEA4ajdScXLpI2VJzfr1k$sbobzuB+Cc)rQE91@-W1~{7c#eHD~ zEg4G#-I?euJFei3b8s*?QPLAR?{)pN((SER*j*Utr6^$svEerdS9@hrrdeXo-90XIss`BJsWBY-gLL=zRO6CEdBDr;eQU4W_xN40g$x zU-hVRGlO>fgzRLL&3r7MHnGBK?Yg}cEBEh^iBEc>z;0YzK6KPPO*!tJ4`FdiPwH`Z zPO`zPeu5u=+O73demU`0*TJdy$UDFH_pPf^jq|92DEsxM_hjN%1s50U*Jaq5SyX_-;9uyf7Y@Jjm)>&Z6;chyULYbQSK&OJZ3&Li|xuqy8; z^En~NK^VXFQ`(K}r9uY{t=2b#(QOwsqjv{($<$p44LFixuGGu!SWtaI*1qYL9a`vd zsSLI8ou}o+mV)esg7W<8gr~a~X8js`>}_ZgdVX-6m7d-8A7YDAg(b%nHT|3H3U;U2 zy}i+OZE)_alRul1K8lXc>s|D&@!P)9$-ey_&-SOdYMRV0zwwN^VEv&t65sn~%#FXG z@}Gqq59Uc1bbG*MVSYt%PNB&wXN^ZHLLqVOyIb#6d~guk-DwN#9FZ`JZq57OHqR&8cv2J{0G3=SBo;k~)8m zp2RoaFqWLBLtSnYbT=;DKe!+Lc|dMc@rC@`r#N$}FFy^byIP`m)b00cTADKYoJ}e| zF?O`FF5=G&(>WKN`(%YfmkqBz&&aL(u!EUv81kh`S7F(!dQFX$7E`^40!xYB26wji zq&QS|O$|%t*~gompoo7z@Jp{__o-|NoQsEbtBp00MvjAOHve0)PM@00;mAfB+x>2#gYd z&;P%7R~*Ute2mk_r03ZMe00MvjAOHve0)PM@@XsWmhG7uCb(dTC z{{Jencog{{=>y4=SV~k-3{<$Rpdl|L+#wjqCE;J-=i&BZ-(lTki^SEy1PA~E|2_gD zstVRRRvE?T1^M}NBLsdBljhG7KW@ZN^3)MJ9TLSrzBt10?VqtE$Q804T~ve^vXl#5 zsp)l}ooVS0y$+e*oXTFM$yNLCuAs~Fx%z^~Jk~|=?O$ck6i6N?CsC0h{5h7Te0*Yd zYmZ;Dle^~RFZowvR10r4b?<4-IZ4W|-ZigP`H+aJEZrnD4wG+Vo~?-KH97h;)RpXT zmRRF-bg-_1*h+je3vW0#K=bHWCbzHgSaK>nqu#Hh*rWDvLNwt`aPZ!H$KE7g;r$V2 ztE(o`o`AI+CK=3)9svpc9gwFVd7SWk)8{EaZwGs8O;~GBy$)Y-smt}q1j7pojd4rH z@;GGEHS75-;{6*hF3++K+~X+s?8lr->QP5*Oh-5~Z5tFvnpsE77Y(O=j-EEX6<6=bXQE;JnM=IzRtkod_=F z<$Dsp+!@QHAgom2+qSbJt6zug_$w>>^{T9kuiGa+ZHg*Vu6)?+=KG zW2&iF(q}dd9O5k7t)3>LDo8cSVT{9MCPuThRe0E{^x*E~U%HtuON(BpZ@wJ#xN!Z# zf?sSO)Q)A+EAc|wW`}sYw9JswQLwSUUb7hXps zpU$$%yc4XEWUiO*7_nSUL?uWyDgNjg+vIDHh>|HaKd<(v+o<@uR|%tq6P5jL!a$lQd1u|)W zX9%h^j&tf>@l3&OUrp(X6urVK3R;0t{@(t#P;)E%5R^HVNy{hP$G`v4JN4w-r8fD_ z$9*^5>O7M7`9N;u(0zPtquT=!6))Z7c!r=^{oZA_>`Sb#hB_adnD6GJ^dP$Oxy`vH zCl>3J-XGF`KbFbmHJ4GUE8l3J3a*;LrZ6-cn&+8)GT7U7yy#9$C+*^Zh>DYHa$G~u 
zBlPZ1I`niO_qx{s4~i>X1GG-_qOY}A^(>su>dYxpAIs#T_Wr)ryUQ7JS%+&+1Z~>m z_oQ>Vwv(lPa?VTQ-QwmN5fv-d)+HP;9K`g{Tt}hgq8O*^2Yc<`&5`JXUd#;>VmocG; zo5L8(WMajBtpAT?+d3k<7{Sf1x*bVFU(`RHc~se`PTkUt}6cT-uj`jnhcR#7@N-*u8j!r+2;AvgOhW4%?TaTp5!OEo&QCP2U&dM=^|b! zc$5=l{P~wYf?Lwdik7GEeDuX$WR*hYNFSq5Dx_Y{Erss=B&;lCM0QT4wEP?&EzOb zOLG_s($Y+}ytFh6B7Bwp%U6GLQqv}QX=x4y{4jzG_%MP7uLcP!hDe6@ z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU9rQ&a*kJaVc@P>Ns^(jT@{XW76`|$Pu3Iujd=Mfkz^ftx+kYt4WK||5XqYx z-I(7W_H|4wSQ281C*i+CNxZfR%Z6hp>`XCjW>{++4$OwmduI3&R`6M7LDkrVN#@$x zzdDolx*k=Nao^uDDz@)A3SZZVp%4NYVBk*kSKV_CNC${;RoX6pRJ$tk{iJ7Q2Q-P# zb%X=@tf3CE{-izkF8SsK>HL5BK>|GXj&jW+Y^s2A?92XG)!+rAG@Z}zxe@qGI^Ve& z*_7oe#cOsIPGh!BP?Z^*eSszKv4 zU;LMlWasUx3?n_pi6Qb^mZ+pvNFEl_@JWKi8w3XE~ERzhHqibkVQ(10UMwu^uRy{HHsOuD$) zg}!<4@gm$z*91{17gM3Ff;9AAbToZmm_nvlfGzu3c%gT_$Kt12=7nix4t{Bsi`58> z&07%7kn@m~qCDl;yy_UODX|Gl~>-BrQEvSZ(4P1k~8#3g%q{tbUR zp#ld>-{Wh|&z=^nb6=U=%<&v{L+X>zsf&X&L(b8B5k;}us*OLL3Daath;DAl-YwtB zZ0X@+FD!e&V@IXv4GkVLuCE+8;gibgKEpBR&=sP3W`b=xr#lPF-FLU{MULf83JZ5a zCwN0XB^i?-IES2g)2LbrRotl}v^rsS4)5+>OYj!D1SG`53*I2;%r$PAYeU-!1|Fo zQFbPkUiG?)3G|I;tZi5ymdNyQ6&oM6Y4m7RoElxyf}rFk17|wrZSI8io!K$yXCgCT zBS$A{6Sk;UjH+cFp?P<4&e;&LNQUNJ)sx$M4)NBD`t$kgy^0UX;j`dw8EIgLex&r}d^_z>Dn??Gm_PmM$%24Xv(3GD` ztA;Pi%BH2W z>RstSG9dzPqk7^c^^Gav8+aiwCc>fI-$xZ83Ve6V?m@K>qIPu(UCBM{T6rde4cKNv znx8WHnNx#Em|6xY@ZjU*Q(SChNhhUjiWdoxM{3~C8T~F;?QLsdI zFoHu7mrT)&Z0KAuEFp0sCFoqguCfo#+YvCZ7+&l5q~^S3HS)l{5TS_b z+L*UG6&Q3i;TbK46gv8C(&SUHqR&{XPZMXesE%0LL7#`m@pvVM3bCt;i1T& zY;wQu@c%nKxZgb8?&co)<#TvRMbPwZ6?!vv#GZu0o`&DMy>(ej$!*O8T zW{Nf{%vk246R06>gG_{^ZPtNjlUYV}VEq zAD>Et3b;NezHNTkhRBN&jH&H}#+A}6*t<~pm~oOL-aot7l13AD!~{a*2)l=nB` zL(8HMzGt?eF~rTg0FYE3+_)nc)|M6h!=X}I)DTP%x6B2}be!coOv}&^vzyK0rd0#m(18Svgv8p*e)j$e1Ahu3~8l;}(nKwq}$cKnp60#1wICvLImb_nIjR^`Ub zsZkP!lvvv|E8wZK#vnXII~t4su&1q)k7SN_DPLUGdcK1UM9doT?Xjh?QHx}k)4);2#N{&lsX%jIe zFe3&DDuzgg_YDCF6)_eB6b9Pvb;SsRDEvo1tHF6P@62HlJTNgZAutIB1uG5%0vZJX n1QbcS!T0DPu-h=A%C7Pv$+ETVhL{8h(6qaqKk>lS0s;sC$L;MN literal 0 
HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..3cbd561f8a1ebf20905080adb814e79588c7ef49 GIT binary patch literal 28672 zcmeI430xD$9>;gHNiZB)1Zq4gL_Cl~-AzJ>0ycnAQI2r6qD5X3BIQg?f>rwj!~>63 ztyC%Efm&MyE!s-8QtjhCrB8%cMQN>KTdTFcdQfelP-=NIlW@ofUoYCvr=QNk&i;01 z=C?E7nf;U9gv3OJrI_{Nc?M&K#w?Z+js!^(O0k$A2pj7PHfZ62lxx*+L-x>*k~YM6 zW|9NlO7LxeBx`Ch&(7Q1baAksBGGl9{Am zs7uqNBxRaR>MU(~iq0k^S``$l5{E`iQOy#gJaJ@%xGP^gR>Lw9&&fRG5QiMnHClao zR|)<@4k)j;gVb{hmoFOTMkb*8rYvo$UT5xd;63DE&F$^MGOTA1#TO0f>_>{pl%+Rz znQ$L6v1Io4P_Ul)6G$|FV369k#HYhku)ssU?l2{!b8XgoKFP^E2 z7so|}M#ZV%8A2i>riO)v#EOH0Bco$|#2N;yELbIAl|qdUz#}X?q=35$xT`?Bu!uqi z6JMCfVd4i91xzNwL<18oNG2jH#*!jO270iJX&-WySTu5$AZH13mLO*da+V-x338UAT2fR?ifTzwEh(xcN4av8D@VC< zlqp z4_`QE;EBOeIB~2J&K|3TQ^+clx~0Bb&g+tBB3R05yPKnh%}MgrFiBcOTmi?HLD*qg znN*JEtz@Dn%i)VuZX{s|BJU<($aN74oqCgSagq^2@Iw$nkn6PEp6FEsW%aK0OZIuTSGR%k z9Fo{W%!U=ghFd5hJccXQ6x?We(VGo8qp3=}MuG+Af!`9*7~Q<=edT-9uCqc{SC9X6 z@yxdmZOm;NDLGxh$;?eX*bvb|?Ndet9TLo z(Si|@=OWqGcAF5l=pt>5ykNT9{?h9Qw-()LSJr%HsCCglc5rU>nyBX3k)_0VS&4B> z?P&9thrOw9x6kW{xbR@Ja@?JTw`Sa0#7=wbvG}IQLB++DYNNQi{iK)k)E{16Qg=nX?8`;JWcT&&3z2!vVi3a(^Po{?Zuahso{q@Qx z<919Q;JIgu&jtI6L&sMyKj74|IjzR*{NS`->A<7GpYJoKbnuS6_YDai$C7yjw|mHz zI`$ftpBe!;Y(IZ-0ShcGl=;97&o*k;e_}#n(0DLPb}|#dr{cJjy>G1EWEL9@2D3OM z2tH>Ps|_Y|vQZxs6(){}2@@OjV8>)iF=UF(u&5~u{Q2UL91_??_gskwq6FG&uClbF zc^&1WnDoQ7_1S^$l7oAP*QO3nDtL9JR=;@3swvcBIBUlcFN`N#9%iuAMFyMtf0thd zp_dhauoD~tlTw$SqR%uZ>NMkZMl+K~IWT!-a|s2y1%4R^zQAkc^p)Q^kfa@t`0cb9 zSCIpFUC2uOSSfhz<~v*DAd@pPR%YF0f>|Xq*)kq}Xgq%2P*{2)*6EFA6X<|@&xVsc zg32Rl0vxyHuixQHZ_;mGbKhJ0wDFeX zi0q1l^#dAj=*B6$8oc7u%@a0WnD&+6<+~r<2;2J78Dmy*RiS=P(UsfTRbj4vbKBfCWsjHM8oY7B4&4sdAzo?8 z&9Un=hhF1)1ZCw_s{A}g+dbe=;0oOB$OsvGKzg_{m&Z^f+0m037;M0dBwXLhzyIv_ zSB_jxkVX2ZHF2I9n?p^Ql{_Qkle??8tyk^wY%i*swCreYRb#f@M9+FET=e=#VlXH8 
z)+pV~nvCyXxp=*J@viHoIr|;TLRZu)Ryo}CEx7lhlcMDPI|CwKJGm)%(M=oA5@(G+ zp;L@f<>zI-`O?RGvp!RQ=XsEi*lGfh=zT1qu!X^I4CJEQ$(51cDMpLubbE>JyKK5%Dj z{S#|9ml(ntHs7XN>YS5HjfY3J)i2~|2b5QjzMuN_?tAewT3vlkt92C)|EQpj*dGrL zhL_E6pY`xc>W7IPYhbUPUQ`>AQhld-ACD8&7=2;^naAPuh@>umXe1T1<#tEXe&}GI zv9xT?dr}tj+>yP6SGB$r4L%AuBJvn@Kq4x)ohGUiA zMYYCVWxsX5SFvsVjN>Z>msA-sg5zf+Z5>-wca)AthOs-elMdvnKmDw_@_EOaK$W1TcX=0f7M&mxOPj@hl>07uPCwQb>RY zj2s(^E8u}=Z0P=9c##lZq(=*{&`0QuKS2j^6EOiy029CjFab;e6Tk#80ZafBzyvS> zD*-M=ki2Q!rHx`CV&ZG0+_(>MZkt~BEi40^5Am|ZofSzpr9RR7!@FR)ISAS z?*HE<=vwgU|4-x`CV&b28Umfq46Ix3 zKxz#6&=(I;)*Q|dN+Ia`do(Qf|N9C08hwhsN$;m?eoaeo9ZUcdzyvS>OaK$W1TXn#l>1`7!Zu za}0^*kb|PQ5v*vk38VyJFpwpg3_%cK_$8X56JAu}hGS%g`9u6yAptUm%@s-gkgS|L zq<|w`lP{HzlV`}ilXI6V`>RG^Js}h4~Xh$AdOV$qwB)hshI9a*-kbkiAA$vJHxOv%;U7X1_ zF3$Fj4mO@-cRN={D;ql_vgq&C2&#BSGngrhSGUo|Kp~NVoOs^Ka8c5a6%!qWF8ht> z`%y$_a=b)sX&^22Y&+N`(qj4Q#M@ zb&ZkUgz$JV9PX$L?oTq}>{lvGs=)>ejEuUjE+*Xu-DRT!qmk6Glz6v|t{=~iv$A$^ z_cS82V9`so-&i!!%LIwh704PYvWkf;GLc0lx`eEG0?UF9EJ(qgn>v7hluWQh;(c?M7A&-B3&E~k$w(` z2*BYGp(qYfD8u1sGZfG8+R`^;x#7-cC1qZTG;!I@U!YFp6 zF5ScwJ#J}c1}0K?_4&GgH3W{nSN*7?F;?`6B8z;gD2iSf*#(g32_`@Q5C8-K0YCr{ z00jOPfvpV8TAUh@$o$V%Y8G@NBzh2u5JXf_NmhVV)M6sc~P}!4lg=}$Km3# zXwdiC%uN}sy<4VJEpD^Q!&)%N1m#0ZM9%~2(*lCl96Ocos^jgDdeivn>L1RY-obw} zl~$P{70C}Rs&($g9^-kPS>AdUbw`aep=kNdO>RA&Qwtzt`T_2=JKsgW{CPUI zJ11z!`Qc!u<&4+yuNJ;qMV((f!RL+3#C`iNx^l@kKV3Iewg0>`>F#5XET3J%RlNJB z@NKhW>!p4)PFNpX{TMRBxqQSsskkob+88n@Z&Ma|?Vl@akiXaH zp+d>&%c;pHRC+VRZbhpOR?aF=K5yN8j2ki}eXjHa2ExEXj47;-mp4pVkkY4!QIN)9 zVGW$xovn;V=gxmG`|jovy&{=Kc>O132c$3u@g@;WU{*Ie{Y%^e?;!Rb^1Hc*u(3*^|qwc=1vmsY1gJd z$trP{ty0dk80yFxTw3gz@owG0Jp$tu%SsNc{;szChT4-R+@ri_#5`xp`fJOZCp@~B zxa37lP?P_u%NqlUwtdRPN{o} zjMBv0ymx7}45Mek#jwu1=|>$>%HL?+u1ixRx!p^p6od-mo18zDoVmH-Wz3A#Njiz2 zUM;?RW|NNxj}@*5#~hu~m%6Ob@&3#TnMSJbO7)-w##9vA!U?Zkvf^55jCWd=PLFsM{&RvcGEQSe%jf(ir0LrLdT1` zzOc9Y!mfgkZ`F04F*Q<-*HBFDUgfioyAAw$X;4!pjNoULBHrowsNF= zO7%h;e$vBfO*RE(%k)ZAFY?of%~7cdj0j)&oZY>ZC$1aZ4b(W>Ty@nj!Pjoc&)cf8 
zOXCN%w85!|60XZPIVeoX(w(`RI%(jAeE+w7Th!YmO-XxV`_Rr2A7Ss(yJfXqh1hrF zXQPId+aop_l7>1fyctI)9}oRbclVKlD!Mn%5B|1vXSPqsp;-eifw9o2mk_r03ZMe00MvjAOHxU1h80$AU^+p4w0S%D1ZPU00;mAfB+x> z2mk_r03ZMe00MvjAn;Enpoz60{MCQHiO>IAAyVr z2mk_r03ZMeK#&HON%;0%am45UZ4jvqZ~_DX0YCr{00aO5KmZT`1ONd*01yBK0D*rx z0d*{$@U6StBKQAS#mPXV{lo#Hmtv8kyh4zCxxAKK9HE9VLw2J~i_Bd79_b!wH(a5p z8khh9K;Yj;KtNHIwi2p9ypSLL0yx}gKbQftI8?JhKk=`Q&}guL4==+LhHw8YO@v)w ztIqAwza;&`SSGa&)#S!U1#iFg*lF+Pe3jVy)$Q+` znYu#O?O&bSk7~~s=qgLk8zvdXSv3MO;O~HZpdGmU`tnuzeR1K7gF8b~Cmz0W{8^TH znCIr7UKZT?q&k+znMn;T8NX#6=2a(Jb}7~LKxuA?oq|@?ua@-r=``pszYd*am`qBdTcr1_Hse#Gi4HbEDn>N=?#+&w? zK5}!_7GnWveX~r=ti@L<1r*ZPJDWje(L~25`nx-3ECCVmU zT;Ux*_@Jlx1ns@U5v5J-W0?#{PMT%@pfq@4qyg>nscCZ#D`y{yK5=RGbFFEYw@m8# zSwJC5Hpv`^Ny0s8MuGO#(jAJmPcR4$d#|G zo|oHGkj`($XV$d##57VOG5!13znVS}AfPBpG|6U+!(_K@msjb^7xQoJ-0b-F?CRT% zuGYmnmhoqp)zmi<=1oTK`7ZIjy_yhbca@>#UwSpKnSS4H?(6f@62rbf;@N6`dF@_z z>CFO)f<%)H_Bc$+dhR}Y%;S{Vt`&`4$9BzDUv1Q~za*@wEqz!0v73W#&{!sy-Q4O| zd~{9Cwl&4ixt5kqbYb1I4>hM9LZ>)I>`9KgBB01iG|8rq!(`>^pttGF0ey8ZpCwms zR29#=@@nWnNwZ7p^5VV~=b_bOnXC=Bre3IP{(P$RS$%RSSEjLmn%B0L}9(G`jnSd5b72aqW!DR;2Xo^5&5CN z`MdfHD6(IfGz&6g!hdH7YD3w(DEZbq* z{n9-VUD5M*Sf8h4uX#*3*%#Fsh1|GZ;=6l+mTM<&b*nHnQo-t}uUT`DyJE+jY^8Er zbBp#B!G~50D0qn`$29~Q`x>Xu|9wv4{3<+NE^q7hOF6rZ6mNGv@gK_gn4I~zcr26p zMfJkYmf6rH-KGA@=B+8dr}R0kzg~Tb9U%Bz@1Qe`9lj9nKF6Zzr>`*&->BJ$`z3->% zQQ<{x2elS`ezBq9DOcrbsQXwZuXW5jKFR4s=el&BPou?(my;JY*5*aNVte;5BFN@9 zc?&2~5>1Y42wGXmrtI@|z0~U2AFnaA^Fk44p363aV8v7Xs$KG7zj}^kvXkV@q*T(s zOkHZXuW*yGv$?Kd`iuG(1jB=~%ly5zHTq$swdn%c6)YYvE{Yo%Unw_N)%JIFy|6@H z%B(cP&TD0@u*EliT_mBzOq$=PVg*r;i2wJU_<$Y( z0)PM@00;mAfB+x>2mk_r03h&BBcOw|!u<8c8&!#ESVbE<4{iO;3l_?fvar%u(trAr zo+L5NBuYxN8H$q947P%#G@C9jDa~NXNlKf-g#S$c`Kv!!iD{;cq%@m>my~9(r6r}= XbeyC#gN2opHif0+vD$=@ZxsFym1*+x literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt
new file mode 100644
index 0000000000..67ce598fd3
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client-revoked.crt__client-revoked.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client-revoked.pfx b/src/test/ssl/ssl/nss/client-revoked.pfx new file mode 100644 index 0000000000000000000000000000000000000000..1ddd9ff2823a5625b32e538ae91d029df841bfeb GIT binary patch literal 3149 zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@ z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU?cbc+QQ3P2qSoDM#h+K zuxci<6|@K=N#?$-o{WSQd~xy$T{&FwGrA&oU|1PvyQuk6{V*}$8U{I3igdki)KSb% z9Jan(3$(IUjqV)Y=s`N@oJM{E$4x?0NtKnY)|d`1Lru|JK5NV7{DI4{?AGa(`)wdU zhMMnVe$F&f1UK9<1!XD5 zO;|3JeiT_)x{NgE;2^)Tw|nPD8R$d(>B!3%4}PExJmS4yGB^Rbv0O5uJfM=L$T@)M z>KR(+wIcqFZgLZl2a*C(Uk2)iwsr^`@Za0b-jN%hUuB*=ZqCJ9xAjU~oUV)a0GB>^ zc?5}BzV-3Tj`1q|49zJ9kiJht?aovXBt(fO4TQq zyUTSW8~op0j>nf~4++$-16*tqon+MBwEtwHW_AXVwban5b{sB{i=QSdX$7hx`6W25 z$U&b6X*Pu&-DOW7P+Vis=p;zd%n>#)6?V4S6aue^KDS}b#}^+QHe{O6#3Wu4WqxXD z?z;=9d@@FANI%8EPFA0oZ%;E0A_%QhL{ zC@@2P_5SE92a<*a0_iHyt`N;hBI*F3_8X7r_?uD@M%iktht9IKxH`U1gS$D9u?i%C zYr1oWd-MO#XA~gc03+jU>hqa|OgJI1W8vP+tTaL!!TKy2_k-;gg1o0k_~{DCZTvQ( zm$2O?oEtGa(n1#W`#ogY7n0rD=GzE{o%cd<4Z&cI?0fR8Vbn00L1kekkLr&Uki&pb zynM{)RRkcTb2o#baf*H+!ge{LVdd;ForAkzwH&UQlMMt|1*o+|jRJW9us}%$)t4Mn z$N}+E|E-sfS^VNQ+1)e2l$M}++6I0qu6`34JQdqaap=6*UgAAcE#nz%25{<98Lq$4 z>dV=6Hf={?|41FO5E*Jj$gQx_=_vfK%1!{gL8rX}FWC8FTAVQXQ9n5oJp=a4@4kX% zmUp8N(N4HBSABwP>@N+XB2BD14rwKw46rO1gL?A*S3j#sBQXwh4rQiVmlkEPaoy9> zNuM@epF_kUILUA332%(m+1k1ySzZs&uw!hxbPp0ba45{_;COFAtiGWioGCkXD>YF# zS7LpES0+1~MpUKVqbBeb3FmmK&>!s+1H@}HP^uuA(}dVw_ciFBd%ah3biGwR_7f|# zIC-2kqI07%ly(Q;G}w(KGb1Qcs@tsTgZe%HyIn=$it__H0LKFA+J{8nH+ZLqspO_< z&0pp6N?PZn*;zgbWxMq1;jbCjB9(@zr(76_-;PM!SHDf6ZYg$$t8`+j!TznrJxXGG z4{Y9%JP5FUDH9Gmjs+CQ@qt~Fv%JK#OR;To>QWiaqdRZvmB@Ilmgu8Lh8v5w^WnYv zw7FC`H^$ZDJBRc1-!sepGOlJ`rl@?Mk~O(%Vk;Sv=G!w;idMP9t(Nwm2G|+T0>tXK7p(<5~yYZ8U_V6*1qcLRZLvmpsYd6j2Zs*nPvFoFd^1_>&LNQU%tK{L(Md=FO zJFd3yj!HR64IXiPul4_7t8ArH^lH(0Gze^@SMxcBsCQEARX`PP`pvs|r2b~dTF4bd zWDN!6%o+PI5W9bJ$xeZM=U4)r!0jDu78TF= zJ$U(27v>;rujcUVPMcf0oA@g7lFmE=etV$7`b+pOHnY;SuDP?_VyYZXF}o}s*kEdK 
zwK9uRsURpMwp2#14G=&4t=!r5Ae%itDdwT2+a#h8aPCzVuUVqVF+!S9BeW~u8=sCV zae*a1<#2S2yJ+atdL3N2;a`nAuHmWn%oim)qD)LFh6jB!E5Lp^vxH)q6CfsvN zbUc9%)MacDeE4{6tMg#=hu0Et{I&VwHKXohUEf2nFMDqnmZ}I&Ix)7b0x6&B7Uek^ z`Kw<4A;>PHub|Wxp(ZsI4iKphNJwvvJJZWxs7dy6yIQD=Xd?_a@_MP} z_(B_ot~o`V6v^5YG~PX|#XxV`lTGIEmAd4_~mHKz=*kN!a{gtmY}6FSj9! zfR}RLSU&*^igbg$Qd^f6uMc4AzMu}p9~>}b*oL-0^>*F6EV4M71O;Zg_d}j~1K?e{ zZRqS?iDm(iF`4^Y@4|U1fs%ukg`(dKls~U5ChNKk$Uhzz8M}O9(|mU?jTrz<5r07{ zF5hfS7WTOAiU|j5aybb@q9i4CdGa&AU+3;8xq9dQPdRy~GX!2-8)x7?ojMaEJXqZWhVZ0yim|0YkFy(RV|Z z%8CVXC-LxRyNJ47CuA}PieVLV-!mwVyX8NDBL`!#TZjr%zDw|8;dPS6%q~dB?sD-u zH+R4lRz#Wz$_aSO-;sT8o|jXk5nRpMOv-j^^Lwn32yytFox{!pcngaDL6E~~;k4Oo z&XI(T7=DX!)z+iXWUn2S(V7!-Pv`zX!JsL_`$#bkpMDBxHXOW5+{GMed&MEdExHE5 zwFO@H)HH&AX6FIIioaQR48O}i5g3X6YU-P-psN5bM5TyRF6T50Ua~U)3tE<3&!`!l zfC*2QJA8hKU4+;{YdYzg7se^i|M)o~RV#094e+UWL)*TcELNL)^ej=V`v-`D;g>Nb zFe3&DDuzgg_YDCF6)_eB6subt5E}$LUeicrpJ6?jnETg%MKCciAutIB1uG5%0vZJX n1Qc4}45!Og;OB@7r{@Wt9jI+Glu`r;YIThTUQM(h0s;sCJ?sY=etOw9vQsYNBl;=G0yhK5GwhQ=larlwKi zye4J_CWa*0_IV z2Y54&+qGrPUC4dt$>ZO*)%q{4x14vAo8!GyW3<{9)zs`N>D*O;g{B0Rz(P=iz z**`n8yCf_`tWe20i;`0kr78{|F+ori@#1h01ku;6#D-kxL`c)wV1o{@f6LTICgAQY ztQTPz{DK(iV~vJQhN}#{hzMLD0Z0H6fCL}`NB|Om1R#O`Isq>RgUz-^BNa)p@-*2J zsUkK>sg$T=5)?8$-%x+=aDPr$NAA1>^H5^D6+g#9TP8?srnV@FDU3z2WxO~?l^BMgFT|J9SWsVEl=qe zp}ioYO&qKt;*QI9L-p9!*61d0l{6+n-e0`mpy+hMy?w;~134&SIg-%88Q!6hoaz3N zoLRwvA+!9!5qxI`PZbCHhI71qW`>44bEG)2a*35ktbAaTJHQ?;*d+o{5r~S&D99ob zfItWW7ZA9DKm-Ce5J*7~Lj-Q56s`?PMI2~waqV${3Ks`5TpZ|daUjISff5%7Qd}Hp zad9BV#bqGWRZm+#QkkceQM3y%wS>r9}_Cv)@3+kH5t3zvq?(Xa6Ov_Rav@*97XnG033PQP zXqe6fN6?v|i8>RsQ)dEzIulUTnj{pR`Mem3N4NKRF_*q#F3+n&n0?hD%)aUnW?yv( zvrm^W`>I2jeY%7>Ko|5GaA0CD=r}qP^d6lFx{%I{eQwI1n~VBQvLk5o#yqc145&`5 zP>RRKkiz>D}fl%M@!YJWHKJze+EZ$`%Nn0 zYMH>@fkN_kA2|xmn!2b^cCc}Vej2`w0 zg7sqE*iEbzyMUc0qHuu(AOT1K5`Y9C0Z0H6fCL}`NB|Om1R#Mw6aglchSIItcIash zKL>`+u%na4sJ0@S&M2g6jhrls9+jp~AC;pa$N$FD5aVgsSmRdXeB&8d9hUfqY9Oo( zBmfCO0+0YC00}?>kN_kA2|xmnz#oVJjf$Xp0kljL6!+pz#yuI-Sv0DVFkG%waZ-|# 
zRUBV$@RB)4lB`t4rO3lV#GJ4&F(*Y%M3hQJauP=cvMSZYv+Il@(xDHL4sD2ZsDZRh za}@XCdf}6`d|XLB{~j7yfhGFDkWtap`R7NUkN_kA2|xmn03-kjKmw2eBmfCO0+7J}mVh4B6y1Z&)dN!>LpEgr#Arh{Pe287 zlsBoK`uK3JIc}<*bud&a6TobXS}9M_j{o-{#B=|(SQqgIKr^-v+w;E#3y%&7Kmw2e zBmfCO0+0YC00}?>kN_kA3H&Ju^vyKrwv6Fa90d? zsP<_AT?$o~LK#MN&?g4}6Sb+JkaqmP3BlU2Myw30#5%A|*r`7yW!Pv)01|)%AOT1K z5`Y9C0Z0H6fCL}`NZ`Ljz=A43y~^)g_Wjr(T^xbx3Ew}}z}R%!U;B&!NM%%tXZm_O zzR~GV`ScdE{OMco%9M2Sp#hK@p3H4Oncf_%X!^0~LpmkoYUszQ+GhaRRDu4>lvzZ} z7)S_WWNT>6xI}M3>FGJNR>2YFixRE!Ol`5rKEGetNxg@5dAHFXFDybllQ6DtbatC>Gge4_Ec++ z_{PkoOuT;0t@&HeJY66A`zXxN@pG3~2EnwISuMou-T zd!u#G5_JE{j%-^WU;gBhsEI!FoDR==t_ZozeRDTRt6XsHQqj2jWp z1dTGI(Qzt@J{!o4_^1hHC^8-Qplt1OTse00gr9HGre8Z)cg^;4+^P1s?6{*&@g4t2 z%wKi#r}eER=L?)ym`c33A3d-ft{mS3r9r0~d%M+T_cyxl%qlRnyx6gHZS=Y7C#f!<-RE!I zV%53$m}mJ!nnB&u!{1oF{oP4}MvH_?7GG$_n@!jsk-p~1s+tGt@kO(l{*QK4MT#%2 zJ?Q*w0n4rAkoBU+clo(Dl8@$g?7VW$HhsRvaL&k8RWXjEAM~DZX4^Fs70(FBiKwj4 zYRk0$_Mv{-HHWY?d^e(QTV~R=fWC^_3Qnfi?~%W8YQ6ruaxeLNfNBuhKp#xH;z2&) zccQQ6YX;Z>K9YK|WjyJh#< z82R!Q>-?ys!?i=+od6u}Kn9uS|7nLis;!U!Oq@I~Ov4ktmPL4=ds<(MQU;xEuiwcA zIac9|j#W5!C|(#O8u0tB^~euaJ%?BstE$Gdlpe+uO{Wt7cIkTDMh|(B6_zjGx}nD@ zW`4?TlhGNqQ8~=3H)Z2RjxCOn395;C7XohS|E25e4*EI!soytr*~ccX-e6OGV9hs) z$-gYYL|n zWm~7o(xise0@di=i<9Wj#5;3Or>Nr^w#n!1Xzk2s5L>w}cxWT77`gYhMc%|BS&`KU z$0c$1!Z%6(_5sb_Tdg_b?`l8R@aZeKR;!xqo~4gk>%NH+%=B2&OT{P&D|yraQ=b$xTg)eJ+oap$Qs*kxl73yRNeTiNteiI28lx>2ya~6fF@;K$l2e$&^_MNNxD(O;yY?8#nWms|e`6(N>?n)N7Z0)4pKVufRH|4;Xhv(BM zG0du_u|4rWmEMUA>a}t{DUsE(PSjHCjE?#E04MbNy`H#m8H$emvTJ8lL!k`tq~-&? z$nSX2zNFXmq&Zp7J?T)qG>oFZ_N9y~UFt@r#^Fi8l!}IQUU#!}nCHna3~I6VqX%gk z_fZudb1!E{qUqq`)dAV)O!(3lD0u$IU1^Snz)85$7w=mV*R0KiD>^_y(ZOzX2vGe? zNBSF2Q~yincwpnM3B^4pylBU5BP|-eaxV*;?GBko5E6?6&N_I~A?6YSn!PV`{n5RnJ^qDPrrL56v z&6TF0Mf)`FmAv$sk{xu@Pp=O*es9Lp$WU&K_xD*_$6I?99^cZ{JSOWvU68MBUc^Vm zY1_*3G~G_smhAcO)QhV5wI3GT zaf$oTZ>=gqFlC?7;vdg#-Li6IhM`$nsOZh4)$7;)+>;y9egqHs`a8b!GH&tajZ~-UA&9lkkBzXU^sL;A&D{4! 
zQ2||1DGz3498486op)kp?)hgQmAundw(G*2c>Y#eaoQ!y$tjl|A z+RUR$^a3|_O3XJD&EC&1@z8Thx^46eb`ZFXq3~kheE5yd`Lf|Z3daAa@eG9cg$pDA z2|xmn03-kjKmw2eBmfCO0+0YC@b3{=jq5$1EgM+G+*E)V6F}>)f zeW`w-;lbQUDibAzLZeYeR4NLEA_`VXwE0#6--sosDKb3-{^?2AVJcLyEZZu+4dUO z_o9zSVkUUJf`TgA9ckbl$PMrbiHKMp9SRX@SKnOjkvFjoMzzTjT2;IiZ33N+V)4{f!D8qHCIB z@Cuai(F8<9to03_kimW>Gn)NIg+td&GC+$esH&pVO_4)3Auth%j7g0iwu$rc5Ufl%Mk?SMI$XtpH#zVo2ib(1a9D7`h6`P|SO6CsxX^g zg&raWjh2Wa1Z&Wt(fz)+7NETLP)V7c;769 z6bm86LiWl+_R2zz3mfUnM%37d8XM{B?aOAem~2>bEQEE(LU>?fA-spN5FX-K2#<3t zgaM9)FvZajfif0ObVKlr)lPKN9q*<)VMh>-+YyB0b_C(L9YHv*D+tH!2*Pn)LHHM4 z_?&@vEU1M~oUsr-d&WZe6dDVCCPLqd(C^O>IT1$N@+R!?U^_l+F66^Qh;!g$3nAFy zwk)PDa^5oZG?^lJg(a$gHw8|-R=wyGF-Gtmg#dq7AqiGAVL3|h01F@h2mk_r03ZMe z00RFNfedZ*W~?lktnr_{Wer$ll;Dd@Mxn^k(g_kM>8+^v*zvEi=7Kcb>c3nBq9_z@ z#{E5lCkz@L5fL=sJ1D?6BvQvaJQCJ~ZP_PR2RhHVCt;WNOr!mEI|i<( zC7e8EWvZU#R8bhcyCf@qaNbcR1&`R%oTJRAi%wMr=*i{i&wTGs&4@{Vx$wxuw26bdCRUHo0T_-%S1bHriW}vNf~;z-Tq+>WZ&M+ z)QX}PW~LfCs|B+)=F^{L8GzpXu>*_Y~%~7-GgVX?&XHD5;v`rtENdst#8QQL##i$ z$74j6lAm{Fpf7cEVQ-`R2i1Mdy%}mw4?XFujkU5AN24#PTtByUBIVIs@<#y<_q59Rd z5^Wcq)y{s|y&{z07B!6b*g zN>`^r=M86qjDOpoX=R?Ft!@3*RZF{0@3T?tZhxosI2b@>T+pIXXBNo5sN-6C! z=5@yGbS;9x@sn?oYByI7CoKs#A;j?vB0M##SU_pUuf@s6(p1$EyrOxmB77x^~ zR3dLb(=K92%;1mMGYZPijr!hO8g_a1{_|a%20Xbp3>JFdy}G1Z{AgmQ^dXB5h0o1P zO}2%v%AUE`$5K}R;yRnRf!$e}^(9C0u`4=Rt)z+t5fmnk@wvm?+LBB zxN6<^eYfo$lJ?wRUTu;t$9xz3AWZzo>sO<`*9Bel*F~|*yi6OFn5PfdY%(kJQsBJ0 z_lR+%=x5C%*+b7OXS6694h>Y^_%e8H*v+OZDb0EMyNp0J^Gk^Y@6?xB+ujiB28xU+ zm9rfNM1QL-_+yKWr7kbSTdAPXL8jfQtsvkN_w<{V zwHx2*HykH8QJ?PmzVE{h$E%f{qInN4hkX86($bp{l;Sh$Tgzu>=iOkVK7*W#<{bmA zgGIWAhmG_yEap9sly!4CRG;-!h0=U{cf0-) za!+#JYR7DUDfuM@FI=KCjWTAmF4T+=3yeQ&*R|Biyn_$zd!|jB_rAP6CxJ63E-DBs z*C}SD)iv*8$&6=bL_AkiEG|j9@qOP)x!S$l1F4*}{+Aa0wH4C_-!C6Kzp3tSeZ8)p zTf^hEHz-tV^C}+S-e#GwA-ms*=9-x%b~6Zn?OB)W7fbnDSGCm6oUqzhadyj~^uvx5 z^wKVogmhFh$xi7x<$9dm5wG8xipxt43i3)!Ys>9Y^Lk7bh!mMQby2w^!wFf(E$Vi! 
zB_?E3erX_xl2_U4mDw84NAGHDd$Ih5e%0-j@cnD_|M!_4zR8ak+@BXbzyb&W0)PM@ z00;mAfB+x>2mk_r03ZMe00RGG1Vk}dG5DSG(d++@D9MliV*>=k0R#X6KmZT`1ONd* z01yBK00BS%5C8-K0fYbsgAyCP{(pp$d<38X0)PM@00;mAfB+x>2mk_r03ZMe00Mx( zznQ>vjDgtS{pH)}_5T1$a^T-QLf{<`00aO5KmZT`1ONd*01yBK00BS%5C8-w2u#Ch zh<*KEaYnEI`%sd76Rki52mk_r03ZMe00MvjAOHve0)PM@00;mA|4sr57?#-g{>v>+ zFdVex2Y688qfh_N@d4L>03ZMe00MvjAOHve0)PM@00;mAfB+!ycLa!v@cn-!i9wX) zkfgrkbjd2oXvv$ByCq%8T(SxI4{|>FBe|9wM@l9Ikg=pjvKpy}R6-(443ex#+JC1C z>Hz^j01yBK00BS%5C8-K0YCr{_y-V}fiXr$1g!S*_6?8pg4lFlUr0~SYxI-V84M+% zX^5hNF+_R?`o@fR=KR@NQCJpI_(qz=VsHdLkk63UlNXxi$O%jH*s{XXY@Up;G>;`M zEY0Rl6PDJ6r2aGQBS7l+=fEU|ra5F`X&##-EY0Rg2ut%=;=T!o7ZUp>&GF-~ z{u~%VXqqD`EX`x%g{9d%oUk;Hg%y@&b1}lwx{!!CMn&vLZbU>>Xt)na@S;>iT|-Ic zli!maNk>WI5`NyG*u^VFAgk;f&qKol+aYHye>|rbpvr42!L>?V3=F{1X4}ixlF=K^}Oqu@AAuks&+Ccw$omVqvL2#ky(qt6#8Ib6ZcGGDWxQ`H8&W1&Qm+|Cipxug$ODSVnd&UlRDpHt;m6V?<=me=QE zh|B79uE-qjy7*irn2Ad2+x&^Dr7ychluX%oZ!(h!FSP8ooIUGRY%gCaMee*McBJnf z)8p+xsGRck@RKK*e43nalbk7-++916Kj2?<;Gy!hO~HBC6)$E_e;Bi%Da_LOfR&hY z$fe0lR-V6_lf29`_x_0)GrYrE5}8JAyWUitj7~_BJKG(|j^xv1g_`8Cr(jZNkW0#T zlUcfg#_w{d5*}s|`kOW>%_`1)gJhx%KiM z(_K0A0L~B5&`~~3MyN?PZwe+^Gar|Ri;RT1T8lIiLSH&*B)_dTbvvbD@gVnl%kg90 zlbPJ3IoEd~#ByGvM(Np5mh>~zJu0FtwpjZZHvxY`ZhbeOCN0z?k2M98HBFM$X6Jtm z+@R`hTr0mO_iST*w}+o$4auhKo^;x~JCm90uD>LY3ARWW;qvVMB)NTk&N-gw53%#B--zi1;=HyWd1A=@NsjiJ65T zN#$cv&xj(IM}}$6n`M`rBF?IQa&6}JPxFVSE&f48Q<6`U5^7R+DpOE}T*42cM+)fg zwH%(@7Eh|E+=D(LpP+cuz<$Ko&`P~#GLxpFeNFVP;hh$1%zt0qm0*dssoRWGct6X) z@t)|rRm&ClG|6vFe*L4x6iDi>8+1RtZ%yDn%NKSwv;AYQ_0Lz&@eIsc@j@qIeR^;B zWF{YJu21;fIb-W1vploB>9wZ5SImDL^s;4MUKKK=a=tQ~Pa_LAIh85ME-rU9wHQCL za-Yu;+*%pb(fVs^{dIXL@?Cz+s>-HElbO5_mTELGG=26Tn>-(=Fz)V}$z$!xYFGZ$ z@7ZLo)$)rDpGFdDa!OOsYlHZh$asa^-rQLZfw$e5ILgL^x%K^Fq!+Ivn&kF|O=hy8 z$$98U1FTPlX*(O)k0Nieem?6b;XDGTp5v^4DHUz@ay0{AHSHa}*Yzp-g7dIql5g zMmxJaC$*^d;JAa-3upTC4?kw0^zUo?I~G|r@@Yh&CZ{w7aUPUe|K^{U-X*4f-&XSG z)~GvKO^>5Ug8>xfoA1o!N+vUjVQkMBNGnoT)9p|%j@q($OGigpr-@FLS!Yh7`>BPs ze43b0lT(_4+&4aR$a&h((9g!MFc!H8= 
zxTX2v{1q;u<&3nnrNyQl3)gK9Ddp3!LQPI-3c7o@d0ADsXlD6}{qNt~@89`b)V!ES zcjkC(SD1F<6z0;vWG0I=71PLgGnK3JOMBnwe~HWN+gFeuMl5W8Wn~y`pY@hc!w5Aw zr75VJ^Ax+2t+Qk0yR8-133G@+5i(DL85>Y5N!4o>c6Vt`X7b5aZjX2PV7bVGt#_*H zkN5Asaj*=xp{Xu!`=@&e`=jLeG!daDr!)l>izXya|NKO&D#j&qMs%9L1ZSI@nZ5KX z@012*RaV>j$xKS8DuomE2IYQUxa%C5V&H(;DaxeSIYedlFCQ8}t*P@u<5XCD!uZwt zaLD43&|zNT>rbZFf1_`>x+ZJcFk}E};Kj$TXeDrH3`D`o{uHX+SLGuX@UZ4%=6$EO zkJ!D6Jb@Ri)CIGWmthiBZjmfpYv+%9Uc=Y_BIGKRq`RO13m^ap00MvjAOHve0)PM@ z00;mAfB+!yk0QXQDSdP8{`IeNOyQlmkye}@ad^RpWq*8VtL-oL@N_rnUvKc4%ha$u z*Xn9nd+~iblvxv`E zydFw|3<6`{;!4SVn(oEc`nOW81AdPTIAFWaW6@+LGdtg{4~r~!48B!Uv+G&v&B}Pa SsQ9RQhx^7M%g+|xF#bPn-f=kq literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt new file mode 100644 index 0000000000..190f880c0a --- /dev/null +++ b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/client.crt__client-encrypted-pem.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db b/src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..6c8ec171304048a2a1c7aa14965b30cb7bea2ec8 GIT binary patch literal 36864 zcmeI530xD$9>;fcbA&~pf~XJ?1p#$)K{!-S5kw4!C@NwI5rZ6-Bnq~oL==x!1dGQ* zi+~m?Sa=|USCzKVs`#u{tXip9tmP?%id9juzMV}#KzsO+zSqy|tnBQ6c4mG%^Udtv z-PzeBBq%_xlyMd%CdEsX96n-*peW+b;UEa2qg{y&xzLG_rnSKa?PLF%se??wUD#L` z!qEK%(bvK1^y>9i>$wvVxIhAs03-kjKmw2eBmfCO0{?Xa?hJ;hsU;dNPl%Q!OP5IG z(FqELSQQl~momMAeLO;aIDUcNK65x^8fRu8r#GErE8*h2ag*t!!YooDP7)=H>&?OF zr$D9+RN#;ErZG&1TcQzUd4(z}Rwh;UD$x5WXj2DjaB=Q94=TfSSWi3T3WZ9R)GI>k zC!$Fls3GEx%Wy`Srk0lIW)Gz#Do)m0yw{*;bwWKn1AO{&kVkXG!G1G5g2Oq}eZo1j z0{wz!`G6yM%?z9x;O7;}@$j4(9O}T4;Ka%$RvxkPflclJd$?ei2t-97Dk7sGi%0+h zAqX5n-~<8@2%JG60YMZIIFnMiCL|Scpuxp8#{nu_9LR8Spu@$15ElnZTpUPoaiGP; zffyH;f>2vMP5nq^p2jAXd89IrROXS&JW`oQD)UHXK3R%Smg1A8_+%+QS;~=2btF?A z$y7%&)lrj5YC4jdPGnA!50?bQBU{SDL0KNzQXW}b0ZuGDF4(O#fi9oS%_np7$=pOD znMIQkWYl0?fP0&uQ2>@zMKv83oP_*XrVk92z-si;}dx|+euMT1MREIEoszaDP)gjCt zUBc|C4q^7_5@sJ=&}YDbiM^oXXid<2v?l06S~L2&DSK`%>NUxZpvfEcygE^!I?+N2 z9vwvz7lF?fC$WRP0=^^JZ+Xt+xD7yTsYkIVz|_%ffC(2!01|)%AOT1K5`Y9C0Z0H6fCL}`NB|P}{~^F)=n{=#VxJ&b z7uJE@!kVy)*cl=U7f1jSfCL}`NB|Om1Rw!O01|)%AOT1K68K9IU{Pr(U5BxSNgAx> zBN$p^I9+21D`{Gzf=U|9?i>n}O4Fe;yWb=4{|%-g2Gg)H22BPz1~af~EdDRmKv)?_ z01|)%AOT1K5`Y9C0Z0H6fCM0czYqZ$6+xN4v@}B$cjr#V-5AtaG^)NZRHjgJk`fb@ z94`;>k~v45s8Gfv$wGnxI3XbcoFo|$Q7Ghz2^=NJs!$Pg*BOJPLmwm^+92sr{b*?> zDDKI1$0uv}IFWq*7#eAuT$Z5ZNM%V%1!Wqcq%#;wn&kih?z0F!Ej?nCA>!O+K`4Osv&+MtaSP=Op} zIMq!DAIdesjWnYUdJ07x7;RB0WJ#L)|9uEC@4pIbC*A;Pzz$&h{W==q)R5C%Dq@-(;X+x-E(S9jZ zZ3<-w)mDeN`Jbps1%)*C|C#j=UpAO!{L)Tn0!HT!s_7h#z)* zanJ}?Q!Q{cg|UZ9K`Ae9G0tY_*sYtk?jajR_2|g!gT*aO*~HJ7aCuH#KJil{g1M$_ zfg>*93bfHdID#6r>RWA;j!@MohTv*cm!c*>9D4gw=SJGjH`Q(v9MwnKHnWVcU7vR7 z=j3J0F^o6a^P6_eE=0{g&yhQIeR5P-^2Gb#hKEh&xhwA_=1~HcyGqu|7`t7&y7eO6 zKKxKVO7htH;w`gG+fPcxZ52*BqmzSlwtAmyGb>L#pjx}(F>R*%_jwspEnQ>l(w4ID 
znzgs*Z#(;Rf#}@kcQ@8OZL6%UG#~57Sn?Auy7Xb~j?9v2UmaFA?nu?QuS8wyEd7_D z6{}h^tUbN>lM5mydd{;yGN=2<>BYN^Kh3z(-279Dv+aF{m})#_YXgC#j_c zk0utBPc)L9J+i}h>Z2VsZ`+Qj^^DHH#(MBplxxg_8>&JI6-CfOL)-w@C*}l=G^WvU zDvCbq%Z&J_31%oV9e1T{Yqwi9X3K=1Z_}n(X_R=gYg7IezwlziF#Q+v4MH z#S>||)lZLnWAWB^r*!Mg;x3zgp&oBMp&~40ZTITRhpO>;vspfmcb0_*TwZs`;n@PV zbHQQDMNjVWvu-9H%WB_$E8I_Y3Kwl*(+hHqwAX-#@_n$5S5 zbds;zh9u*A5mobY!}bOA)zl_%GQEC}{FPJd_1~3y$^Qqa8lm;|!K5o5;1hl$`f9%B z1s^P|984dKQeJepPfa5*y9Mt1pWWX~br899w`8VHvf`B&k8Fq?8NGGyx+vL-mFvB! zq{AJHyfXnf+`bIbO#XC-E36;@6DLoe~;So$;e>(o3mv6*ua+T#-U^%jF8$0cz<|o}T9FSX;u|3rMJ#mBtqdxmY;QAMnozqe zS2?Qd(j@w`fL&QV%4{E5)j2@g-v;8%j=9YR)cOT&>&K zzE(2StN6_HC#j68EflNRvZ-E=V&`sIQ{yK-tB4auUM)Ah zD!d!+-(}%&N-V8npRA%*>mT>@1WxGndp&XCG8i5EW!KKAnnLO0Nlp5Ck>Bv3JxQJ8 z*Et^Cv}Zzo=Sg?k3F~mPI`^zA!iKSjO~Nuo9ufD$Izy6--*wY_0<`oU^{FYD~EkMfhZ7iFtE z?90tf=f7PeD(ByxR9z-_ek0e#^6_F$X3B=L^v)s2{3{l5%iMPFjVP({op;tT=0opw z$}qu{1Nw`9Jil%0su8Jr#>v5=;R$OtZ1}k|E2!lt9`yBhe23-S{4JZN%pNVjxSv0H z-oLCu%+KGGlFo6!2S#3Hj^M<`wGM0Z9mc+OTCyg8V>RAU6lL&YL@5WO`f%$m}ZWU#6TY4DC>b)O<1W@wqP#yzi@f+`x_T zP#!HlQ!`7}Qndcd*>fvTu*PTCcJteXPRlw^hNrQEAIOZOk6I`hNkQw!9Pcg`7wx~3 zt(G1?HRHz^j01yBK00BS%5C8=JO$4H(q|~&v(Sqp-9BvdZ znwP+F;v{g!pQRmro$cp2ljqqxcsP^CYsp3tA!Kh~S5JFif3mx?KY6~FtIvFA@?0;n z<6N)V9d{6t>-gbelznbGW5Dr~CpIxDo4nyxN7+Yvcr69N;F#F*6RVVkHI=fK%J z%=MjTO6EYqRe0PuG~r5zW26GEp~6*cc#{opvXM==37Y{IOt@gdg*jZX;lctgIB>xg z78ZyUG+H8x5UfFkM)w1&P$5``3c)&52o|D3uo4x5rKk|BMTKB7DijQtWA;YNtc6dUu@F9c#zOcM8Vf@vLf%9e`e%ro2%~Me6Lz?;oe(Am3gIHe+3>N25bSVU z2AzeRw=@f5x&%(mMfabkz=_vt5OpHP2*0C9!{1d1!WAv;jS@b<0tf&CfB+x>2mk_r zz<)#_#|)i@RVEUR{@z>Jia|sPzlcN>im0fVA%{|2i%MTL{x#NIn1);Zhl@}Yg_6YM za)eJ9G@8$kni(7w!HY?l5geZYYeK42Wk?Z+nUBTD$qLg6JbpqVpBHa;ptserRwmhF z0a}W=`%*nF`?50{UQqi{i-nJ48~4oE`>xIodv=EI=$l$r#$E921x}*E6k!y?@1oIRTsN+QMe^ecR>)prK2g-}CknbQ9C>HMxbBr&}JTCC~NVE~$9_sVZ@k=diyom22Obk#9EDZr9l@Z?5QN z96RCWI4y6%k-bR;rFrQ+(R>oICpoJkVA-!O0asaJ2c0q#7BFnf<-)tK=Wj`yk}9i|_m$jBv6hnR7Bf5YTdxXbhx*Rra~Hh8Ph2 
zWK;CZSMBLGx0uH4{!|Gx8k>%mR-RV<;;2SO5j$ypPTvLd>?w10oP~;>SqGo)GF+1B zrm+$$*`wrTeP(-Djb1#i7W*n_oq?|AUZ%D&PA|68v%_loz*Ft2CyvWYwt9Mg(yVa19L+y|r+GKS~ZOq{i?hMP`<(`i=^rYzS+8?pj$p&9^W96xq zy{j79uzH~q-`9HvMU*+-#V4Lu2&!PrG#LEwo#WCjlp$v)^|$2YE&Hm9Y}IFF?>?=( z*TFK)-MB4w|J#ndEk9j<7TDXK60>n|*$Ck>+WFoB*7l7py5XlE2E^(-Hfj7NEA)=V zpzmYoX_MaIS(m)p%d_SzmbkvCqC{&=VEOt#qWowr%8;P?8{pbfx}})u18yGpJA2#O zhpny3_;D~e!TP5sZnnr^Cn$0 zdtWcR!Z_>EG5zX+V12BfCHZb(?YaAo&D(~q*`KN&X&(9B>EhE}ciuGw>F3*qo>_7) z>wuw!C!<2zdUfhF!zPW|kb$1kzF14w_%O`sOk@3_Ha~~rz{a>hMv#-{Z-w9Xy;=DO zUSdD1eQn!{J=Ftm4Tjp@Hjnxat!$zO23b4&ICatKfg+E?OLk4qYBljSTD)$h28I7~ zsB&MWR^`vHO#JRr+~3W9s@W1NUl|>G+*R?@dXxS8l*_AMyJWl!Q{MgDcAMj_9glB^ zL^jyXJ?$%hEY*;|<7RR74UE*#x>Kn|Yj>FGveNvePnzfG7WziQb66e_)E>%oW%KDDqXH{jQXu2S6 zu}S47t7+UjBYpz>Fs2<0NmgKWgc>eFq-*S^kFBs3x(-?OoUYC6_ali>*g}FPXJa z{j*-UdcDJ2{*iUMH?kJTyhz(qTcx6;KU3A0K-oQ8FSm65z_Yl-nb!Jd!xfgAD^z-4 zFpZ5Jcb4v4nJcZQg1Q`h4d)krm~zFL6CfS&bF0ezH4V#uv3|V2Oil6oidKJ3lLJXz z!JLKd>T~?FRy|yc-M@*a72lop2l}+&Dl4MVQhCv~+3@{q^#Avn9lptr7T%v1KEMJ9 z00MvjAOHve0)PM@00;mAfB+x>2mk{AV+5oySUmhr`RMik5Q;SPKQ=%x96$gN00aO5 zKmZT`1ONd*01yBK00BS%5I_iEFev=!^?wJ7)B&IX0)PM@00;mAfB+x>2mk_r03ZMe z00Mx(znOp*#tQ#WfB80g{r?64{A@B|e00MvjAOHve0)PM@00;mAfB+x>2mk^T z1Qakv_%Ht}&gk|33l!2mk_r03ZMe00Mx(zmtF(hJpXq zf4P+u4hK#81P@Af^y%L@KHwS<00aO5KmZT`1ONd*01yBK00BS%5C8=JiGYkceE(ll zt_MYWPqHLwk&cs+NWYT`Nd80)(Si7oSV$Zq))H3}))OL#SV9v~kI+ddB@pF$2<`;4 ze^LeYfB+x>2mk_r03ZMe00MvjAOHyb7ZA|F*rWLoVL`#X_=F&c30Xia3n*yxlhtW7 zO_6CxLmOj@^p4~uk9B5;{@GbwR2EYEyENO}oEj|jfqaI%g{sIjTSZiw%TyMXW^$E8 zrMV16QE4VeK~$Or$$yomGr9CX2SyT^W)nrFxlDqnG?ObQD$Qlcib^v%GNRHf2>IDGz!*!U2F@I|SP zYDSR?iG#%Xgi3;}T&Qfl>=c<5_#1dL>Ge|WQZ~5llJ6zwVh>>@G2cs^mQY2<3p@N* zE&^S3N!xTq6#NqZ=8F^(tcI50@M9lhD@larLiQ7zau5Scj!9d!{CQVts-nXqAEiD$ zjxphC3g`Ah{@zHBsZJ4!3xywIDS;+KGC1i`6$$)bV=Q^TqgwwnpDwkZ0&xnnHw|(w zzrXur*E16@yRy2aZUqw41-fb?Jwjr5JT_zFr}dqgYUk(nIi70nKFlmpm|5rZMtAko z;rh7p0<+0HR>x>>j?u1e`(xp!>Lrbr*sO>2V7b&|642F(!ek~()(zeG=t+1yK=R1I 
z=PPL!cN^xG#gPoHyc^`6(sQ>6C@P{&vc)iYKH*Bc_4Pk~%U?IO(XMvd@9eM*VV^r% z=ojV^KktVrJ zF-(?4zv?$9dUR(rDG0=bpPyW^x1c6SOQP=v2GjfQ`3K zs19qO!e!v@$-$!$D{uNQQM)LhD2X)5`0U~*&i#4eroH}84^DbcUNAZ6P&5*e(m_*D(J2Z! zrK_4v-^aeU=KJ549$(x=n<=0uh&0LMh+)!j*Xz$RCtqCgc6xt6@}b)z>t~oQ^2OKh zx8^iGNp85FG8xH%eT@N$m~LWeaNE}PVF$X01^lV5#2Na*xB|@``G=khDDomrvc#E! zIs?zR^xi#~UkL3?IX9DH^;2ZcjO-4VqJ5fAB=>g`-%V!nq1D!=c2rc;5i^hK-hxba z%hlO@8sCg%~88eLtVLu&KZ1zO_Q zef{^3=??pHCo{RNc&l4y`wt#_qXos0Qrn*voT7CF+~&T*V6klx($zNw6ryO8;!Ht7 zkV0-VH8^dsu}rn8=VfNU#8JalE4&HwcNZq9J2LJ~X7aVqio!qQ* zZ>@aKRsT{GVApb4%g^sb!7(gb%Eoq2ahl>}CjEakDv`?V*eR1W%fRb)6*?m{)3Z>? zcM&>hc2U{-t3J?Ch)>^GV49(Px6PHfs`AeHm$exJiu6||zq|+#V+vBwT3ntZb)}|* zVDv%P-=MbV#qKg!gXGV=Jj2rFl^;STGx_7E6$^IlaqH39T6wMhSe}9=V_E_Gsr36O zd{29E2v%M|krHiEoGGaCj7t1`-7G%7zE@5kR~DMD=iXSf!!BGQ`*l*nw7AyEOqQ1_ zK|v0g_kKvdr|kDjroCxlYv~;esgiTb@d^5di7NyYoJf;mO+iz>8-`Y2^SZJm)a4H| zl`aYYy0SC3WjjdLR3{8A#?u6|&J@26?9{K%x-m)qAk zJZ=+EBt@DOYYGaL`cQq!C1kkp2L7Gh-Rn}HeWzs@lx(Sg5PcKZf zRwd_AA~O`ltVw>W@FCJBNjE)-Znv_)o%BLL!HP5~))Z8=*6+zlhwgwMKVE-Q^>eMB zTzfO`(_w5jr0Tf%(PKHo$xKEDAC}6o*YIZ7=-ntRS8G|$yVEb34a2`CaGO^P)I9obZ!=AV@`v*hHD%dq&qL+iZF z>vOuEFR}A{^m$>PFK;rF`DWp$#zp(*Y}wSAm=b>_J*M2x`zUX)`<#8SVx)8=AqXw0 z%@9bBU#+X?$ILx;P*%h6^11vtyFSC?$y?+hE64~ZJ9b4YCyB;D8d&A2+ZL6|*m@_n ztd8`1-<@*Sf|?U6^n#W5{@{c9)gb+es%5s<*#yx@y^`HT#fc2!t_@<<+~CF1i3F8hvTF2 zT<$nN-e!C77giX4vTOI3B;qp5ycvor4bPK}qw>&ZUON^=4L3L(Tyq?ESIt8BmbQjy zlj7WFIn=gt^Uag=UVBZGLYoD-5_TtUH-s5g9bi|ysVR<9Voho?cS}w=3;TAb`b(K- Zvrc*RxPLw*z1dFh*QOKE^1i+;{|DZOS-t=O literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt new file mode 100644 index 0000000000..3f0a9ff5b5 --- /dev/null +++ b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client.crt__client.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client.pfx b/src/test/ssl/ssl/nss/client.pfx new file mode 100644 index 0000000000000000000000000000000000000000..9c5f5bb3e5ce60d158e87d7b9b114f29991a7d32 GIT binary patch literal 3149 zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@ z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU_5bdAZV%CD78oZy;co%SBw zCYO`RQ=EMxZXc6FHAat!eT{bU+Lk3#bSG9VL=z(?M1@^XG^E4_@@oyN;HnGuKoyn{ zz@~}rQ4bgXom734{+-@F1>^dS>3(mimK=kGFWnr}k5qH;WQLs@?<=0HcXDlb*=@d4 z>gA0*)v{`DUz~}_q44vkYaw5>bv=Hb>u`aH#Pa~IeE)^!c1s7x5XdfV$=bvD{0ybX zbWO%Bf(u)2UxEN_NZ8BZ6^|*<&Z$?+?(;o010@C1fLmV#zS{cdmk|r~83$JkHAraX zBI^4#m7M}uzHc@A&GiA0411PxX5bbzWjRkP>JF;!Z2ct`1Khpm`o2Eo2i%kyuX}-q zcGe6M2_DqKlu*>0Pvn{T%%3+=%4Vs&quu>24+z;(;RRE$Hcn7|9Jf-%W!c1 zBefgZFU%J~RG-pICiT}4wmc`0n?!1G)`SB@l;(%eZy#9nxC7W!-3Y4ybi*8sF2qW) z>6yoIRpieiYVl6IrLdh^6h8=3e7LL~0WwQ+^S}Io@1`Q*bLVo(mjOFon!xffToTjr zxEi>N=EBA+dCv36M7$fPwGmLfjAVv^>AbvS4n;e;qi0HPA~Jmy@e$FJ;mhc#Cal0A z2hoJ8WK$;CXh+~WF%0i2_u3q9ft=#PWj#`AeF$HTuea*=1a}6o8|jVQLSWViKT+Ru z=2CpS$}m%|lTIyIqjG3jfj3zIC_klaC}Kbz9}iNK9ZUzD--@cM*wA zZ!p|qAu}@{_o@CA-J{1N3s%y$cW}{`fa*neZbhEvwq?(#*@71B6&Q?_gTu~*?RZjj;l%6JLs`{~Q@ktP7c^au= zhE&po=UD42Kg8l!9{E!!3*}}CjPYi7D>!(Ri|^}M6Vcw%;{gl&sdSS?eA9fwy^k?C z>aumcaLGC6=yPL455i;*(fD&SiUEy3v!~rLR1}q>+2}=OeM0vQAN?k%Z@8#uBIsgU5Pz(=o}+VWwde z|LKok=|<7|6a^39^W;!2f2tHz3+MnpILOFYUZ*Q+fcOm!v5Qo*kiO|72EMzF z;4ol?zrhF``KQVQV1&YTj9h*ArnlUqxm*hK{sR@`^Ypmjs8`A17~s^XrtN7II_Peo zU5<@dUgI1}25wa!V%a}6OUiX)PpeVJ%7w(WLa&ri<}&M^c?3^TSC?@-hcAN z+C`ApIe9b+!hmg;fQO2qV&?*x^xK$a3uY6eeac8E4kpB`KJf1QMTkOf97D@kWYZNH zqE)S1!!ImdQwgre2VBLObqEo~%5h*f#TqCA5WktIR>^V*`R3EGu$3pNPL5A-N(E~o zAR=EiaZXcDxmI|EOW^0u0)ruG#Kz`m)twi$`!Z|G`LcD^<{?|y0NEFrI-w%4N_EcT z0|v3ER=``8H$s4Yg4&6rH})Y?rtS+|I{ry}`$Uv;u*D<7xlW@EQBRFeuLg<7ragpG zFx<7PVw*7 zb$SANLU)trZ2AuiAk&)zU0CrQUTG3m)-G+# zQ9NwBnX{H3J2L+JilV!2nJqA;x3^=PYl`3OCVEkWb}&V)`HfmYWURIpCkXky@7lp( zEJj)Hx;md-)u;}^s^j$98@~XwyO8CZxbr)~H|5;p`*X0`JW_=aNp5|-nNNk1B3B}E zL0Dkzt$QY7*zF9ebjuzfO~3gFtw0omZsgf_o@CV-i 
z#_4TM6)i~r)~%IF!Il4)%%}=%(sx%lpD|6&LNQU@f4=a&)PN2*Of2@Fz);CqFNJ|&tf{me3>4C#y%A(%1KXptEvQiUf$!A1vq+}wsL z??}9Dg|a+}HY%2B;b0cS1`Sj1<0;@DoXiMu%9ZlK9@>I)&d}q+SWj*UR?_5r> zuwcKooWzf8PK;i6yql^tP3fN87`lnc{&|5y(h6C74}u=+dmi+y6Cj|ZH`sM(lq-$K zc1IS&PjPf$wOgeByDkL?qSYPzY43JoCSYt&bMeJpJ5$tfPAXr{b2`?x?m0h9=n>nB zT|JJ`g4Vuz)kyF=yU{Bi)c;c)m`t5>g`P>&HNF|8%MSX;SXzZ;Z&;gCx0Z4Vy(xqu zi|7`iAWr(?qT}nSvMyXGKQ;j$W_l^Fd?!8`6Jo=0%Cr;T7Y0ExLh{0XyJb>bLVGFw zq2G!@kSRLoz}SP0EqXG~Ez6DlR{@MM=6YkaWRd2Um`vImuN8gLKz^BsU26EtGJw=* zFI`{$l~+Lt1*2q_VmY&U)tvR}3&Ug?7h4B=*8?$1Jhd!Y-s7Kr%k-fjC>pUO6x27i z+mW;EUa`oh5z9|0Z2N|ee|je7hL$ZP5KA#VFEhLq&`Hcr1JULU^>eq|`z+|cND;?3 z9;@&)8%Yicp%XQ6liAjeZLi@lkIcN5pBvldrZE>1Pu!veak6Y`hnJ>$mnS zq*qzuE#+woZ(skhnWyaO3(J_1hEk?P!R8(EuSwELIeQ+|xN=)n>h*=Wb$E&x^jfF% za6ns1i2H)HNR3M9q4bwa2^|>!2|TW}-uG2n50|*h8?K9b5tAsDT%uK?qRtcp@;}jiPx6_V;;$VCX{Fnm%En>^t%W ztUtIq_4M*!P=zk1EBq8nuNT<;eiw6!bM#ecPLmdt&n1x=l$LY0kj02}fHH%6o?=eo zTSe5Fi2`%}Ck7MeFftobB*qFGurhGP-VN}eCaluLbyRU~jA<-LwL+g8JJqefsrGrx1BgwgW$|h2QPC;GF zKSBUzWuK6c{Qqoh?+pHnG8FWnHQezvBR;xd!nFR{XTi2XCrD#9X%BNOJwySm>}cHX zmmT^R{oGV;R1UgHg z2$_>E_@9SHif->wdYM6!l)YhLL~w5xM>}Lt6pJ7rZ$^RkWBX(smSJ%b&T@iqY;8US zrcS!!>6`R?JDNi&4xw^0>ookA7=K~#RKQz#VMW)7h)p=Ok*3EG)f6Q+&}>Wl!mfqm zIDV8H+neS~#wP$i?Bk+X$4MPvpVo*NyOWw0^ zq!UVaEOfOtWt@;FUa8K#3E+mX360Qo}j^)PefUjG>%Kf|NcOL`@4Y=)^zkWSS0s;sC45H)f literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..710f74aae2716883ec8e8bc4f8490b5f37063abd GIT binary patch literal 28672 zcmeI43vg3a8prP=Nt>4R*0vhhmG-u%r4`}ao0~MHf_)HbA(r&Pj0I~qNw3|Mw2>rb zurpRD11Kt>F0f8jP@Ym0MJpoXqw3aC!CmXtWf$1lU07iR%fe1~!3Xu6lbf_<+#Pmc zc0j)~JtzP3`rq&T?n$O6X;W3<^o3RNob2RC(&_yfw zksYT0ljNC+XtGH-%NP>QGoy^cZxVYF7bOf@P8*zXfT+~ z8ElQOxn5o9o#*z|H-|#57LVWOjVq~i6jeLKvhrz;J4MHJWOr&0BWV-ETe4qESp9uksrig<&0OmrQ- zP^d)>#!Pf0Od_2Zdf26$<@s!!IU|EzSrm4A{Az4^OmLb{by2a?F`R?1UUXHK-BDCo zBhGZxh_lPfDrP-s86Pj{A;REtH$vns16h;D?lgtLsZg=pG9S|rkBCsjMC+G&*x zu`8solEOxcJW|+6kxvRYDLlByr&cIZQb$BQBow(0agh+Qkr45b5HXSvagq?Rk`VEd z5HXXGmy}v~k@%>y9MRNSrp_{TmZ`H$on`7QQ)dgEWudbybe4tAvd~#J+H0e|Hri{W zy|zd%^|VpXJUWu{ktiUUu2e>3u1r@d(`XfhlPr;DO%h)V9c`hbEp#;Qq(dSD$ry!_ zQV_YeLP;r0X||zou#AR-Wi%Wtqv2o~^~Ew84wg}0EQk4$Jwq;x zTgk@JB-uThBwI+6^+Qq}lJ~?U-3XDfo}q9&B%FGy8`XO#aXY!Uh+-#W6^o7TTRA^R z;tXa-2FpZVMCSYPiN4O=5)ROMUF;cLC&eT=+sBiaTNBP)!fQ<89$Y{I0zd!=00AHX z1b_e#00LJefp&&ls7p&qN+HoLPNokRA869W55*(Xa3T|ulnLZPuWx$qld6&`mf6hA zL50#(bgO}%t>Z^otJP3g3RV`t*UT}RaH(gsNzZ}$&z2%Hg;d**!m|nE%T_Y_dhs| zZ6ye9Vjh{uq>W^-I87m;{@3)sLAbyQLwFZA;g1TvexKSLuJgJldV^uq&YMs>JFtPr z%fdg%WH9C~yM5WeO)Q(JXD*!_(NZKZ?Wh0<<|JalOF$l>6gY|_5b0x{?qK~ zfA8+ku5VhhBI~7BmmX{ioS!GyfA_P#&pHyW-H~m4=AT`2uG@7!&i~xzfvzb|=fI1D zTkDFanfa2x?VtOFzLU8oF0-feu8hXs(5By})}C6I60V!uyY99Hd!}w`Z9VNOupeRv zSL>e6WJ+sY_S#<*cDz#2$*nt?d~b92f{t+J+0Uow2c1tn_HnSKp?jS=_sPR2+q#|U zd3T@7a(7<8{lw_UC$0CcPal&zuVJ8irTgVAy6mEs_Pvh0>>Crm<9L=~HzuPbGzya* zo2t_zo@EDzGs8Ciosvmw=8zw&tnv zs6C;tf2sSrl5HQ){HD#&wVKOn+&R7ET;rV8OI|N??GO2_b${C0;a#3Fqd)2Xf;T27 zt=RE4w|C2zr4289y7RN<1Et<6uF0?xj*C;5NvPi@#9e0AKp-i4ee zerL~(XBz*p@pR3Mv*{B)ba}f>?{x9IN4;5GOrAEEzU#>|=`w8W>VS0Q!~6D?`+C0W zd0x*|9IAY40h@p$f00e*l5C8%|00;m9AOHleY65Y53X8w5giGdc zGLHDlj>!4{2qPR3j$hR)gy4Yy5C8%|00;m9AOHk_01yBIKmZ8*vUB{--mGTICmhluRw`+mQU~KIife2KP 
z@z{Vcc?A~0zziq>V!}MYaPD2Sk_QNth;kw*q7qVb;7TMHp{``7Wi$vyp^^E>Bz zf9G>f?{>Rn9bK5?3wY_NrR6jE0L@C`B@`tYLemn7L?)au!Wll4f{=$R!YlQJex8&` z2B1N4x<4f9Sf@lQ*PYZH(^P7>*t@aL*yGO|1noco2mk>f00e*l5C8)ICjuoZl|Ctn z3ib=|?h@}zZ-5`l2l()-+U|7NiX3#2Ej!0Shg<1BJ`Y{s9GPo#PM}9QCeUN@Mi!27 z(D`|^JwI<)&PaO^?Q|66*zArpTKIi+CKGxw83(GBdV3Nj@y+sh=lIJ?grJMB2$Yh# zE9~!L!YU?PsnqLJsMkq{;u*ZpGt2KUDEGa^2fQjVxsiE89ph;d#3@8N(0zCYnT$ge z#A6)sDB<1Sl1LZjQywJvj0bBRCRgecQz%y`?F#ps-r_*SL-CY{KNNn(g+YwbE>r3g z!n5)D{T1Hwh>iRyn^5!_7b|0|%A!>IloV>Eoh(_zAflwARcP5F?QK~&TXw#)D2?Wk za0=_jn}n0anl#`R1~*x8)rzZDQpH`YW?XQ%u;3yc7gk(k;DX16TPQM!6$+Ka5n&Go zg|35L7=&#Ygnbxf&|V3|;)%iYe|ueCm=_QL0zd!=00AHX1b_e#00KY& z2mk>>0G|J0BLD#)00e*l5C8%|00;m9AOHk_01#;Z1mO9<{jV|15C{MPAOHk_01yBI zKmZ5;0U!VbfB-!I!yW(vKmZ5;0U!VbfB+Bx0zd!=00AJ-{t3YIfBRo!m?01V0zd!= z00AHX1b_e#00KY&2mk^6|NqsR9unP_4v#vFiQ5~e(N5Kz5E|eB0zd!=00AHX1b_e# z00J)}}oZeZTRgm)Sx!H?P6>dD(dHVhb2|El&`(FHbsP@6#9oJfVODRf9(I{4_4!KBU zp44*s?X-jE>Q{fX_&b|6Z>di=KYrP(4V|=!Uv=ikPgY<3ep%3fapjHtl8P&3duH9&4L&*QcIvj6 z%vbJK*QHi>TT!BI3L2DAlXP=!Nb-D5)tLvL-&M_X{_5VOqDB-sYF?Xr>#WpgTxTz= z-*Bb1B=^N9trdbj1DmnRMU{KNB!>lMo`oalC0vZsD~{ifS-L4zV{lAOB@NltVb z-wWKPi-FeE3%B$ z9w@j|=qcPhzEQ=LW@iQs@~BC=&230h`b#el8<$FFxi;_#tG6|_9Pi)bZ;j`TiuWtO z9yK7XuC*l3%&4!ipWA(^W1Qkg{h*A^f6lA@Aa(fM>_w0F)FfW&KR9TRMNLxpR=d{U zILE4vB#*tCoHwzu>E1%^#0ILNcEPT*o38IW)1NJCyx%IxrooNe^jovHHupLFV1P4s zjl5y`+9B?S+Vt+8w5x|sp9vbIQIoWwHY8b{wLLk;&}Dbo;V&-icirw=V12x6b1-{v zvhH|U@uGgx)<~Y7_~qP3J$E|?&b`LmInZfwdHm0-jaycw|Ms}6^N`}x-Y!a!WDcrl z^L~G2X}QNWEl{wgXYU0&bB&c1_b%S<+-347C=2ybYQ$TRRzb;7g1k%8ie60%=dF{z zbYp+1qGi?cllQL=7IKltf41Y^-WE1+~Rs8pVwJuSjYtaqTCF=I;=IAcz z*6Sv`V7GdhE)W0$KmZ5;0U!VbfB+Bx0zd!=yto8<%52p0Kl)Qg4O>;w!fs9(EzG$U Z(ZX)CJX)CJWzoVGB-O~0V#1#&{0kpicC`Qi literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt new file mode 100644 index 0000000000..212e72edeb --- /dev/null +++ b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt 
@@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/client_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/src/test/ssl/ssl/nss/root+client.crl b/src/test/ssl/ssl/nss/root+client.crl new file mode 100644 index 0000000000000000000000000000000000000000..1d345a098f4488bc747deaa0ef788d7168beb7c7 GIT binary patch literal 393 zcmXqLVr(_YH{fOC)N1o+`_9YA$j!=N;9zKHV8g~7%EHWJ8j@OEqEM8dU!vgbsF0Rl zq!5r_T#{at8XV}O5FG5IP?QSf6c=aa=P8tclopp}mZXaF8d?|{8krj!n;4jyMv3#9 zm>HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W*6S@zp;+c5W9+ z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGwBllh2*f__60v-OkD9uJ?Uw)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2 zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..480e281015f26cae72cf86ba29e62a4fac1288bf GIT binary patch literal 28672 zcmeI43vkm#9>@QWByC#S^eCFzQ~H;y(n2Zwe#xGSQSc!yu!J`7bj{Z|IJFE4C>%4_6=o0U!VbfB+Bx0zd!=0D=EIfjphg zXiQ<}dzRI>8(m8ro|vdk-D&3pf|MUH*uJ_6i5J^=c0hiRo5eXS^l6 z4v)_la5qFuG*_5}8n5=Si0LiaY?Lu2gJq{t$Lg%sJOaFD`@i)?CzLM3%X#6v`(d5DXMh>eJdkBEqoh=`Mjh?R(l zmxzd&h+L#p!wbbnou!bb&JuN&sIx?!CF(3uXNfw?bd*d-$#j%VN6B=QnYNl~tC_Z% zX{$NZNq!c=%WaYs*+eW=NqkjF7N$xvgDS}qRY}&V zN&--ogknfiD5@MDM)9auhliQN!_33sU>Obv%WybYhQq-!?2BbM94y1WSdQ=|dxlJm zuab?UO0s)YNw$zGYlfwJST2f4x)DNsox|ZcNjNno2dZ&W;uiAUB8r{#Rb(^Ww^DYx z$mxu>6qX6Sh}75N6MeNK;P=vcb>t4N79*0J?W4)dZ5+;A%qk}KkGOyY1b_e#00KY& z2mk>f00jPr1cHfNqh?He{Ae;qbAsjCri#C&?qhHw1LBno@}P~f%>AIEpn_$#Gk2jp zaVpBy@l_grl&R9~^9v1LuU{yzlCQ;tGOy2H+u*L4Z5Jvk>_USZSA0H?cbVWPU3~%k zZkrpE5N#Ykxash=qqAnDJzZ9pd*okb~!R#4Sp2l$D$yodzR-|?)z7a;&l26Yp1Urh-2AUEpz=~(O6>~KJkiD zmMG&>sdASwPB9}zRMhGXm?6lH8yPmMW%wX#U{H{a;er^%-c`r`^QdNHeK0rE9PH{} zAD#HciRpX4YP`Ru_RyO&_lb)=>H(xXD{JL<@x`CeLO%I*-ZsF`JavW>i zy3IL*mt(7QUwqMXyW>*o$Nx-fO?$JWtbbRQ{x^-Y^-mOj*q_wteJQYJ-6c(F-aodq z6s6=W?rvTljrOlOz2K?$hZb5sT>tw=yNCLBAKIOKXR&U{IjN>&;80uZ&gp+U5IoxU z@TiHq*(u#AGnTNs9_edI%`cFrw%;>3|L%!h^DcM2d*9~7!!4io_MTgro%XA<$Hr~c z)v~Gb_@qA_e1q?3zc{(QbMk2S`(16*iY~V8UzK+2q5PWXzKFi?pfjg-;g^A}9M3ZB z)&vxfM&VoJwnU8<@htnzNM`t{#>`k|Cd%QSIy2#sJN}UQ)oIPl6MOfaNd2_--BYzK zwFf6I?)%r$C!5|mx2~uCubVO+8eNtrzC4h8vu{$rc4)itLg&3RmbS{i|qCSjTNYxP0r3_qqqq241-E*pz2hZ;DMm*0+3Z z^+%nT?>GPDg8bMMWBc!WJ$J`sP0YTbuFuClc=DZ??xea;lHLwZO3d6fXXTp9O}hsI zleWx_wq4rz%6$7LYxib+voJ2Z{Xoj1ug}XH{_Z`vq3@Z`K1yA=AQ(IE)}~jS6K)?E zd?Ukn=b-sbVgFX|glq*XMcZA_qdMZ%ed+9tk-+)UTMBY)u5y6zV# zU5CB2z&hckej9iAbo7p)`o~>9HU@{x8O}0>L0mur0zd!=00AHX1b_e#00KY&2mk>f z00e#s1fqEjOFsMLqIiv-eApK{|JO5y1BUuv!UACpKmZ5;0U!VbfB+Bx0zd!=00AHX z1bz|(rfHfJ*cf00e*l z5C8&{fQDyS?uMTKPcnwnhLeC72mk>f00e*l5C8%|00;m9AOHk_01)`O5{TkQv-nR= 
zxSM#S|L&i9gueej#TZT*`hKn}gt&nK5C8%|00;m9AOHk_01yBIKmZ5;0fzouz{o55 J@B0J5Zvjw2gWLcB literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..65f7eb7f0b7bf0b581fab253b06484fe09083650 GIT binary patch literal 36864 zcmeI5dvHuw9LMk7cd}Va(IteNn3RNa?!9|A8x)((DwReA^`3P%yV2FilHJr}ifpx% zC^J;sXi?9W*3goap#-DD80wX&dJJkX9x+}OqSD@T_HLIkHu<;l+nGK4z2|q%_kPdk z+}-3RGs)mVS>Aw$$@dja5CaTPHKk~p>ccP;MJc6cjPwjYG?Gw-52RQ6Dg7d;q`IQ+ z2IE6Y7n@7Psf_#dyY-XxLhPN`+}O$&O@e+P00e*l5C8%|00;nq{}X`%t=5!~KnFVq zL|1`lf+rwmiUBeFsv3@PFWkpWC6kwsieA2sn9 zMm!2cm!}{yMDvUXDL&`Hr}R~6Ol=ZrXDD{DYrH2f5b;nyKU6*^*I+Sn=+>-tu-Yk(hKZl%OVC5rI4*c+ZO3>$i~?+2Idaw!iY$E zO8X{q(v!!Ubl@HqcUkeF6(3s3As%8i<3_-Z1vhE9vEn8jHzICaQj<=sP^cx22z#(7 zbRO)&B5cDV?872##3Jm(B5cJX?8PE%#-cpj%JD+^h%*<`#F-<`9C7A|Ge?{`;>;0e zp3LIOES}8b$t<4CvXH8UR4t@xAyrGLN<1yZGmVTSd{_dABP-<)p39MyawM%8Ne_<2 z-Lk~KJQ>ZC(L5O~70Hm$Ks?4wNSP5nx0#SK6H;b!Rx>%Pne2-|<_g43AZ`Mgo97XD zGcRCESz=#V;)Tf)pFx&*iL%7&lqCizOH45&2^3jIrV%`HZ)BP!Jk1h`Bgt?aNrvM{ zG8{*eVP8px<47{>E6JyP@il`_EcN0GN0#{NktM!_Wa*AbPekVbC&`5n8taP0ap5>_ zK}2pBA#TNciwJf+*34VTb<3rv@CuFT&BPad1V-MgPBxf00e*l5C8%|00=Zz0f00e*l5C8%| zfDnNDf4C5U01yBIKmZ5;0U!VbfB+Bx0zd!=G=2hb|KIrc7*+@bfB+Bx0zd!=00AHX z1b_e#00KY&?*HK$00KY&2mk>f00e*l5C8%|00;m9Akg>;!2N&Y-(y%I5C8%|00;m9 zAOHk_01yBIKmZ5;0sQy>b^5lHaYd8bCPNLI4f?oz{T`_U9zXyH00AHX1b_e#00KbZ zB_j|_(y479zC!uE#~)tt|@3*K{F^;qYJqxVxHD2 z#<2F`dE>Y$Z9?*a4kKrFOLgY|l6=}XcFnAcOx4trj^4o}ZS;`V2866#*`l~)!PWBG z?dpn2E4CPao%s6AW$grg%Lhrt=kjkKsV`(EH76654?24Lo63=2om$qZ?$ov>2iyZn zt7lap^rB=CiRL$DBGb1m<`?q4Ny?Vp2EA@q3p6uVeP4O{zYp!AY=@#)V_iem7 z?7@t(oF9rx9;0f@hG3E^YDky40U@nrE8-_!c=b~Cx{fVo_BvN}VfT*q_YU7I9r^h= zRDDdTtS{smUqy{?bLZu~mO6%An9)O1Al@}x{wckE-Ib-aM^FAv2a}XhLrVYEuKqX9 zw7Hwk1UD^ee)jD5+aDE`^;&H@|Hq#A>K{w@Z?g9j6KwT`Jg(s0?U?;Z%7RIbCC1dH z7dN!sQ`V)t=D|YW+FgSy4G)7!il`wir~x65#kA>XJD4`%QOgmUCFKgODb~NP`f}>= zl9D{Hh&SyEtief;p(0 zDEj@AeMRm&m1A7fbD9_P4|nJF@c62x`QAB*dZJDmz5Edrr>2#twW`IVnzL_Fd-=fn 
z-rKs3<$D~NUc0!flttCF?$JF%d9xeGR^RV2byVHxGx+!aI%6Bkc;DFF*v434oMNmp zeqkK(l6};}a)AI400KY&2mk>f00e*l5C8%|;N>OIPHCfG{G&fz)Us6@t?Uvs(aM5L a9j)v#tD=@QWBoGk7iESutkM&VryH- zshoXCyR-Jr_)}GQf+TI%cxU3f>zq@ZvF{qA2W{L zP22hH%x=E>-`(&2_LKc*vPmXobM0=QOIYHmU+(Y;G84zJER!P$48!m^N8lVvS}Zi7 z3Vviq>F<*~la8jv7={>K)K|f00jQ;1afpb zqcMqH=w4CnYN%S~a96MJdQ1GyT6a}MUa8GmZW9WN@@)$Q+9nhi3E_4j#UUaob-I>1 zR8WUnhtpLX?xDNNfwo=iAgAVQbjI70*n8=Cuiv@URpkpiXs>cmTd(yHk(g@bb;jF5 z>u`I$eph|iM01r%u<=?CiBZlG4IC z*3yN-Y}-PiqNs3gg^kRRS6ozJFU%_!thvRdMT)bnU0d_D4C9u=_r|wGSgNwZ8g(Y zGi@~oTdAj+dS=j`l#fUONpz(WB4Z`GQi(>ZAe~%%DoLL{*Y? zs*(UyC7~FU6pAWGhEY7~)sbQ5&@l5zI9P_l!7>yMmZ5O44EbUi3J1%OFP5Wx$(|t- zaFw}@gVeHGbE_pOwf zDsnobEs14d$beWSjXY>|EnV-F<(09_F6JJT zBTh%zI=(`~k1>_Iygs4ciQja3wiWc2uI}9YlJuGT zwwj5%|Frb1xcRjg8Vlx|jCsFZ#y&u(Am;HBX57_Sn&K1^{ST(=<8qA^=F*8T;qL$m zg2`T2{VG>|WtAhns@{hJ{CE`LbbsVImiz7%qZplj(uSEE24h$@TFcxxSTx=kgHODo zlp)IaRI1!#j8V);5f!z16J`jo6Gn&4Y8gJj8WsIyv*e7Y(cWYIJomi+Wqk6p6#4{b(Ukj zOSdg+=t^{D_VdrX?{ZvD{?~sJT2fwVFB#aIq5oyWT>Vq|?+zq%cwX?Y-*{P5ob&1S z=7OZGr9Dk6BT?7-GmD;idw8+s-AzwC+A}<`@9@6Fy9;&8&P&zpgNIvN_RRd}!N9TB zhsR9b$4=`>nzfAG`$&Ita&DeHz3twqxxb#=z2HjsoA+;vKhpd`U*GvPnJK?GcYMMY zT@9NoPfYmzp_lpgwo6mnI;M_wz1`h9qu^3&*V>dj4(C=s_fh1<2c20pi$C`7;CPl{ zcf_GsGzQ-ycgAb9h-cZaM>E4uHD<;#vr!iJ%-Kng{OZZ{FV1LYpFGfcGWmm=H&53z z*BqL>wEw@$pKg5P{Knq4e{4;AXlzN2_?N-NTfI{Tw8OiM7d!5owY)|4Cbm5M)`g1x z`;Imx9=kQUqoS+%#OaoKf6d>s)4peLvp_Mykz11^x&j06&k4<}a-PY*DbSFuwT*l)xtVT!M}E((b;B=G zx^{bUo^{eK12*o+naJJ4b&pqh*(e+`XE?_ghHwE12mk>f00e*l5C8%|00;m9AOHk_ z01)^&5QyY8Ecxt{i{LeS@?l@_{9nfy4jSry4hw`e00AHX1b_e#00KY&2mk>f00e*l z5cp9Ln4xKkV{gKb1PZW^{>FWR=l}hTVZY(vkAe>b0R(^m5C8%|00;m9AOHk_01yBI zKmZ6(0veuSxtn_aKgAf%7)}9RAOHk_01yBIKmZ5;0U!VbfB+Bx0zlxWN+5zC%i=#d z;cnrP{@Z`*5&ZuDG-Ehz=>Ms%5aI>`KmZ5;0U!VbfB+Bx0zd!=00AHX1Q_~r0VA*I Jzv~YGzX1y zal`2{or;fXVkWrh#Oc&wobNbwzBiN2XEGN2LrFB^V~&{Jb9%dKjD>%Pza~BX-t#-> zd%x#%ZVML@7@L<}>UGg2)7(=9FKtwGQc#p)7)>h_ig4)}DLn%ZwIq~*1L>7|M!!sk 
zE7H)wX#Hb_Mr&6@DfP#6hjg=by!M{fu08y+Nze}jfB+Bx0zd!=00AKIe`F7>hcOB1g{Wy)uh|4mV7InZyBC#r31Zma%nN0YqyQI*bC__Yav}Q#+FxL zrE|v6={aLEvTf=4wB4GUZArJL($e>kLYvy5bxk<2oZSw=F;M5-oIHIb@`R89UW@iY<7{$wQK!w^6$St*O~T$ZeqC22V% zJy-^J%M$w<$!H@PZ6u?mA{pWzh{te*6o>G+IYNpfq&RX`j+~Vv`@)mCJaOZR8&Bps zUA&Pq^4L*FG7v|S zfjE*3#F1pcSCWA^k_`At@)=)z&EOMDz4*eBCBAxOi7z2p76+v(C`p2H&d=CaCefy#{|(iN;MQ+`t0} z00AHX1b_e#00KY&2mk>f00e*l5a_4`w0L1~|KCx!7uE#?fB+Bx0zd!=00AHX1b_e# z00KaO5Pf(D4bt{eQ>bV^|>&00KY& z2mk>f00e*l5C8%|00;m9{P+Jgx_E_tQ_Pc?g6N&mx~LM}5vc`-a9e-swec{c%%Ac<*k3%Fp3JJXrxtZ{4QaU z&uS%I-+JQd3ij-GwZiXNyXVeX$zRL6aKC2Nf+6~Car3utedtSy2p!Vgj*us){4LJo zKmU-sVDV?08lj@S|7h`d+m?SS$5~(p~X!W?bgDPAAavkQiTl3i|q*c3;WG1 z=fe6ai#qpqAQXnXdj zm5o2O*7Uu$KJCj5t9?nzkRe5`9U*r;+T*TU)hDBDhb8aaO0wbwf3(`Lw!l%Awx?4)voO~ z&JO46jdLr$r3~7o_pY3~u<-br)fq#!8Egk9-durtrp|9GWPQ!zrOMpPb+%)pFZC$D z-$ zvc8+`YAHXet&sf&b$@bn#K`@+Sn=Y(bBWaWjP2`^n<9GKPsQZz+;H0Mpi~K*PcvQc zcxF#?7tc69efh>a4H@~ixy{k1%pVslgVmWuncZ*W-~Vg$aSDBlexN>1zgJ(OzpP)Q zFMP#5>S4J+00;m9AOHk_01yBIKmZ5;0U+?|66hIjpFQ Y7CB|8GB1RODw|N4E<7PJ@Dqi90gcpt>i_@% literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt new file mode 100644 index 0000000000..5d04ea23ce --- /dev/null +++ b/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/root+server_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..433b1b91c6a7891f52cdcd3f87655486798c5b99 GIT binary patch literal 28672 zcmeI42~-o;8pmg{Nk9xDuTflx6crF*CL3YVvb#lPcNYUhK#>Ru7}P33SzIdRxjZd( z#r23AT0o1f8(Q^=%d5Kxbt_n&OSOOs&v)-l*mAI^uX=p;oIB^to$qe{`^|5@xs#bB z6A~nk(}Zm6@F~OEdEV8N6Tum;fe#319-4049J5U;-bUfES0u=i89u;}W8k+Nc?dxab76 zIxsmhJ}#=0Z?M02sJ~$NXg~jP0#qj$Gg{D6FR)k8l+a-a8!3b#g?L4zGQOn+r=0?- zGgc5e_^~+ro;KuU)L)$(Ib9j0X;EOeQ!vyTYtR(!;LYUldo=GyoLZf%OllEfwG+`- z8f(aChb%X;6W_*$T<)z=M8+#yy0;h%gHEWokKDg4hq!1#VDRu!-ofJqBmKtLJJARq1Isme8}M22JV5fhsfwWoQcO&=eG+DX2tKP>QCY7EM7hnu>y{ z!9BfyNLi@2k+Kje3z4!ADGQOZ5Gf0hvIzAOploh?E$ODn_G<(Q%QWz7nJ+L244zH%ciHiA549X)vL#!Gt?zFyROW6YiqHg!^eQ zAwYu(De6rG#bCB}LwF3Ot=*)}-K4GV0JGU0U^cr0%w~6h*{lo9W_N(utP9LGx-e$o zz@QWcj=_Y{V=!R|8O-QbQ`u@xYcWwE=-WoNx)TZAiIym+=tx9d29GU;u*0@ukrc(P z(9MBnaQOZ|KP}a#O8|4KVP6 z319-404DIU5m=PSN@ZDf>0(J_1{(RMvob2^Als#bGJTPye)IMQ;8}3r8PVk-zCk3h zm6$-Klj|v67G=)iI%W>btT!h~Gd4l_&|cIK4l|6!?Cct>qkqrL5bxN9>(*3$b-?#zAAVuo zsKKdae|Pn^xOmCE=)_R&;Y+r@6OSB?msaiy<}<}ROXPco4*BNO{-*hI$MsQp{jW^6 z{r9c#uYYbQS;7FFdu0d4r8zVY9wrsjm_CsNwRobPLhN;sko^N;Cv38jM)gqIB`fIa$ ze;azauGrZs>;C=Kmt*I<+~foi*EbB@laiddtwyn9iFW6Bt{?UIUQiA1e8t!qxd$zu zs1v-bw6Ak#MXWkdoc?TWXr0Y9$<&PZaV$u1q=`l0%;uQuV-!C+3!{P#vTqNmKNNG$ z&)UXZ2Bk7O)|3}Lg!0sfoCJkjl1lZ5<1QI|Ofrfk(cRVTm1~z? z%wG7D*^2VB_6?8er!sNpL;6KG$vh)qOQf3vZ;nOuc<*mB}dOHO~`? 
zkyE;rclENZ4XBvsIiN~aSvsudLcfW(h&{_BR@&b{YEZOEHe`NN#RdC(o zDITlLt1i|(>7@BNWRByk-q)|~k5Y9nQ*U(Yp^aU6ZTCiR>6;us&j68Z{+l7UmCBK^ zrrYGNzmquMb@wf8Xl(jNW2Wn!5Mgz8q52D-`o#-AD?a|^@l%YD?>quZMy$4ccjhRt z(z`LV`pFE0jm|>WLGb)e(c9yyqfS;}f#qGqPH@8()La2^6{4TZ-Z_LARu(4w0S$R4 zwpCM(B#0-xdo+TJnQdFQNj3q_a~=W8O&Rc7 zQZ(=CuS-~K6VpANrRj%jmz#9ET{*1ig*K%shLdPMsbbC8eA4>#syNq%;A(zGoA{g z3+j)p$=NmRUx(7KteM|=-~rOT%x1(4vT#9lmYt8UXvpTtE7qb+hmK7yx@}T7 zH_{_!%1_Dp3?@mC`4&_csxz2rdv{~8DJDt2Y0C^;{n6YwlJa1ze(boQ-rd2!YS~R&`E~oIj+mJv zQd{TDKlePWdg^JN^_5TT_Jx&X-MN<&{*B+RE%IH9WZt%0OK0VeI9Jy2Bzb$?QunVH z<(XMut)7(`acN&;iu7ciXz7YRwXsJ$cet=ji<=JL>NEH58Pl@v@z=ZmkUprJb76RD zMq}E6`s6_y#+vxQTDy0={CZ}Q)0-*gZkrF;Ond!YlzU%Qnp^$#%}aKvlhVz`^-9|t z>Dafv;iwb8|FI35Mh(pgFDO}5r5kYPC0AQ%AEKqU5Xn`uEgnx{r!gzw3H9y~`Ib}b zohK?zfqaawx8vVx{TU}7ne1pvTo$D!O@YfSUIoEx;633z1O{F(0ZafBzyvS>OaK$W z1TX9uSLLw$s*x5H!Qv3{EUeV@cfg}iOJ%^2Y&kd{}_T7&x_$5;wApI zb`X1u319-4049J5U;>x`CV&ZG0+;|MfC+q51XxUhWWj_vl%=yE-@}gt0)P(p-F5W$ z|F#70Ah`RF=h=Q#)UY#{049J5U;>x`CV&ZG0+;|MfC*p%n7{`kFr1~cBHza!>R9jT z)}INVBQW0U{eL+De*1rica>NE!LZ_iFab;e6Tk#80ZafBzyvS>OaK$W1TX eOaK$W1TXlwMy-m>3o;e)aqjKCwcukGs9J_RDk224dP|FT0wOIUi5YZ8 z1bjq|=(5eJ$uNr}nfiwsb?S7+ZMsc^I?dbzH+7E9Wk^&s;_f-UT{VWnzr$aXo__E7 zo%6ll^EtPL3kl52$#8pJbn&u^Qo&0bWCLXsC7VgpGMP*+J|o0u;Gq(QB5)wSQqSm~ zq+B)$C2MsLW$H+qEJ~p}tvR8o((sZ0MA{-x_B09lfdCKy0zd!=00AHX1pZG1O2WhS zF)@@c(JMGgT%|6rkS2JAz^gjdW-;el=v;G3hJ_CF(&OAtI@@NQYqk~8Z&(WG`I*+7 z`4&1WlTOXboRwis&82OY>wD# zkz;$n-_8V7M2bqK*T+(YWI)kU!R;*bc(N zw1C8?xNib0J`Grt4&1}wE)za9;X@NS#6wIRZg|`naWe%sCfp?9M!=0jY?6o-^0&kh zVGjoR&x2hUgl!mveHes|7=)b|gsm8ay%>be7*vE?DV{$cac2FRIJ3l=CC)5yW{ERP zoLS;*AhQf)mVwMNkXZ&Y%Sft5QZELkaw@LZOxlqG37 zBtBRMcS{oc8pvn^8Eqh=#UdHvABe|rgcOJHxj90LBcwQTR*syNBm2UWxjb>>i5pMm z7P)u>XW+4=B(bj~@xmmD&mc*>L`mXxN)iK1d1es(+D1^H#p50m}U&d5oI8b zCHrs%UXD5I67u z0zd!=00AHX1b_e#00KY&2mk>f00jCgfk?bCxc~33+Y9Rg0zd!=00AHX1b_e#00KY& z2mk>fKnTG7KU@ev00;m9AOHk_01yBIKmZ5;0U!Vb`ac1<|L^~M3@ZczKmZ5;0U!Vb zfB+Bx0zd!=00AHX_y2GW00AHX1b_e#00KY&2mk>f00e*l5a|B|;Qqh=?=h?p2mk>f 
z00e*l5C8%|00;m9AOHk_0RH>`YRyQQZs&kU1LkY@X*E&Bn$N`!cmM$)00e*l5C8%| z00;nqmyCcfPOUV*Gf3ufFSZxCD!g{Yv&fa?h| zWDXuiAx=Sm96kF%*Xk98Ti&f2ab$N}mUY*4efF>$6H422_B0M}yA(!IVHAxbRcgOW zSj4khL0`YNkULU!{6)oFceQ~OgAsu`lLQXH=dE?wX@83(u}N)pnhrk*z)$?LRzafv|P-xD{fspzV-a7hh-0n zE^Qm$+QNMi)znaZuVIWYP7yMsgX=>`Q%!Ac<^KHNI<|gPo3?&pm$}5YcWjq@b$i2S z?bFla*Y*~&X~UZ*FXWxoHn-U1RL2ivMc^|W&WMl)|U?YG-JR9-R`qrPP?#4Gq-Jhc4Fgf`6)Z4jNyFh za>3)NT2|qFZ`9`YW0MzYw?Apl8*xyu?mZCSji#Y-Dvk6J6s4r(Xt-i<_nNpfhJDKJ z*2PEb_jl~C$tk}&RLr6nh`8#){4~Yprla*KyS5`I{{6pN7cJ9u>XLQQx`Vovy34xl zx`LPNqaKzE1b_e#00KY&2mk>f00e*l5C8%%FM(I(W~%2O{i#EiP2r)+4qg?i%sZ5! Y$_`Eus>}=WP-P_N|ye#2^|WL}P6&Nfp#~ zrPRm4QtJxZ>XBM27L@8)twn2Hx2wCd))ryc$3e@gySji6)}4EkfUxM#4wn#0bT*mjcLHc)Z1G$Tnu=cPfawDY#mDYOo9&qM^jHf$nvfEEcOV zuTwT1~#*kYnr|-f0M2I;ol{o%Uf4rc639Iewxhc^W-I zJB?186rYr)MKeSvOp4XTN2k)7sD$Ly5wxD+50*dV{J|j`SD+deRjE-?jf!eqL|xPh zlqpfBLRmP<)F_KUnI2^ZK8wIoj5EiI4ANj3=R8P-WsnTZARU%LLM(%nSO!V44ANp5 zB*rosD0jK%^bae`oie4G zR+Y0AYpSqjIPQu0uo#dWuT;*Uv2wgpIrdh;@JY_1YL|(0IozAWy*b>QZ^T`k9Z??z zCZ%A|+zL!efk`RwtO`7<0$&#;9;?J^O01^DV>66OPQfXWq{~FQE)y-xWuh5eCR(D) zMC){!2%yVE6rCo9;xfC2VLYzdu3;+oFjbd3yy+l4b}^iu5COP#aI*Liw$2Z9jM2J-hQ z(Mcq+otVxz$d4F%5#ueE3@aR0*yc@=ULt~tVk4QcVk%8Y^$kxoTJq^=4f?=>PBdHc zv+|57Njf?uMMviu`GUn_GB2d_Q7?-zZ?Q3t&M@ZXTV&q+>tu?W|H;UL8LMYq{hZr+a=rc7^whA)^MhV0Owr7Hdvj^y2UXEu z50>q1o%q_)y7$91K7Tkps`_Z0r1tcX=oyC&=cpQYCCezq&i%UGabv%DHOR9Q{8>(#A9MmWQ1eClTki4Bx%jTKMr*{f;%Zozo;S%=L>&SEZ*K zrpzzd=X=AlFw)OFJ-#4YU2K-q$XXVql79@YA2}gf{%^7oijM#nDkBp&S z8y*)?|2e>qPpGz^Vgx#gXi+#Haw*P`i)6<#W1PXI#KDzkHviWVX60XL3;cXMWJBA_ zj&3_UaeVLxi8*7ApPiI~f;#!(gP0IJ*L30S8uRAZhU6tRCBK#bWEz+?bjQcp*V&R| zpBBVUQOcrMnaS4?6*cj0BH`B^i`_?oynk%^-?;RU;<>2!Dn80BmYgtzVYqV(rDy0v zGxG8o2Q`>+2*kgk1f-z%RrlC3%oD?926x+(itamCG5smb;2?)Q>^3PP_?<2#_ysBKy6(f`NBan-kNi<`2L|%!rQ<4Qn~A1 z%)Zra4gO_s-ZF0y=$4GuuQZA`k8Z#3l|E+YPSY#;yMceYGN3s4tIEWdz2TBqZAp@K zG2gWe*kk_Gx^nehVM65PEk&^bqqFPmi#(Y9E3eJmc&cNz`n$EiUQ^f6Qgx)tKPX;2 z|E4^%vh7G|@vd=yJm5H6y1ei3Dsog^!1(#(-nW{I0;8h2vE{SEqGk-QoqE6a+j*P& 
zA1(U6sp;m@h~O7))DPJt&LRW3p##<*JWN%V-w7+<6Xt6?Ra+Vtd#7~&8^ME)L}hOM z(W7;lVRY8)zgQ~-6iJX3K1@HRFTYJ*?k^NE6iGgKm>GYQ#&^dF%xJ;J>%-pq<$IyG zuL&nKR@XEJexLR2#jK*NgTu3%uP)e7aN_3bhVnCIBi{5)jAVDW`M+ox*&^!LE^FO0 zXZ(U<&f;IZ{N$~)<~hgh{%2nd+>^Gy=)%R~$zR0m+NRsJLaiCH{otaC@h9urZ&*KR zeP`5%E6Tk5>zfx9rk~z(f3fQ8R_>j3gIneu8nYuz=vmWI`@`U6e?8$@Hz4QSfNvZl z`-kqGymaOLf~q#_$SqSmw0AdsHcfY~uzJLU+1?T52Lk5ayTz4UG9N5y{_ydd*`;NA9~B7SfY1r0voh{0R~e00KY&2mk>f z00e*l5C8%|00;m9An?o*@SubwdZ(Ro8lrGPA4(`eZ}>T%|8odwj`V;u_nBQFI1U7W z01yBIKmZ5;0U!VbfB+Bx0zlwrLqJFoBo!yL`;brJO9HXHj^xR8oX`K+gmfSO{Ga`^ zK?RNg0U!VbfB+Bx0zd!=00AHX1b_e#ct#1t3+;a7)A;=qh2BRHJk{s_dO~_ddO=$M zjG_g%fdCKy0zd!=00AHX1b_e#00KY&2t1br`cS^;UsfpBSul`NOM3rP59jCq7YOM^ z{`tT8xr7Ca1_D3;2mk>f00e*l5C8%|00;m9An=S6z`r=aUl-v2dREfg9{~Ov#4Kjo literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..de0f7b37cc0bb1e6b656089aea58a8916d64b3f1 GIT binary patch literal 36864 zcmeI5d2ka|9LKZCCQX}`a0n4fbXyQxK>GGd(}F+p%rR{uxSDY%hjZSgD{4p zfG}J-1;LR^K<#jdTppa|urk9Tf;f(Vj#3y9hC^B{4DNf`7#N1M|5|=KvoGKGe(!zv z_df4s+f8ShA%nAh0WULZeCb#z!0@W(DvDC|W*C)9rIF8A`3xUAS}E>k8|U#(@lPy~gD$BoFrL(1 zVSg7JR~4an*17{-twP9f5PNs(B@rS{em zkD9#o7eDT!KWCrcJFh$yvU6B4Q5F)lkf?=3EhK6QMTw_{c&3w{gbzyqab%_(!ecoyQ;uXSAo<`} z+^k6K%ah(b>CKbga*%Whb;NxHLP|jR+5#aZ5K;oUsz9zPkaZEsSdqAi#7!h)i@hQ* z@FKQUB=%J#o|q!>6%>i5s7O3dMPh)8#1uo4Kv8657{Q~oMuu6!!z__>WEoCJmf>_{ z8BRx*VP9E>(~)J^SC$X?;yr^eEVtr~qe#4a6p6QxB0Ul5jmS~|NwN__ech3C+&CSN zC?SuV5VzvBMFczUEASSwZ@G+AUad1_B|YgD7@-BaRCPq00KY& z2mk>f00e*l5C8%|00;m9Akb6^#Nmm-^M6xaUYHjU00KY&2mk>f00e*l5C8%|00;m9 zLI9rsVIu$mAOHk_01yBIKmZ5;0U!VbfB+C^`UK$lzv-_r%n%3w0U!VbfB+Bx0zd!= z00AHX1b_fM|HB>t0zd!=00AHX1b_e#00KY&2mk>f(DVtw^MBJ{W0)Zj00KY&2mk>f z00e*l5C8%|00;m9{Qv*;hW0Ass%HN*D@fRyV2B@OI3PE`0R(^m5C8%|00;m9AOHlO zG6KP5z1B9PrONLc?JD+`23$y#zj;mM)8!iZ>aPqGdZA_zr^_C9ABDi%$k{Nuk8usv|Zg|r>Q$g!TcUQ@36LfZgMa=CVG72zjl;rN>#O|MK2Od1p_j>yJkFtgrE~H#rM!&dz zGBq>!a7IYwKw%eE@=aEvs(SB`{kjP z)3+@-ICpz&MSOZNnU0#ITWCa*dB>)A$#$*2(*8^K>Xq)-DmnYqWgS+1KO=Qs?-LJ> z(M1g<*<$CKpHHlYTEPfSFEV2J(U#S!?o`3V6rA^lJd9OHT=dI zQGcZ4t^-y>c?a_k#Wf=xJ=(ZdY;?@uNX-~RYctO^Nb-Y@=4vG5_L7bmC);KfR~>pm z9MLmw_C7w+zXf^hwVV+gsl|N+(kDx7N5Qtyu`_CrEz( z%_-jQ>mn^&Iy<<{m8yIj_;D7Or}ZytvK{;xMCs*HDxnZ`upPU95g8RIfz z;Zt_2hv@HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W*6S@zp;+c5W9+ z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGwBllh2*f__60v-OkD9uJ?Uw)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2 zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..6bccb020a17e1825bfc26b0de2213c63422bfe8c GIT binary patch literal 36864 zcmeI53p^F+|Ho&}jpH^#9m(Y+g>sqWT+r41PDDv19mh%Tawyd%&L-U@=_cJ&l#-H? zYJbs^?weh0Ey|`^Nk}&-{AcDIQQQ7@_s{-!U;BTiX3lq>%V(bFJlc|KlbV4DVA1Dm}n1c3+0ulGQ z0^87zLSu~3f&Gd6qPW0Np&<670`(IGY3%13ER>mx1RL95K#?8Jzhmatq=QL+`>uG*WS9?F^bPs2* z>Gt>$Y^QoSxH;SUFs*H-PV+Hh@=UTz(ZJgkOjVLf$v%nyLb`{4!+^y z8y>zf$2S)E#uDG~@l7DMu_UBW$(B$=aSawKIS#JELU9=uitDgYT!@9@N-PwYVxhPe z3&q7)r~uzeizg``p=>6x31u@v*^E#&Bb3buWivwAj8JA1x!6Q5Hj#@>lHkK40GSarHAC^dW<*WRh|+RUY%ycu!BP{~WfQ5{L~1sX z8jB>7ND|^{I0PvUiXWRpkm3-eIK)vo#8ElKdEpXyxr7>*P~#GL1wt;H!{*|WQWMve zns~*eCVm8|iC0l-;`Nl8I6$e1Q z!OUJ=%7i)J^BECTx=AvAMo)C4q$yW z$(XB^#oaC5sfUsGxJj3M;3ilA0YCr{00aO5KmZT`1ONd*01yBK00BVY-$Ou_Du-2u zjub#h2hxf>LF$knkZVX8auy2$3m^ap00MvjAOHve0)PM@00;mAfB+x>2>eY1WXTkm zI@F3vCk(a94q2)3Rz_m@UZqKmD^!W0_<|xe+Q@{VdSg9FhD@PTRd1{#`u~c>kYX`1 zTB%McL&;r6tV)>M<|MA#zaNMGHtE#m%5prQKH!37@@b98`Im{jTs}vc0{6(s7Pik zo>UZv%@vm&BpsPS(xDBK4t0=pD1)R!cBUk$!Ke+(3Y{!DU*^R5`h%xR7_&$i!xRW( zVnrk;Oo=`iN<{x(=^TXQBLRqt(j|nUREY#3g;)?+00BS%5C8-K0YCr{00aO5KmZT` z1OS150s$Ga3VaZnMaPFiWCzr>7KDcgBV#39YZ+W_&_*C|G0K3-ChFJiC*yJ?H%gKw z9d%%7qnh|Ag1o}eeuF%HqdF`-R97;}FhUR&5fK$>9LbLmnnVX1i$vjgG823wng5>z zA!$e+atWLNUyYnYvXM1N(m&x8gE9aDfB+x>2mk_r03ZMe00MvjAOHve0{;>My`vb? 
zPuU^lF|cGjB0#`55yZsGNMmRSSr^8qc1Xji(r^l%Lo!MrjUh{8NV;SfI@Z}YmBbng zB8~ZxLB{;>SYjwZgsV&X|IrZAfRrOSSik=$vJtt8G$PUe6271sfB+x>2mk_r03ZMe z00MvjAOHve0)W8ZKtP?$fggF5(bJSy!$*oXn)pRFPHJqsT`if#fXDhou^O%{x$Y5C z@x0 z47KP=W_C{Fa!4|1fI;TazjRzhi~$uo0?E&ln@v-r4#CWS=(0M9x|E`(q@)Y2_k`4v zlr8#|GfA1#Z|}>d(wBq(SSVG^_X?I0`)$O2BQU6#tc{9Ew7p~!Od_c%%QEykGA|vd zc6Tw@=@~xpaaAq+SIXslZ z;z)M~;Rs?_w|}u=Dnu5;2!x7ZIg%J7aQdq|?Q1DJ7K$gD@Wds}8)a2%A2^+U6~CxH zn6^-HPTh9jY*^!RMu>Sw**R|Bd%II>-qvYkE`J%dhvc?+0zX+u%bL*fK|WyO;lm*# z`JH+{JW)?IC_C!eeA1jgD&C8pZg;C$y&&pXT=JSu%2cbzdr};9CWMwJMa!ba$xU;% z-sqZZackp-wdGySg{6fWW1MMWZDv77-i2vn+5z@Z6u{vPonZg0q!TB~$^MU!$c;p`v6M?&;4A zJJlF77;;4?khZprT`_u-$*U%c>x0v09_ZZ*zSZ^pU&M30WJK&bL z(!yHz;Q8ommuux6t#LVT){Wn_GE-jTPGj_{fZGKh7V*A)!(NxJ-Mrw!#9UK~+?lSD z8tr8dugI0Fhu>AN6dS9WoSd;F`9osi+c@JrzOwe6JC6Ig-CcFssAsOC<^Hoe^WVQ@ zr#*@~pVqkRr`vi<=7{BIY9<~J96R!D$3-K?n9@D_+#OSA94%g1pQL~P9XN$ltiM2K?UJmwYKKhA8p4n^D2bo}^5C;N~A&{+yFh!xmgu ziDQI+P}LM)-1N5fh9PWP+aO?rVHlH})_;Y{7l;?u~K*p zEwMa5y54og`cbPWr&rsN2~Rr)T5p1T+WriZ)c$f$tJsFIz%HIo#Dbuk;f4XiXUDG4FXu<9qHPPfP4=*B*v)Qo7$ezcLj1a+Y4=wp$KA^o^_XLDHq>rN-GtN9H*mpvr%x z|Da-dUR47;Tih{y-`={&@KP}(<-E{ly?v;%Ov34`eOPlUV` zji}G!JY7AS|KgWbr|iePtXX?FfcdlTh28ZdeOnhisxh(L@RQBWJ?6r)jEYpvdG$3H z<`2D@-1&4H*VO*qkqfiQtK(|CbhQE+l7&0-o{8l~q=Zcs7t`trO43(eNfVSnkq6Bd(5 z{XD5!e=mX;{&$vvc~a~vuKGObAXE_J^lM-G*ge8)$}fI~8tpr?YTiFa>gU!b?S}Lf zQ|zamut@XRnGMzKTcZUNzSITUfMUM%6ADS1f3+{gzTgYPjQi66{uB`Nt{&K(Ebq6x z>mU&PUH>{r6Pkb5$Ci4jbk2LdW`hq!xWVLF(zhXI7D1KOE1LZ;ZV5iU&LV`Nwd&X! 
zyIS2-8#t7+mE&si+NQ{RMz78Bx$5RWR3V>V-W^b^&{Ebg@9Yl7FVh6H(X~IF3rK7?mo4XR-J2N|cIS0^{N%_s zhrGJQFIHsg?H?9cUZ5>wqP!~T!KCvonvqxB8=j0)->0edxWaGPiT~uP_?OrvIT$Ya z@bVqB3~usyd@$#9#E%{B(aSc;80+pzr)tq2y*s;ljIaXgwh}k=c)7Y~d(1AL-dX4T zG^MPG=cVMKuuDW5ny2Dl{yJP`(*g@N#aDb*>6UF z_P3b0^R<4MGI#y{Lr)&Zb<237+m4m#HRi4?{O-Dr=Z_8^*KYBj-L@2LKSCRk-Z}n6 ze0&cta_GGbdV!YjXqmzX*_>R*VVcq?DIJ%XF75t(|?)Kd#bQVbhrJ4h)Tmy?WAP zo8Fw8lZHo{J#KGGo?wPf>h-Uzysk}M zy7wWqB6m#F4>sQS{YI7Tj?W)<@%6*u{)eJMFQ@vM7OUBGmN~dAlaD(s+Puxmd{)k^ zlM9TSFS71>Z~wtZzu-u_vR;0YQ_jP0J9eFL{60D}_fp-@s4PXdD!szUxx*nJZg&%z zrmfg8{@la{uk-aGIWfGJofAWaV27G}b6TnUwq4 za3txoF3`XSW~RDzUxm6M`{ca)C*y7+o&ZGya|VHMe(kuwTXC)qsH6S!WD=-hty zQRdS9kB+Q3s+i}TTxGFZv5}kpVuOms-pkKrJq~@FVY8%B#&EAHe*z@1(6dhwN1jZ( zmm62_c}G=6pOjIQkg>}E70Xq(B=d*a=3aAspFk_xMA8jC?qK^abk?S?i=91hh{Cx6 zKjmZ!QgmEel$K8@8LzbV=zmD(4mCLjAG>}0`^dYFf=Qn0ydnF1s-~>lx;M(LdTTTJ z%?;JyBQd8&y{n2R1_rE?9mE}-3ZSk43|Cl`s86K>k SdnmMpl~!>q(ZQF?u>BuKN`Sfm literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..2d3a91e75b37e4fc925ee9cdf4053fe8fbd9a7ef GIT binary patch literal 45056 zcmeI53pi9;|Ho&{7?&ACa!D?Yp^HK@V}_w9*W8k8?lI%iaaS`Tx)_y9q#GeZNh+PB z)S;qqigcxvL^>#?3rZzP|JfVI+uM0(=6Rq0^Zd{Meb+X#=C}86t?&M>&)zM2&3>|- z9BhNw0ffMa^}*bOHa4*}CroW6EC})^*gIOSG?~}pOq~gi=JvM6rskRi?)7RIdE$eju~-x%Z>o$$1cmzt#IV+da+5xc4eSVb z-DgVQhddRDnP4#T@~TKrxPo5@Bgj9T#j;-?6vbc%h)kNZvNJPxBfv?>!gK|~0tT5x z(O51FYq-K1p$uj~=yVm#4;patCk-793p7SvQ5ESkVS58JIKYoRts(q_25TbylM0zc z)-Xk3ftcUxFII9b1btkg0 zrY@|h2iJu8kYPX+xTh2n)RqGGlmfe@lDG?n3~inaAzdA~whmld2d>Rc!c`_JLUpJx zDJlutHx(vDg-KE2y;9-5QsLu5gWJ+zH5#l&gWLKA&~&IeG)QtXgmfoEsAH2Mw1>$M z>f&Sw^>Z?W08WMw#fcDxG8s-cgYismoo=Q()l7HV4mX^#!wskGaKkA(+;B>l8&28b zhEuxS@E>%ca|YTmcPn(_Ooq_eGZ{js&}8U89R^H?fq#bZi7-)@Ic;2CvbDmwQ%RP#-+DH*6Osj4 zg`|W*xuCH)S^EeUd+quFCkI;sJAlO|ur_cfgJg9Q5z3=*ihdDcVG-f5fOh0sEv`IN zO&cnD9qPpPN+lyto=?|y4}WR+amWVq`!QvgGdf_G_D#<3K@_@w zW9!y8-d8i$UPz?}$tx%Rnqt;Ltk^|GS2ZqrQaZQ{>l7}D-<*G5*KU!QrqV`4GHZY% z`&IG#rJ>V4mW$_;9wv=%kGWN^T4zH%-7Sr}ym{QG68EmI$G0j+zR%GQGq#&mY z^Xu+%O?XW=DY{OkP zO|0~c^xx=l-6Sv9Yjg5EI>Ab7Q2e$9wj@4XO8a*O>13;;={6NJ3`*q`o>2U5%(r4@z=QGe~)Z1q{jQ3Fq3qa({coN||JIzu{_uBvdZZO_pDJ97r!_Dj(f zHWh#Gc*?1xRcgIGOAvh{-##4V;!*Ja(QU)r$G=vid}1Fu*s3`bqEm00EZ7xS51iOY6ryNf#SrN9%@=b8P%bob!JH zPH3m1d3U42qDY#&XH**UevzTkA_yEO*{sSqw%UKz+-(VWQ|`Rk=W^U?^Va*P4-E9x zB2~ke7)YLK%lx$Ua8_d1Nfx0r#IMH4^_%XM@wfVt+AZ|*(~3tb61P3slCvhXc|gYG zcy>lPWsXB}+}Zq7$wgtLQd~{u<2ucfL&*5W89iSTZneK02$4#=tx#&2F0J6fZ*E4D|Jqje5oWMtl>f=q$F#adjS#(msOgcz$05QK zCz-b=5Naky9dkpY8kQzpc|#~N^4ouY@I~&cJN^kiYw=ND?e?v2%6y7HU6Xn{Djsui zp>kAKTeU4>9f-?MW6N?mlz2Ch5?Q4UK9Oz89;fOU>y} z&OX$=LPmLLh0O!$iN`Ntwv8uzGW&LQ zcUX1})!r#BLr;usHdf&C@;4dlXNlF}_FgrG9;LPU!NPX)->+U?)#Gv$zomZIwAQ13 zlSbga`PH7Zm;^ol=UX~Kx31}4{9uHtq#xft 
z;rsW?xn3Cy-8|K^6ctZ=Hz+aL)m5WQa1-v`UGD1=zG(Y0;yIlX;kzZaTd$XXzd%#M ziQ#{h-(HY-pzd=L+L@^ODAib@?cVj^R*yu7>;bKC6GQD!$8SdD>{_$7TY}hdr(H@W z{(ODgHO6nQ9&XtO+{fc?Z1^73_btrvX2X?ljYgiU!4-GuMEr1|@LzQk9zSZD-bK8F@6c{Eh$W)zMaz3Na`@xDi4JX~oWwSBx4x{~Gz< zKC+8L5V-f}xi7E)0)PM@00;mAfB+x>2mk_r03ZMe00Mx(e;5G~6j}`Ws(oVqKZcMT z`w#0N=nfzN2mk_r03ZMe00MvjAOHve0)PM@00_VYP$-1h#QgspLh>Ad0tf&CfB+x> z2mk_r03ZMe00MvjAOHve0)Ha{wrGx$*#Fl5e4Cj6cOoP^|3*CoRsaD&01yBK00BS% z5C8-K0YCr{00aO5KtON;M3l7{pTD9rG5>#wkbEh)ET{2mk_qPXh8Ns@Pxsm0Mx1U8Lk!$TW81(K0YCr{00aO5KmZT`1ONd* z01yBK0D*s(fcPxv{=X_t4k0-#X&|X6c|kHpvQ;um(jCvho8UX~1^6+14L)8XSt1CJ zmbi{rlXxysf-A%AkywO#D`72x!`;EraB{fyIOl)Y184^b00MvjAOHve0)PM@00;mA z|F;BGP{v4B&{`kAfc0!25{*pbJ~5u=Gw}d&3PqJ?nnX}WErVN!1Z-x$(({v?XX(mmPSDMD0%`45MD)36v7_)e#bxHC+rD=M8j6XXj z$1_cr<&|dAWO$`%%$dB>OsX`mG>tKXS6Y`O^;4SUA4vYQW0E}6bUd##lP19{O=IGC zrI}PLuQZJz&MU1;68q=0j-Nl>@6V2j@=Vi3c%_*%46iheDa44@Fk+L>uocFWR*{USS8*gN zn(!Wxe<)sdg`vKIZ&Qxln;HAFb?Fx+6zAM?Y;JNly}yF{3`-#-fh3L*olp@H`^Okf zFi7*SUS<2bky3UXtC8C2jk9Syc+xtVRE;dmEIFnr%^}M3G^tAxz@+rM4ZcT z+Ky}qwYtX~q0MU8vuQZQiZciiZ116 z^0nar=IDJpNwbfk_rD%2wq2p|QFil|!s|z3$)T^-thV70WqF&V3t+PE{m3w`GnAzu zRp>)0Ni3N6RWUik^2C#p`zB9~Yu!cpnf$nWv6rfLSgv2yt=q1tY|T+mTfavhhQ8jl z-^Jgr%&X)OWq6uo(gZMRJY%m${+6{j(<=LJ*}p2gl=QiW*o_5u zh$i6=TE6TvFQtu@QjWX5V^vTRP}=-V?zH-4FwE%FO$V&#Z)>A{UW9EL&v);VQ6`Gi zq#N6JD|3j_JWVpG0+`&CVpZtzT*5sjyY-&BVqczP(~48lN6CXi+6p00%ND)jXA&8X zBHtX3m9Lcxp&KM=>`yfd*Pu6l)wZW7(sv z&T_wSh*CUF3N!>^7W@7ZL@#zrk3kKHukFM1e=||F>VL>gl|4V&R=hWdpUM4!O;4L* zMjwwvFaB*Q`DoJPjU6MQ#a?Fbw|pqxqlIYW5G8*$`NO4!0EfFVceS>%?S7)D_5xeK zxRRVFbFscHj;`~qM%Uzho%MSJKa6!)dH9>yo#f0tM9-in!XYGZpa$$yP$ z-Yjzt5zpJCAVZMa;gY$@1)bJMG?(98ENqrherQIZrgTp?C0FXVs--tR^D}wy;ymLg z&M{27Z`VC>@x9|o&&=x!9vn@sN%M(3t40gv5G8n;6le%)@5$@ZXmY>|1TB8%=vgva z$hy5G-r?w~AY{8x(yI0i{7j0R5EEs_yY!$xx?E^XT|?~-}{b@(`u^+q9Y4l?=4R$TzTNIlYKe#1ah8NL2iZgc4u9B` zvLd5KxHo?^Ok|;!`hIg2Z1cMQlpPe-(Z<#4y@290*}54AdtEt1(VtBI zI0+D72+EU+p^uEtDtCI>*LVC{Xs|y0!tr&QC2Czu_6Imb3{R5+ 
z4M8c#4Buq-+%T$nXnb{!lWLu|L7yXgS;lyk^ND`hhR#ZUCcjaAEaeG~_DAe3dL_OF zr>@y5^9&s0)1a#rCG(L7BGGz5kC zoG~?^?KKe%e@i7gY=y-j1u*^K^6Qqo7 zhjC5C`M82ptGn&u9v$TnQ9MlwGz6*7Ho9Jw-*)D3^Z1kP8#k2c|7nv!;-yg$$I!x^kQUU=8= z$<1PY`Em;m3GMVj3M*4NqEoZ=tkvQ!Eh~1ejBOvUA+eU5q7a{JNJ~izFxbf{ElwDT zA}OF{`fcR4T}_x*GIQ{qQtpC|50F9pCJ*7Yrv^tw~DuOH-QBZ00aO5KmZT`1ONd*01%iUz#*#sbm{!#En)#C#9a6=%e}Ete(gefW}b zMPc@mdwMGLkw%?eEjk<`fwxIPZnVVQZF|^)*q8shJ-E^m>0Ee8&iK=LcY})#vXOVG zndCz*xHC}fY}UiK6+&_^2CsC`$d2a@CiC<7+;VV1pO-wl7un#uxgaL= z0_&6IfQ_5)MjaVUs}xF?qpHHwqaYmfEnG-Xs-j%W3?=H@yxyjp^@r|C{MI=d-zXn_ zwdiUpKaT~U$eu~b78aL^aw4x6;mv+s8tT5`Dk~sN=gfUMht5kJqVi7%`-fY9`T~F~ zvVPoBwvR(78l)M$e0LFTa~7pvf7t1hSIHmiEnG zeS4@l<1#;!zG%EPIz0%L7-C-Q!Y@Q|s`l_a?Vb?vQXX{4BgUDj#Tf$B$Sc!_MoyVG6U8x@a zcuUKJpGoSX#9eIX6#s^`i^ii)oli^|i*d*2Twk5~YR-#~mmT+UhzdMS3iMUYC?Zj7 zX?WZH@}45y2fv3uBRA`%WGQ9c`_L*X+&1=v?>T8&ZDboz+`o5ye(qAsZssoO61RO) Q{jqP?6(3YvVN%olKUb%Z00000 literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt new file mode 100644 index 0000000000..bdd10448f3 --- /dev/null +++ b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx b/src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx new file mode 100644 index 0000000000000000000000000000000000000000..b75c8b1df5d958af6e508211fd2f29534fff4d21 GIT binary patch literal 3349 zcmV+w4eIhRf(;P@0Ru3C4A%w;Duzgg_YDCD0ic2m$OM86#4v&kz%YUbcLoV6hDe6@ z4FLxRpn?ZzFoFkU0s#Opf(Km&2`Yw2hW8Bt2LUh~1_~;MNQUMX*7$OKql}Yp^V%$6{>nNM%ZT3LBXq zdmRr!f;79~DEu+XbEqooAw@$6oE2G1>wL3zPGDw+^JOI~9{GLS9$HQ2c%Jw$X1Pvj zf^{R9&yo||?}I(_jg-Dgvlg#*2vaK6b7V&8ZCJ<5q*m?THn+@KLvBA5ju!QybwpuI z?_q9U0p{w@j&vt{Ybn5jyeh-79NV>xiw)%d9m&13i6ljKmbB3%W#^@FU{kWTf+ry$ z=SB7X@7~k^O3-BC@dHy$on`F}Ry{SN%gnPy#-Om2*VvHB&w(imnbg}4W#nI;J~6U4sgsF2DsK0jko~{IC2`yRJeYO8=j_ats0iA63G^2g}-?Y*KD9|3yo*_XvN3{ z8LoXH?LIy1oT$1*%di=s@8wEZ@26@wRaQ%rvcQqs07>zTstj#bFNw{Ns_ZtLVTqB? zojO9-PK!Mc!6xm{y%^Fg8B7|m&5L{}5_Wb%m%S**@#l&JQOH5(liGR@n8p{ml7$60 zjb1QAFAcVaRN(R59&RI0seRG9MH|!AgHDYA%U@MJQ9|ma1&4-2gaKyh zjIh2fV*vKR#~|Y9zg_LBA^v6LaVtmc>uvy({k^P>VV}NWU@qAx#pu#$N>Lk$VEE_N z5;;+zv_!^>OWBj2`P(J0{Zj#KSnJ&_loWqUMUqb?(N@5O-52svAV_fIed?^QUHZP` zU6TWGs#K#9dcpGsznGas0qMM5CWVJgK$Wl+L9rwp01j86tPnc>O&|X248u-98JiN+ zb<6SoUt1E-@)S+NbF5+-?UGoHOf`bV66yW0ZH^)tF_L5(P{<#i~Au_fg{dp_nIS$x-e4UyZ@1u0n+u76SjYk!6E-y~m| z5U`n#$>H5X=~EU`3XJf9#2gczC2@@!Jy~s(GM+e8u=AHZ^>0^iv0-3L#NXx4^@c4 z0rv(5IaMv?x0J?yQOtl*BG9`6jZ)M*Gf(#+w}!1`TiY@{gJD@*44ID9*Crvr5Ah@P zawsEvYX^zX5`XS@=Z%6ghBfC-AuYP2t5(qQO9RzVZ_VfCQS!*?u!gS@>7lqTT3D$% z4(BSXByfnlUK1}A3SzR>Vi0x}-}}E$h0EsF=Y2>wE12_;y437m{C`U$U!wpWjb_Em zR`iegMi%G#|2$kmcbshiSPARI|D7(xcxUkO@my=&R1Bh(8w6#9&Q!82UG%Vd14H2j z?w<}%1m(pO0WGf6J07P{-L` z1?M;4s6^*kKI4~o>H5-L2VIhQ7wgqfsa`!Iwi4kxgcQ3cG|QBQaze+S<}hhRpynDw z23w&H{i+cR@69Ugi)W`JB!~=`Q{U$NCZ)zec&?|IrD_`y= z^DcZukv`A!088>1TctBJaPU?wi=U6?Yj%P)^r{ABmhfWu>|#zJK_Z_mCcbQUy#iZo z4T5U}W7@vM6uGw&q>1fLmUGQLUc|YH(81?1HhJck)<_iNT@r$UU2Jp|Q{ftmO>}?F z6bhRgnX)IHt+lE%a(=Px*5{uDV^77TUK(S*fmgZo9{_?CyE<;_i@UL;6T7butU(0Q zx%&K`0qyq@(JFeBBy(8bid&dhD7{l>{&w%!%O*2@+?KCbvS@50=n0H#On<~3%_`&z 
zN)>ikriLX+=hpjF0%7qWNp>LIYTl=Kbtp|J;l|SiFZrcCo+%}vYOZv|OM+Th7!Eb# z&#_R9d9o&LNQU&PM87-V51g`cAWDd2nrnMgc{5T()Csg{|P`pE^6~d5e<{75zHd9$}u~e^tFpfnNHV!r``}-uq^*HUy!?{TZ;l zxs70f>stDDsG3OD-)+DR6P2xMn~K#&etL<%3DHlbTP}=!?jt%B-+XvFQA(fQ6$VTq zVx5&1iUKGQ?J_0i_y%&RI#bHBLC|&o6k6;gfHAk-doP?>#WBI@PSStmuM>uI%|JHhOW8ui)ob~_E%M(yNNQW=W?|LLReCa_^N zP`Z1{prrP7z>)t5egf(@rhgkeyF}%u5G|2nc~ApbgFgb3;b_OB<*W0pa}J4#VK~t~ zjr#Z}~ZY^^dj%QsNb{EBQY*_`cDoN}mXm|<{EiJR5fM*$*pP{$h#1k))~5$ z&O)wBdTXN^skdbH9)R^uLCV%iO}2DQ6@7Mx(hgX%r9Z2ye)&*dN=E*7J9e(Kr1Pks z{wq?y1Q!?;*Y4BUl9w&6i%0N7bXFEe$K)M_ZiieT$Wd_pn|l{XDm}l3Xyk6Xt6FAn zIqT!RETMckX48r{b*NK2Q7Is0;2|Wa-4eQvoe0|#92lg9=R1lFpL;PSFe3&DDuzgg z_YDCF6)_eB6y;5AQ9tKdDH`&co!k5658z(hfiN*JAutIB1uG5%0vZJX1Qf~;7i68= fKDl*;qP6n_SUGWZSKI^$tx$05lq5tA0s;sCF2PD6 literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..4ad867c6d8c55be766ae060df33685bea252b12e GIT binary patch literal 28672 zcmeI430xD$9>;fcfLvKYT0l_ZMM)9ZO*SFeRxZO)@Zc&?u^~Xzlp{idwO$BT!4`QQ zRSPQhtT(M6#H-q8vGBA~TD4j!Pw*%xN~NGaTNUigBpmYWtNoPc=k@buU}yicGxOV- z@67(QyV-1Hc$h}77EaY>rm6Ho2{Di$Ny1ksBnZOPxPTQ3d=T@DHe8Xt?B6m?2@iUV z749nG^6eF|o6ACgU{e$?922 zDJo5Jx=uGKD=}4*WEv2m@QYFiLne$<#0pWKaN-1EcfQb7#n58WSUysSMhdB_M0IL+ z36sYZP+ngJiD(?p#Lm%~oPz4>vJ&4^C+WKt_>Ui7&7~6$Qe`WH==~aoT>h9{@2FIuq<>w!!=*>ZsESwY(GTtvDP8h0) z6Gl%636EC5Jp@dg5EvE`5GC~UpBND}TBxGI!hl5#774V`2DpWRo8&Mlhe4i!nJ`4gRMm-hNu&x;ORE%27(jbT#xY=kzT?r~JL8T?AG{{6n3g0zHH62wwWpe_tD3B*Il$~{4lui#1I(`G0JBRMm|e{QW|uB7 zd+EYC19uFz!ii%v;p{P*a0(gCsI3i42*4jf2tcmQJC;PBA}FhGtv{0H3s%B= zfgF<9O1us$g4Lmt%FyI$Xg!DU($wJZwnvv z!&y$<0Jn*pWo5P{FTGS<#FV^!cw9n^&(M$EW{f2AKRcFgUo`82Pe!SD)b}3V=kqiY z{tG7*mP^yv%O$p@^)s%Lanu|~o81pLy(n6A@B(+fUrFP)<|*F@Yu#2wzIXAi3nM=^ zTo}Q*QYWX&SC8rpczADPmfO11x5DPMX31vWz8BIsvu4!L2MdFm-d$f5Ids~v2Gh%L zbT&#kE<&ek!d%N=lT~E%xSAy zy6kkvT-W-&V+sX-&$qOB-KFE?M-2(>Yj^HhydnOuX30l3yNU&zTgpQuxLZo*61<)v z%Nf{bSblE=;IKV?umu5@7OO#&$jC5ZrWz!4I*m46sE0*$S>V%!14b6eMf6^X%IUcob=y{4 z_)$>ndDD5tTa6pvXbC(va`}SF(ixXRvkOKn=IzfP$DIvltqW1$LD)XdAjg)4P5qDI zk3r}o1t0{1O<+>$)R{BYnaU)UM^dJq&gELsx#ZmqTn@q6~ia zolEu}k`*piPW7FRg|SrGn`eCecfA#KAeAz!S=au)>xj}J^NY`I|HZQ=uRL~eob+aL zxVP*~$IAuZEl(-GsMr^N)3m(oTwrH$^G|bR#i|?D?YBnMYRA9A{kk!%s4e)X1OICM zvh(hmXei0%h(Ikw<@ zWYzm2>8-(;B}*Qy=XvrvAB5ZysbkpL$EEGw4j+9MI&drJc*|_}&7*fF1a0A4%zdGu zYTm9hSINn_KSyuea4~&R-uBWLcuEcz9D$n$(gNBNkRCFK$EUd@`KUKDFxY?@NyNpA zWbbzbdj$li{Ieq}VB2daN(aA|ol=(H8r`Noy~ld}C(|o7?YC(8CR*{q_!HM%_2XXi zI^1MFqB;Jw=?>RNwF?3^*ZQ0|eaK#Ep3-!5q)*Yb1Rr+!-r#wX0lc-}$&Q@A@%ip+ z))SpnMW?pRT7KtNMC<+4lkGMxeJ^9>a>q;S+2;IFs9y>njGHI?|Eg zeTaz3;=9&_!^7s!&w6+y^~1#ebY+LO{hLUoG~Uj3#tGr(ZP(`kPs-u+@}#!U)RS5@ 
zH}`nbe&`@@I{)rVXP;|b7&88=J85qm+_>r1q55?TYkMDu1!yU+u&3=4}tIb0ralVA=V$0 z;&(l2ATyM9f*#ev^0{6gXg!}`%t(5;!Q(n6Y17iQ>F(*OG_}W!Y3@2*DlFy!qu=$a z|L^BD$gB1lVB|wrR=v7|tt zzHUB|%Z9z-pT=yr%1uKWx*ftG_+FcI&AXi>T~R zMNPG5?pYuHs_>p`e2d5JQbkdu^W2b*2l8>Z9cC@7C`_~Xy#8qEKG9ZAVyI?(Nda*! z!!!2sI%}r1?f$*i*?!s2w|_AuaI4?3#`*j8Rnx`CV&ZG0)GJl1GqdAen-bQ7;Zs4qY=nO2DpRCG3D~i_~0HM zy8ahjAOshvQG$!q0Seu@_zQFrHxU!S1TX6s+3Yv$y6B?gQpKBfC*p%m;fe# z319-4049J5U;>x`CV&Y%B>_{e4GDhs%7?chc>Q+S&xLZFFkX(6S%3W~z;OM4grKUy z)Bp9<7u1ob>>)0O319-4049J5U;>x`CV&ZG0+;|MfC*p%&xAnNO$OtdXU%mXAA7SA z*Ox(Vsom6<&!p*iCzt>xfC*p%m;fe#319-4049J5 mU;>x`Ch!{s?71xYq?h;^o-%;BPkLFZ;h_OLE^GFry1xQ;bT|_L literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..b49070fb6791118876f04e1bb84a73c4165c7507 GIT binary patch literal 36864 zcmeI5c|276|Ho$^GnlbOvNR@p(wR+Ti4bkd-X6^`M79`&lBp~ua&N^qWowg?(kjY& zD|ORNyA%=CO;OQT3-z6IhM#-Cb%*bL{QkJ#`~4ggRF zN)AV@ldY1CmgSJ&lHJJFf7A)o0|I~mAOHve0)PM@00{gy5eOm@)wHzGqRB!YKS&TP z5b|d7guLNb8GAPeTMq}ChpnBH18umLW*Fd0b8(w9-_~sjZJxstn&*N!uAUAw=LIx- z=LL>VbL>56ZVoO^w)PGtH1Xf7!3@a@(`c#;LCszZjS2|y6|9X|6C_T0^CE?z$h!Bi zzBgkyBH0lLYHB*@Wk>^`)w}@TkcbGE@PH_uP(U0qH)p|2hs87`30oLxKr`eqAg0j_ zJfg7((Fo%41wkWC2*1-nlHX{sj2v+UH4PoKx5RcNKTzN!9MQo4P9s8+{zioXF^uf7 z1U2>H(F8<9L<+)3WN^Qekz~J7;WCVpth@X3v;;O!3AGj zm?KhWfszlh4f+}y;w*u7ShWM$(kWqGbC$oQAYS z_%IMaOk|`?2=2>7M#@CovLW%pWWd!!A*{aSnwr zz@ZSPCj3gM$?D1;B8q0o0E6pVy^{}&<$f}|~f#10>}DT@NX4)@e?hhiV{D-0tf&CfB+x>2mk{A z(*(BrqeW<(3WdV`cMK{bO*RE3{-ID%D2kHOW;v8nB5LEh;h&-Q;xydqPcC9n6bet- z0bgyvqR|l%K~p0H;ZcI{DLx@nLPLULOnt(Iur}n#(1tV#SWld++&Gue2%&$tz}?k} zCKN;nX%Ug)lR<_qM2GWOISrrC;NZ}ZDIwx>QPVL0DPmQ)nJHYH&%HG7-L_X7Y6>+o zb&h4B*t}p1G`ye=qLzvucTair>UNuYe+<@EEOb@wxQ%I+ne2?oIHi(nX?cA&BR8ge z=E_Aj+Q%n{>7r69t3$@`Ui-jiO$k%)p{e=3Fahu zz&_DFn?ARKukTZirrl;=@b9YIXt!-!+}q1(8I6PM3|mSq(kWFba!O0}2d^G#UHNX$ zkz+~u%gY0{98x-(O~G_~pGTw6&_=WwWJr)TPMV$6FOQbPqp^@WPDNqe4{jghI%cfa zvaV2=t5bBkIou9|M&mZ3Wkhc>D-)dy)CF=IPyYB;-t&Zo>U5W152Ev&yKlK($~%)3 zS+Qld*XkC#bxY8tiQe4gyMr36pr`v@spO8|(NXLlc2c+f{o04yZ^r4=I8hEIAG9cl z93NBYdG*c&cCCT4A1{j%+8G~WkE2#kZ$*3g9aFpf!~oKnm!#LB^|feRo`*BH%Bv=I zKicL)sVGS}F3{xDrxPDf&w5L+6TYAD`E^3itPDq5oo|W5iCcv$Jx-kDT(~;%{wU(qLh{<8KblYQ-_d%7<*kSQOHGJ(CuB!>#3D7?hg&#mYjKMx1!U}xIoj?*6~1m zsVc!}pQ+pqn)hYee0<%S85SueghUQgLp!i+SM08)#`~9a9@I|Ko7aokyOevYR;Ouw zYFy}mj8gBThtnd|GnX`ZDui5rVQqL|!obYMEAm@pHKJz|Ck`mxT=;$8UH4wcFU!vN zv|jY6qUS*d=_AoPN8(#<+?iLuUR=TLPJMCCWP|7Zo-OATc0aZxG;rVM{Zcu}bovjc zJZc+ERFUT?A6J{h-Q<%q*jd!411APm-a`O@s*wm8Y!N! 
z-}gPUb@GN(|D1&{Y*U}D*DZe9esSoQ>aSmo~S@W$EzqRO<>Tx+>C$!d0kXQ#d{(sl~pcQ2$@mE-YbL-V}Nzj$tF zUU#kuoqc{Tp&{e@zKzqHUg|HJjz_VP#v&NAc9EKKeUw^CNd z)j4%vV;`vZZW!OAiJNtBSzN{UeXmscM~M6M2E)gU!O*Pu_Zy`dvMi${*P@( zMRRPP_Y?Bw;>ct?B(ONL^Xrc4yT{}ruO6jiTxJXPiaYyIzF7|-_nVl~Gqp)oiuqcL zYCB){H$4hrhnJVz%R{Ti_p`R!9PI1YyBad7A-8;~%{u+9ZjTSD&UUPwy49I}d70zG z*dn5;(Z&OrN5+|ZYx~|8q-R#`T&0<$t>m){zJ87VU!U2@Fa+`SdGP}*fB+x>2mk_r z03ZMe00MvjAOHve0)PM@@HZns#NtTsC+w2*{{a+r;BPiSFdRSt5C8-K0YCr{00aO5 zKmZT`1ONd*01!Y3V6iBYih2q_0R#X6KmZT`1ONd*01yBK00BS%5C8-Kfxi#| zC!9!=^#AprZ<6!>XDI5kzt9MQ6+i$G00aO5KmZT`1ONd*01yBK00BS%5cm@W)UjOB z_wS-3IsbowqQ3YOvY-nf00;mAfB+x>2mk_r03ZMe00MvjAOHybr3k2D*`)8?ugx&b}cvoDpxEWXg0YKpIM?geZ z#@lXGLPZ4ld;18&h29Vc5}30fj<@7nN0>}VlmIO!kcMvmjHf`(knPB-9K^=a$_w-M zZul@eGvUl~`GB~Y*Jk#G>>|GXD+W!2$OIXQ3WoIC7)L8^UPiPV zER6BAtW#>>TI{uSSryEaeg0s2^8|q*sSB~8 z`u-Nj-ebBri4(T9H|Zuhjb?J(iay!w4(rN){+xZvy>0M7$JGyA7Vi%HYK=SSYvc6p znn*_xZ!<)4wIF5~B>O)B`Bih*rq@44sBZ5fb{0_HO*E{$w;db54x(J%rB|)nwtqB_ z_Lr)%tRN)M*>(jJ;uw5vd)nz4I zH+Mawu0%wqe!H`oeD*Z)@riuzj`vQ@=ba|;J`J6GB{Cvwe*?;DF8`C!vP8`18TIBdqS6!8wW0A7? zaNt}h-eNS90j;O_Dl65<)hUS%G0v1%x62K!H}bx&Dz$r1cJj0FHW6J;s!0xi3?_9d z(huxhc14lpTYUlj(4AU-#4YZ|`1Vs9WBV&h49OoxGwJ$nS%^=w;^~Gus%pL8=a2RI zRqvwK;GdER`sJC`$DfGkvQka**<&!dj7o8P%)e97=hEG5XN-%_X}o!)Cu+Ta+CTEN zA1Swcjb`$P)uuWMzG{;yf6;1)?LXh8R<=Q4hps#JW%&!!il}!#iRfghCdFSVHTqP3 z+Fc}Avnu_gw=OojjLz|IEx4%o$(v$%@7XEVql@&LqnT{kTJwQnO}kgzQ+$Q=D80*| z{Sw+F)+Fof%>{=Vql*@c=p?Bo&BihXE!*Td{_@mWDuMg=HdO{`yz5OMK3VM89pAo3 z-tB_p(~8kdT88;=i6UR|B`f6DOt?kno_rkLWZ|;&{o~isZ^(VkCL+4bHzs`r<^uEo zWD5GgI&4?tW%W~+5=|iATNwsh8vTM7r0hvu{rs+-VH>_-;rd%)T$YGVkZN*F zQ&34^$%N!}*CrM`DZR8WGOXjq#Y)$Dy)|u*rp5o1lP=#rnn_oJQ(0Vkb+Kz|%=#5& z59@N4zTTo}-XXK6RxTTw7{L|M@ls8WX$soar&M9S!sv^>?$SF2^*y`tSIhLuS+4YO z{-Abl^8MME(M%RT_1C-f&y2o^t(TvVFP<^K)JzNCok%Fd^C3<1>sym;9iQd^Q{iB&IF73KP+&($=RF|&Ijy>U) zORP*(K6eG4JguOyC+$E9Q$)u~H94j!D5UoNfSkdPbauVnxlLx9HGEZfD4VvgI5OC? 
zX^(HR4R17)^Q;7w39b{k={d(5g>rH0k9M3CX*RW9$i-F7_n_>F7SSU?RdjDJsmofNNEpqe{1lPa{CW46lrNbM_yW* z!F!wmKKskY0)OXbIy#Y>-X>8KlgWkulsvWoipF_ET8i{@AI7R>pb6cX1Ke# z1V#xMbA^$i{3r$sQifm{vSu(K2$IKEI<|H$RLr1s?qHvAH~Zh2@{kESN)dSn(d0fu z3Us7YzDzz&-WuBh3m^ap00MvjAOHve0)PM@@E<2&O`~aO=)#_XVg7;ze!=`e|1gor zHQF~M&`-v03eRRLkKr`Qp69_J@)(mRF}~z84Eapd%xEl?P?$z2gz$X@Azw<+zEU9a zzExlu*;8m519f3%QQ-~gk>~zb>S47D86rq;7j!{21%+j)yCF^*PTP4Kf`s3(?pvoo(yN6Cu7PLfMQ^W)ZbmL@gFki$&C85w*;T zTyrAVoX9mNa?K^Vgr+&6X+e}E_%I1TW<*cTP`s`g(Ni;`wQLky%$Rtx)WmgJL}?aL znnjexGKnIRf_ND=L5hvy$7U0x*aRsyaa1;OR5o#5I7D3zp~fN9I7D4P0f)tAad1hg ziR(&Dykk-mKZ4Z6yC^mBeo9Ropwz@EN=yQZ)a`EmvO zFu#~&%+<=`?iQca!^lV6q)R?<6D)uLAOHve0)PM@00;mAfB+x>2mk_r03h(sAs|bY z!#YDp@*(6M(t^|@Rmg4R3UUrPi6wyr5C8-K0YCr{00aO5KmZT`1ONd*01yBK{w4yl zWC~1G?5{v4426tpS*cMaBQZQ~)1<~Ns>DF*C{p7wnK0zbX(Smkg-(?(m(2eaiy*}! zWT;Y=Qkv34C92{XH+2vk77zdg00BS%5C8-K0YCr{00aO5K;SC^6fy+U9Vzk3 zFlx;li;kv|r%}iXoT&m)6eCh7jAGc?;9u%yxC%v40g(cCHy4Jxy9*;yfbEDxfx<9G z6kb#mjlC-_+ebPweWXL{BOPiV=}`JehwMa&SBFtsrZqZNa=t8x^YsT$l^}AyAd=xH zh>Q}E#$!tKzEC2b|0|t>kUYc(QB^vRXeeDo{E-4I2`qpBAOHve0)PM@00;mAfB+x> z2mk_rz<&b)8L}$82bxL8Lm{%gnp*pX1Pa2UBvWe{T&~X|5V#nnS8Wq@oA#4&Ig$${ zUYm|OFm+IEJc=N%(63vNrz@(%)JOFsQHFtj!q8A*m~j|CRA3SwU@Q`a;KfYvjpY6R zRS>cjIfh)tz5!5;{EXxx>ycIe4W}5i0T2KL00BS%5C8-K0YCr{00aO5KmZWJ?*|KSkw2q{JOAuF-De+trogd>;#X?#I{00BS%5C8-K0YCr{00aO5 zKmZT`1OS2m905%-8$P+C)VVdeDYj&v_NKvyHbZQF=qSls40!HTA@k9tg;ys9mOU>! 
zKqa}|pYr2;$x8`%E-lw(vYpNFeoZ{m`9|6O?Ged-A}aBg0iJtmL%Xo`7k3|ymxg-y zMMl=XhNY0?r2!2xo8HrL6|t^UVJaklO71vKNDaZv|Gg#2pSp;muB4;~CA&iE@ygt8 z2;!C5-S&Dmm3mJ8W2saHk6Tzt?9VQCi|L?ZvJNUH(RPtZFo~qDEURJgF5`T5#l#7Q zTU|p&U#OVmjw;gV!&i)7(WVH)@>HnzUjssQG!(JFF2XdkV6w2k0K%TBp~yBz*-W-{ zw-1gWhV{BP8yjq7F^oW{7?vZ6F#^Yz+-Y4!NskbZHZd0$H>Jp`-LDyc{PlwQwE?sU zMX#zYGqPZ<3u%EC@6Mg#L*`*QTQu^dSq}=o{>BG->7w4@D=e{6Lv(UAHsQLDwp%G(KDwElOzg+H|db zHupx#npLIkO$8+dTEm=Z!7t4GbK6R`tj!sJ>!i41ON_#Z0(exZ?u20YXlz5GzO5Z= zY^JxV?W_^S9-oRY&)cqcKJi{{?Tdw$hAJ(0^wMbous+K`bK~i=~zx%%I+r_?C0ka=OXOYM-1ZOFuN~i+%>dqiF3Kb>8a7TA$*r~>t z!H_d*McULnJa*_hlh=(D=bGauYV_{~Tz(Xg7;t(-P{Y&Ew75$zR#s(}XN+8`>T1o* zYt!m4GH#-_@6mXhKW9SdT9!y_ZOoNd(;DVnh}Wvu9KBOP^bh*3Y_{fggik6utb?1J3#Y%lF zJe}IG?YEoy3%$hh9@=q-eTNTjdv|uE#;}r|yC*uXot|5?yf)sT`aOL?jiLJjG#iSp z{Xw~THZ_i1gUwh1uo$8&z}<{0-u8H9;sZDT*z)I`j5@a9x=QSk z_y<)1sk`oO=MF>I8*_bt4TfP%Zc6tRDxD{esNA>y?sKJkrq6WO|4_Gkc9X+d{nWV9 zyzpA**yJHAD94lR$%LmJ1|^%|p0+!Kc=f;B(;|;C7TCq}Rg@g_wThSrdL!|*F#OHc z)_Yptb*z2xjX&>IAQ*Puz)c?t~)gRd5DpZ;Mt)|^b2`mYUqo3oJL+$LIgGT zb*-ieYyB`q?ds11Q#_D@pmJ;5oF5!dgdp_m+gdjo4#^u7v$bOXd(-QQg&ta-oM--S zmgeQ{qmzG44KA$W9dmmoQ&>>p@OkUg7mLle@*7oJn}^&JP8>tNQRkBWa{P-EZ(A;Z zKHr#9=sAzX`v^7dA89M#7{fL~56_$J7MqO&c~=J>aGv28mvUp%ol6IdK8(*k8+XUO zY@<_H%lOD0D?7GROevo~I=wa$%wR7%&uO(Bu=hu2 zpV1$e9x!JdJN3x;r7T%W#;@k5?=+U=K2e#h%}>9Qy&&~<^OTkkn`UY3Ub8x4L+ZfV z?d+#XL-{YCtT@IS_NsE#0UyQ#y)!#%2hV7k_qfu;a?NkH*LPY7&ZU*D)t*yZd1h|E z>j@v8ZswTs-XA83Zx=TU-SYtA#V+`z=($>JhfRete?<(Fax^e@%$u1ORh zwr~ned!$g4c6qLr?YW`b&naIy-9E?iBs3$MYIxlZcNo1N^(5>{>VtvZ(=9D5CXu>% zQuXd$1aJIzmfm?%?ANopJZT?v5WB(qy)Ru<(Xz~G;reZD*>^o^AH5y@U9VbEF!hywvx(39P#u+hZfcKjkt$_JOeU=>P~Tx?bv2#2V_~uV zoEhVE4vz@ehmw9g8>X4Q;O@AHJhP#{nONRQ3}jIaF7g!Cgt8y(P|vFle*}9XiwCOa ze##tflu&e+9AmSi?zUX;FN}L5(%e^9y&1;jp4DSaAw8_*qJ^7=ezyD6wmW*nwwui^ zi(8`2=f7%ms+)g(sLsb_j`gdyr@QL}46c!RF#B^Ihct|#U31R+gHcVT#~@vZ$2;=; zp&&3bK6BjbDZ4w~B;~BR#XcSI?7Y}EIeGERvNh{&wl6WPJ~Apr>8B(G)tSTEFYT?F z)0%Pc(28AN#epmLs^)A}A~pM*B)sZ3Cz!ZB-B32+0J}2f*R3Ok4_nXAUFTq=Iahz> 
z!-rnn(*7Jw>yppTcJZC*(ocp@L%Lg9Iy_z5Al%3@KaqN*nF(DI|#_o#PHQ;IX zo6|)r)e7b7wKTmvM1?gh^@6hcWw*98T`8Tj*_GsfaA{(O>oAp;sQshvTATJ;l33p` zYv)Um;OgyL8GEj*Pe5W%8P(q_Z&NA0meOYE)nxK2kC*PQyTqyeBiH`bfCcN$rG(0t zRG-N^X0(Uo>l`?7M>6yz!qnrzHWg;x%MWcWi)>>1xBl$yu*c?XUCi;Qva92?^Pb## zL-qdbfSYVRW_uA{lnr#Sa?cxxdQaf zl#0meUgOW&_-__tbx1@23a^aCp?bU_!6Hj|9`^r#{oWc21w&ZOP`2xoeH}0R1E-*O zGhOW0rMqUjy$*@?IL~d@@J5Euwm#VLCWSnbJL=P;wJ~G#%<}gSx*9ade?#^PU%{fK zN%k^-XUs4I4>eNYAeA`9VAV#X;te8U$4k#%7bGHz1Pa#ulF z{l4b+>C@%|AId zd(onou2$UpaK}2z_Q8;&w=36sj&(+XTMlV+lX7@i$^49{!SC*jp?0`zOT7{q9Z<4a zFe|;PDW=3l$71$-J${b%!DpK5O?Ue3)EO{5IN;6H6#kLD6a$-R@hP5#!BF}3KM^z3 zDM)M$|4?Jcy@w7Pla_O-k{Mjz8lMlCD4T5>-|-qNU?JW*rc z5J;0``%K@@`EuxoEq5PhEXsU*Fg8~)$0?zlo21yl+3<3WDtFg~=dzRb{+wpJutCOX zmm1#+^5g3B62)OhQ}6AMu64bmrfNV+D~w6oW{8UADw-4c{q6Q&asC)XD_lp?3p(sz z_daOmx@AR9uGd5%9G~CzW%woPPH0wIYE?W+X;tn|q*Hqv9Rm*CJbWwcuA|==S50%3 z-BZiQt=_at=u)w%iTw7OTEM}`V?*ATFCh8K9xfZ&8uTLTrRRiqIwLQ+`V}gkEhL{% zIAd#zJEOjc8It;9VE6P09Tuz6x_i>@&v^fOPwH{IFFk3G&x3y-M07Ts8(6*UgmAk< g)s!Djr2b^~EO0=8!T!BL&CJxYLvao>I2v~U0)w$;9RL6T literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..54b86a5ec169812a42836dff088af74ac922aaa2 GIT binary patch literal 45056 zcmeI53pi9;|HtR%K4v7B`}G^h|d?j$88%rGt?ca@YzC5lv1loX{-AxVTf zkvd&Y(uHnHE=8g!l#2Mz9vr8)-kEvc_y0Wq^MBv9&8+$D{afq1zw5Ji%dEYh>?Mos z1EW|3ztD&fMijviA%#F95oQDe0)dd2cym6ui!i6eOvLa9@-Oi}3ndT+kg+8GGeT6{ z1%bujuS!%)td*dOe-L*OulZ+`BQRs>h`h4xm2$*qK0fxZN17aIq27k7f4l{;anqs`)_Rs<(U zf`yagB6}MPSAvU`v%R^6)ocRi`)UYj{DZ7BM^sqeLK%q&T;t1H7a1PRNqRA&qe8js zUX%J>q{&EZp|G&Lyc%*Pw}MX)BhYtEWTbOMU<@OQB{E^o#?jJhIf0vmElgD)%wmur zvW}S$SHq2~5zJt+f~Tqof2YAs{-9x~vj`(Buc(If8n+$IT+Q-{n$i&ZP9t(W{eub# zBI#J5h2<3{dlMKL8O@5AlEHi@GoJlHg-+7hJ`X7(ucn6FWx+jUQvy>FYC>xKuuW|j zO<+KrH|Mx9$egz!9CJ6oTS)LGI=o7USLxhUxC)&D7gV^Q!Npv-pu>d` zTrl8*$tjGuQqXwGRfJ#-5;VRaScL?^G9(DrAwjSZ34)bK5G+N4U@Z~^i;*B7xSX&z z?vJZX9*?=oWUexqt4!u9lex-dt}>acY{+e8$ZciFZDq)9Wyozs<7R2xERCC`akI4X zELW4p)tt+%$>l@h0wQyJN`~OJWNuH%T(=a6vye&f=7|v2HRRSdF$Sb*dR{vKej44kw(n!wDztaKcGDoN!W? 
z6HeOUgp<0Q@GrXXIRo#QvlTvZCPMh^nF!%iXd?8T3RzR3-=87(L>RBjoU+4&?f6m| zkS~)IPrOEIKz&s(yQjv-1|{ui}>HUv)nTlFGM#c0lN6jAuMiX`Wa6qQ48 zUSI(P00BS%5C8-Kf&Xd(Y5qty5+j4d(f<*H3|onULvVg@I0OPGExi?skluz!h@1SG zsLx5mwf@D0BZ@!>Ny@=@Akau;WMuH1NLEA)D?;CAjeh8w;PnPR5mB%Jti|q+ftjH)rWHe_oNYa3aa2}0S^a%|K30>sAr;j zPN?0bGC3wDby=jG^;MSMZl)^5dSM!fq{}sHW@N2^k{pap^)}XD{N{A zr7cJ1%!{y>NO$}OMd`wkJYAh_6;IHc%yT*##e?nR+1dP2i$t#>5?oO2&*)Iu ze$7#fk)hmZz3ltF_8a=5X)yysHXSkbnkvIve(BtCIBSWDzgmk(o9Ac;6{ST`YN=iI zRj1|Ia%EM7l~u{Rc2-~>JI{2`C3oy&QbB41<&uBT)r5s9DH}dqPu+e0TimP{CC0mO z)k#?C6sJ|G zMDZIeQ|NI?#0KfM25P6Zcic}uKj2MVRJ0R4w9`6spHJ3`t-C^41vG{24H@d2s|r=4 z&gyK37OdCyAZcJpY(08)o`dz{thpJtj}@BVDz7`axWl%?rP^uShU!uYM*~GMgQs*!FStJ_DUu8@82J9k4PO$+inYNd+HW0kO+|0`AFbml3k_ z{>}|gPW6vuNY5Ufv3oBJj-9l-OvxmbFd)>saqRNl>LXt~D(dq(H*aV%?Y@GU?Q68O z&3U1FU6Y7+@<^6i+`x)}R*GK10qn~8jqko{y=}CWe-KM*4)O@Ed14kRD&+Eh%;96M znZa6OWYADAt42*N+IXQ(<1S>G_J#Lm5pFHvI)&PP&y37wzdF9xGt(-wD*xNDTCdJ+ z1N5K!UVG%we2FzjMbFI>qAcy$Z*pXR>dJB7>8fhw>llBmkb$~Z>6ex)8$9+f>8X^D zD2o|X)bz)^)C|>-u-RuAN~(18qbI$?S_dw)9J>A4W6bMZB=f1-)tNN6hph))U6yaF zDwom=qsz(dV2Y=iY>fSA+|Z_5^&&uVBpn}K0QGJdFx)y4wv1eI%rZz*`Q{?e0_)`s zDX*$_hzF@w-0~&-+;>=x>qo6k9>)!#&+S3c4NJcawapy&jr#ibNL@zH@KB>&9?CWOEkC1b97wiMx-EI#If*JsC- zNQHj&#hK|J2F9w^EFHt!3BOJJx$h;iHaBB?BQ|*+MxF}~I9aj#xo-KmZv~=w-Q()= zZ0lEf)}MWk>=Dx#4zLX{(Ka%r`PJQuAKr*-Slusj?b#WWcfm3x$hyN?=V(x2(v>61 z_l5UA8>~%Bop+S=M15nB&6%+0?RA5i`iCUiU2M;F+^U~NJi$D*FZi9$mAH@%_mAFd z-uFsfwaj6);wk5EIQbZtSTFT5s^79pN?Tyz`_6!Y4)lmwP@Z%6M33Sy<|MI zexG-ybA`$Aq7jWE!12u3g5p*{2mk_r03ZMe00MvjAn+eXKm?5ugRiiU&;Lgd_>upx4ub9g0)PM@ z00;mAfB+x>2mk_r03ZMe00MvjmjD`#5F4NWmm=_`016-g2mk_r03ZMe00MvjAOHve z0)PM@00{hz2-suTN@D+8|MP8p{@;nfcm9of2&@1CfB+x>2mk_r03ZMe00MvjAOHve z0)W83KtKUa7yJ2N(HWorcOmdy|AH)N0tf&CfB+x>2mk_r03ZMe00MvjAOHve0)Hz4 z@@R_K&;H7-5XU7FKMZ@782|WN*#>3+0YCr{00aO5KmZT`1ONd*01yBK00BVY-zFeF z1HS*ShLuC$2l2*uMSMAa9sVKy0Nx$Pz%9fz~2Xt>^n(YNi4P=OU24zBe1UjwizG*2mk_r03ZMe00MvjAOHve0{4V4{6AcMg6m5c%ErGj#rvVmE@JCGO@hUOo{}rG?gLFD@}vM 
z{xQw;B}247J0{9AO&8&nW>STDrKwCIUTG!;!z)c?pn0Wf5K02AEEdLyj9eQU;Va1* zUuGcc5cngwueha>XC)=DeiBzCl*HGHJrL6uO%i!2vOqXXXi&%ra~dOr_C{Sq$sxlz z4gQ7;n>a(rJV6@q*OBYH@q+=eH$xu6ViV7>6~aMIkonXq7NTGXt$}A3-0*Z)lydos z#=PwKR8n0Z;=zz<+1gKwz87-v2Im=;C?o+A7Zx2?L5ck}#t_UkC3bv?E({1g;r(e@ zRLm*akOe)c&wE#vy$U?fqQ5@QCd%_PNrMD1NtYx_Jv%)&y+u6Th5kC_Q0W~H8*xv{ zH@b02!e~^k6F-ylXC*w{hQ3oGH-FUjs$6Df3Z_4Lz@DzYMYIsHaJ%mfHc{?Jliv+k z0+^h)3hBGo^eO4CVxBVI%>0|nW(s0BzGNQx<*j04g&}`_CXci|FAQ-sqj!4NG<@1o zRh;+Y%D3Zw;kQuJn~JZ$-mc9i%JMeJd4et9!(ARsv>iH_r-^QRMa1Pdd!!T*_UW%# z^b*(3T8n6T2R|Z~=iyfEykpX5`RmHEBW=-gN^Ljo8q@-;q+~l6uSdMmUcWh?O_bqj zl1UZ7Wc8MZ75%ac;(y19tPy6XH}0&x6!IJ1rswzSzGK~SOig|!FV;>QHI06JxM0+O zpl-{7o)jb@YrA`_@`?|Mr?0qq&1Ms)^E63i3SbgXLvEez$TCLsksOCg6Z@WP6$C|G zI#cJy#+*D+y2_59Nei>H>$5X-@SWrvh40LKeWN5(_N-JCXFRc?-d?|({X3f|&C?{4 zB7n*E2Q@MFx+KTbN&a2wL#*1upht2#3i>5Y$d@ZTy>FWEGkMMCj=0DO>g~Jh_DxSI zC6$j4+4cBNTff-)!JV1YBJpBEKpMvd!}^TJT~J9 z)2O@-<$7Cn8b6bN9ITaSQIr?Ud3<2HD?(4>%~d@+twE8^#QZ^}GzBz=q!dq+0u4bf zfwygT4?(9?y?m;Kholi+r;^CmkhaF}+?;5o^olrsCVxLWlDRrf+}bO%WIbso-Cfn> zo}7_uw_6SARbIlHN-H)I|D(z8zFG)yxYzkp>Z?9oEbkovWpv3N!?b#SQ3oGmFpV zj_ED>vau4W8Zuwe*F5}}u_(lhEjxZod#$*FJGU*cyn zJ?cR`{nz__6{q3`G7mI(%M`9`y0LX^LtKwT3;Bg^Ae$)qgURnF0Rjv`d-1sk9aAFv zzRtGFy=au4bKq;?ZQ*a;>fVerL-Wl3xBN`L*vq)kv7{n0Ps(bh@=n@XA-@^P2|H2g z6&_G_=9^y{*hCTDCIuOS4(=Dt3LF$)Kt76cHhW*MzB_x%shDR~gnccgOjH2k3qO+* z_m4gp&f0Q1y;;Nxackd#0SH3f-`+ezrBgyTPYnkwyLi7o;yXIGX!CHniOaV^00QFJGSm)e1$N!B_&nm z@nEfdm87ZGbsL>VrFG4fX8cS>`3Idx`fsXITUCuc_N(QE>l(NBMftWT+H6tW?BTAL z%qF6FniOaVN=`9T4n16_Lr>msi0pdMqgGpJEiF&&y6(PwwDYm$8-6CQQJ;URL2CDB z7uXn?s7@>MX6HxUPyXEX_2Z&ln-MLFPlHu;HK-Z>*92Jr0Z;M zNS)S&Jw|&!_o%@le2ZdIQ`?l4X?Agx=`2mk_r03ZMe00QF#*hIA-zB+$@i&%h(@!Zi}MysugtLm|`E%n=8 zhCe(ZX4-w|YF2Y)LyTkdoK5_`I-?DDe}3}FOm~f(r^Eh zYYA*3fwxIPZnPxM+(V>=^%@L>4j45Tucjcn78O~B9XQ{`2;_YcbDY^j1ccHOm2DTd?+D6H2W}XskYthlBmytv@3HK+dqw9bnVsniGbz zlRWM?46zFl8dY8@ubfXLATZ6UV*E^g?5(`uHGl7;%8KmJ)4ILUdo)LD->lMz&<;#D 
zvAp!QicM7FZBmd+HM09VpDh@vf7uk#5&G+%;lkF$Uk*EcdVs&1P3+o;Lf+g>BauvIUf>Gw7>Q<_awL`}tx%`Ky?v3S3Z z9r=5-A7q`lVEX*MY5u0#k-E?POwQBvc#p|wR2b~+mFrg0y!pYg`1n`Li)l6~2UHpu zE=6qOOr9nMx>SR8nH_$)QTX6898)8X(6~Ttpf&!5$NX5a#m;UyhW!!zOhyqN<*)5( z^|d$j^i1|(? zBc`K{SQ9K_IpyC;_{rS>hasGZNl2EDx@XB*bJHGc9oF(iVmQ5 z`oVtOr1QD1$RiR@(&1tmX5S$d(M3)h>b1$$T!pK7z<=g?j_MBJ0K!PE?hWjZ!$I^4 z(54{SsgPtBg7cjs15TBuknd4BuyVy)rqr<w*B-HZ7 z6TBVzz3nWK_X@HTT#X&}G2Xbgsu8X?$+hsM$7yujHqvp>ZB((rhBVo4i^;;T7!0z1 zjhkHna*Frv{~X=tYAIOwUF&UZjJYCHiOtO|`!>{RM1kHJj~D!F3%E8Zw-bKtoZ?7g zj7hSWBKcE2uOmwNTQDTbjEfOSFl_hvD3QWChqw+2VIO;g;TWh4yy<#CRpQmEluznq zNQ59wNaIlp7~jd3s72{)@k{2}8$1H=ia{6}y6e#oUrZeODMy3l|i= zltRV*_es={zZ8`f?y<*d*TtW0_cgT^(nBWXw)ZzjF z1OhlwNdJDOXfbQ+#4Kc5ePs%C;k-ZT(w+@jz_6(_c)0(N=6v=+swz#xBb@o7Hiz5U z#W!^WmM+6ErxJSj#oHD*`j|G^x9PI*8C=q^mly!6ZUcU;bgw}2uF1wS2n?Ji7LLz` zqjD=$B=76rL6lm@WHGYE2I#l+yzd5C1#~rsG1e&|jp+ITJ!^tju-PSD)eH~>c zxZQ9H_D?uw^Tp>r7drXD zQNzWA4|wH*I^Ht`ZqfarUvv+(_==z&YbU0sK5UBbIFrhp20?jUIOXH88Q)|mWt6*` z$&nnbU+6S#aI=UQMfhVfZp$2~r;h`IJwhf%i^EiF@%UyKv_uH`Kq5g!9-zqzh3pwS zb}}De`0vI?m=0aX%FFUP8`;df4Z+V=*?*kTjQlcb3% zN84bN27HL5X>tB0;#buFJ}n*U?SB#4OoY{x_@0 zO1OybNj*{a#!5Y?C8&jqm1>wX=lH`<7e$K{U}*SI`~s!Rnb*XgECapf4#!zv5R$#t zC(vr5--@JDx_p6f8=e|#oGMpr@x-&;mrttF??IWAjHi_Ic80^$2SA)8SKaqq2X3U2 z3~b%0OGsqq=azR#n0mM>+M}m~t8SiVHdG&LNQUdQ6Ge_XHX1PG+VvWC<24s}d1Z zBynN%m9^i9S4TkRVtB!R*r)*1)F?hnmvt@%D3Esh7G#zyRT75xHaHM}K|GtNy&j&p zQ^RS78&{ea3@xK?FdZ)eUxz&pxCMZ6a2JL*CMZ~0H9HkbC?1IMN^q!~r>~HU9nBQ) z4-l0r9mAzIfI?!efNKS%YI&R#-U8&)mJiV>2?Q;#+t8X6a`2F`#X7>?!@k=0WRUVF zbU4JZ^WAv}u-NBTdM#*9Wt@AR0i=b_94Q(4 zQV`>Si52hZtK}}_qQEZmm5ic1abs*H_lGw@P%8jqmwXqmIS8mMr^3^~lrT__iFJb$ zg&nW?!k)s&M@8H&b6My0I&1$AE`LGA*mScY%B_c`JQ3Os`?aApYwp#B-C1b^-_sEp-n8HtfTz`~a8Bnpg#zZIBwZT&n3WK-%4%0f6v| zmAj1NrxtLi9r*s;Soew~6?!202FX&2VKv%N3-i1?`vfGyWA`QYdITlltWpg7$wz#>^lT!KvTVZ6Xz8SStMjSGm2qQm^Lq1i~>#JARu=aNOu}>?@n7;sIVxR4&p?`m!MVq_xge5 zX&UJg@2Q@ClCj2j#tRL|m%WOCb1rlAtFNXL(bxyM=An7aw?^;Of#A>NS65<B2ng8Mf2_o 
zx0%S`{|t?xF^LolTNl$pSydl`M&X7s&R)mb5tYZsiDN%JwN=r9*qLzjh4aY z>DJflesqdq%Q}A_X~TJ7?(}D;^_ti>bir^0WF@oA5MY33y)D-;kIU1u%`ofCq7csI z2yt>*Us2+X%O|cZ$%q;zAvXnzCVKxE6Bw*Z6nIjD3fRM$CgL9&LcGLh{6L&qf{Y|k zdXD~Ak*hp;`GPdlgB^l<>?=ZqN3+$%4nYS1>U$d1qJ=HMH}S$H;JYIc6X362b^?w_ zGv!~C7Uy4i9Uj;Z9g+0b3O0Vuz~-+>g;)%X`HzlF?AbWW%)tBNc0>Sv6rnLCFe3&D zDuzgg_YDCF6)_eB6nfR~gGo)z^le_ap`z}&-kgJ6@h~wkAutIB1uG5%0vZJX1Qe%( j2cl>0KifkIPtxmN3vs3;%^V`|So!L3h)7>d3 zn$MUQ5f#RbX0RYR2!6xsd(TG23`)-d_6hf~f6tVL4AAj1NGC*-`Unl7 zBURGX((%$3*a6r80YCr{00aO5KmZT`1OS2ma{?ALnxdi_>=P93&tJp~;RgAK3j}U4 zexX4;32P6Ir5A_c;9|p>&LGklt}cvE=?rZy6E)JAOeGYi5(=SQKYr+^9JJ3Ah_wC+ zEFBvPP4OEwcs5a95aSoj=S6=~pnj$xPVKM3M4394WSZj0o^}KY1Tp-mPa>4hL_~@G zHO!bgN#?MGqM90dPTb-XOCoH%_s1o<=EJRF=YJ$x9B93RG17YFyL z9Q+K{t}eDt4%S`_ODk6oFFghq#dapP8(}*Ow}}WmhKWa+;fH4Up&4 zh*T3I)kKs^Xqph3rbJGH50e07M6}ch#mgEIEj1!)%SN%yh>1swO-6W0}+ zc*Dddeg?6LH&JZj?G&3hK(UEa6qy7RvDsUUz$1?BEoRbF%%rzEnAuYu%}6CeaZ@dHs5;oHL^_a1NF#C$sXOG+DK=^(L7*b5(ZMeogy}}$RZti>{X`alQWFrQ$~|;72id{HSOF z$sSXp4~7yk{+GQ6A@#@##9X!o`5Bok+kvdcqQC|S00MvjAOHve0)PM@00;mAfB+x> z2>cfjkRZ#$yPz3#e8xm_KqGKoXb?XDA45)5`KC=U4T#ht`>_$f! 
zOjT3`pKFjFGQ7`JQ19H2X#Ia2grp(`NF~yMT*cP@??94}xc{O{45|tU00MvjAOHve z0)PM@00;mAfB+x>2>i1N^h{2OKP88f$HJm%245c6fEN`lAx@zoWOW!{*ddOmisLDG z3DMwRoI)0-kTl6Ibb%n$P?V}4784pB6dB6b=Y~e>hjYXD0$g7-{*Q!^`$!eC2U&>} zAt^{R5{X>+XM+Q^0|Wp8KmZT`1ONd*01yBK00BS%5C8=J$pnms@1 z+i6mB8eLO6_a7B4Pry^XBAEBjFRpb7s(w;kKqa}~_V{6eXte>JN-J`5wYJn9-o_!F zZjsFIn!ko8pc2am@YLfQx+0$cWPhCP8CM&BBt#N~fCCHieX;y+9yU)>=P1!F;|FKxA9Q7cU6ZcO6&D8n{E*-WT{JA&fw%5SAhdF#<=w zzy5p`C1bvDqJfFl&=f$MFEgugi+3)pd^SDEwDZ()b)zgjM=-x51y++lcpmD-dL_)uJPlBSh4Yx2(7hE_Aj9h?5)*oD9>h0{s5nwp+2 zHrF27aa}!w765Cqw3IfUI7u$r`POjf0YiEI#baCSY~OAv`(9h6(#n6wZOPZ)`ArCz z^Gi%Fi3~$D31{6w^6%xDZV~1cS=|)OQ4(@ zTk~RS^W3uu%Jm~O4@@mfx^q8uT8T|zo>Sp+GfVYdCn9sF)KqnL#O!&!di=KKnbOMF znl<{MI^O1q9VsD5|vyi}D^=uM?_LVX2;L(>)~euzK( zCPqKoTaxoGqu9sk=8B_w-E(Bjcb2Qod;fx!_8{U!TJyG_uV^lwC6u175?}16JNixM zNj=4}mDxL-?NX-|l`U^d(7N-MzUZ#D=OQ!@ifLLX*FJ|DPj19-u7UT+-?_C0{582R zxn5WZQ5NBDMjo$wf*kRIn}2Nkb53R$w&A+6Y(4ygiv7@f!#cxO@d>-RtEDxuSC8UhWp)Z1E=*>$2th#^1~YNKfBg@Qx=R2 z5191Bx_!D&LUnxkt^3Z?&+ZRbK%WL0w{W5p=TqZeHYpjf){m7@x%2UxlnN$#i8O<5qunbCbHRiED18g_JaMj<~lXyocKI^{n{D`mklh zbe}6-rknMHIJMstIC}HqQ!a11e!f8GoqgWP`0Jk48y&(s?4!1??9QSXQa-+Sc&Wqp zW-mEy{M>xx?jIcGc9BlEEz!@_+dJ1Tk1GAW*4^r*g?0DgnZnMgJ8~Ms6O;1yYf*gv zglqMgrDL+O%ih%5KIC?nm-U`$=k_a4iwilN+%feT|H{6hSqB17?K~>o_S00(7Uy%# z+R--COpiU1(s(@UibR2S_pNyA+*{wCyHc*?D;4snLi5{rht}ZbnVsqO_Oo9v$yC%~ag6cJ=%XY2P$uu^%Uo;XeCy#SzZf7Y(Zld>Ox} zS8Q(@?cEXhpuxa=?ax-1vQ7D?(yLQd<~B7{%o~0w@!jLi#)h1?dn;y=lVcj()kpc> zPvmbcY!ym_b znrmJTdB;$-FS+9mW8l4>gxyJl(6PVtmSYI!KSN<#806l5)`d&{u2n{5` zl;8T&@}{&H-~1hJcXR49muBm$S2Wi)T+;mIozjQ4guMLa^B&lbk4g@Q7vuk&xIk-F zFkku^1-HN4l_sZQlyO)3wYP?td$qwHW%b1FmD1n64g$ijI@qr+ZT_nJykWm?*DK$9 zk$Y2YX6XyM%&zG!P(YYB&jz2`yS38u?8Q3&LmO*zWh1udHkM7iQxmK#9MyD+d9>iP zPF~K9$9jup?4LBJ_5BkSIr1E@#C-{yYwteEt;@)`pF{C;A34@xnXBugZHrC0W^Xk1 zu3J&jS((`qbway*x$}dYDN}`xyMD--q^rCsB9$vxwdUjGrNOVBF7z=t(H64Cl~e2; zb@Jl*H}_|}REW)V?+&TbzDtemy5Ujeb#`~LmtLAqF%!1=F)zk8o9V`D(e)Xs)gW@8 z0Vp5k;ZLSRDYMWS!co{yU@{GQ-Vqx_2IynG0beg}fCogf(eEcK>l!Q!3iao4qx}09 
z?bk<$2VMj3b_F(6`9X5ediL-d){~5f%Y4>bOK5s1t*PF0RR8k$^B1rA?;PoP=(XP! z%80O4rMqncJr*j>UJ^I94hJW+PE)wptIU4{Jq_v_A-yX7PwzOQtsINV}aqtant=){GjJt zv*5I3_D!YCW9+!3wyR_Ey%|@_&-hq2v6u=g794WU7_5!<#H91Ym!Jo9YvmijOXtH#dj?7_fbkBN;MW{+j1U+Gw+ z%e^r!pK3so<7B1di-`w+@&}h z(Vb(lxBFEJS0X1C4dc&z9x( zn_ndL8{7-(mjh0QvZ@s?W=1V&jW7>T{1FLDd(+4&MAF zVD$ukwknd&-?ZxaIKNp@t#YGdOJ=7^-hRZ>H`A@x^$CqOTz}23g}$-GETc##%;`-_qpBMyC(2;I5sRmmhLr&s&C_xM`b zD3Y!3U7Y!dS_lo57+qaBOD(ugkat;OcE@JnK^H zA-mabX0zv7WFB@eByDb!iwv(^kQqI?^ZF!ex6`(?ny8q7%FXd=uFeU6x`^v0T&Muwz8I|LgmDN_>j+HjosUtfp?$LmhNLHm;x`MnGDZL~%eVaBal&Wt}jyHb2L{H7gmlADsr&>dcN->%-26X8_9sg3;l zqC&vls3RJ0>lTsxB#W!ZJP&@F`^;xbr>fq0H(rU%$r5tukP0g++!+nL*JD0nFgo^^ zUZKN61zKNE+V_3%U++n&hX&J=e(~M$Z=I{7_Pn4w%St1%Y#TimmZtq^)EYE0Kr4TD Ra62=tdSAS)x3Qx2e*j|bcw7Jg literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..8907e03577f91c6303d4b523aa88a3d23eb6f48c GIT binary patch literal 45056 zcmeI5c|276|Ho&{jCB^-35}5=+nF&lhLi{;)z~UZG{X=nWh{x(*ei-sxDjniX{A(_ zlBGpjlq95*Hfa%YOWohh!F9Xc@60@YfBo+F_c>8jnXe?MD{}TVFP!3@NS>gyo2x(bY z1Qt!Gk-IDxDMyq2B z+02Cw^Brfq6J70{=iAJ-HzM+{S67oq78CSd9j&(crqi9GV%`j3$sA4F$TRp`c--pqsNW``e++2My{y8Lj= z4nG{z<%fUK6`V7I9rL#ePMpzDaQ2Lbf>UTT^cxR3Md#lpZ$LQ-{(&VT9x$3Lq+uI9 zfB+x>2mk_r03ZMe{3ilC<{@LzN_hOjzZXz)rs5I&A3Pp`z$+*uU=a$5h`5-spV8v{ zw4l`ga^j035E%LE3H${LiR5yFO}U)V2u`T+>hR#Oz_q~~V^(mO@f!YslWXD|8Yb8c zL?mlNnv$qRXgRF1a|kyqAe7_gGM^a6;f4{p;rt=v+1vI#Yi{+dmoMKZDeK+A+%a_W zJW?K;o^svN4``!=*f|6;;|7mv0tigP+#RWM_k#-5NJEbi9SA2T-w z4SbCBG^u#EDwSz}YDwso#v6lOOZyc!?REKMRh@n(X4Cf;*JAf;g{Rz&G7L_Uk#?64 zg*)VvoqgX<^PDiX4T(TPaY#C(FDW-IX>QUW4vEDeQII-XX&-Cuf=zGUIFX0vHI>{s z`s2BAMwtW>iH<``CuYA|5xr~eh9E=N*~W!ZCz?>hG7~U26=buQd1nX$ntqcj1l+Mv6-?889{mKrP~U;OimmOJH1SrH|2wU zz6R?oH~R@?i?@1B(uBOQCui9AlZL}d9Lk!xhVrk2lU(BlQ~MHYv6GhUQ2k;3Y+*O$ z+nV=^Cu-&#FZ<@}b*14(g`Y?FmD;PKNuk>&uW+>j&V9QF!7;~H2Q*UpF z2*B}D+&*rS(Lb1mY~+3R99|&xGze13OK6h%BdmFoe#eCCbtkF%FKd(*pEE*hNUvRy z*7@@M1x6*VOE<~OC5}MAC?B5I>G1@5{A{Pu>Dufgr3osy>GC@NKxrPu$72PeSmVLLHdtS7xqm;j}-rqGP=3bInXaM$H zo&}4B!XLi7zWG3c)J2Jnp0h6hb{`tDjrdRzynuIPU3;`c{W)s)qlxSl^z_Xqj{LLl zFQLnW(3kFohON-e8m4`jvT>zv%qZ_Vy@Fze(vJ;CbDESBLYKZw_B?F~T6@2)^?T>2b}el!>~x$RluLDtz)ZA6vr`DdBg%?go>-lsoezVsXX47_2AfsIZ6{Pe{BB!a(2v8 z7Ryo!mHN-VQ}5sDx_30VXw_?s*ORq{Jsi9?yBd1r(N8-|YOO(A=X-E?8T1 z<yz^sv#96&J3#GfYxD@5ZF6OV*uvRTomn~4 znUtMF&G|}KE?udPS?Qeg&%Tcqru(B=lIOG{qd)YgI{j+3=_$Vb%Lj~>tmtUCmCzF~&A;H0(%Sa@N56Kt@1mzYJZ5?5 z_wy2G0=D5|UffvglNE%5PPIv@Jew1L99c9a!?);5;fw47#mQIab{AK5eY=4BeEV?o z(!r(>Mv2Db!_mn(lF5rJd!yw(zi?}eEf74vM*e^A*<}R~_|ND0FE9ZDfB+x>2mk_r 
z03ZMe00MvjAOHve0)W7O838F2T1IdiePsMUj35mEmo*SH2M_=R00BS%5C8-K0YCr{ z00aO5KmZT`1YiOv6hdZX{Qnq1cnqKb0)PM@00;mAfB+x>2mk_r03ZMe00Mx(zmI?( z%2`JAU%riu|Jx9Rwtrs>fnz`b5C8-K0YCr{00aO5KmZT`1ONd*01!Y-MlF;P`Tuc7 z#{aJogx7!=AOHve0)PM@00;mAfB+x>2mk_r03ZMe{M!krqNp2mk_r03ZMe00Mx(&je)E1ke9}@O!tAY*1 zy8o;U)&K!O01yBK00BS%5C8-K0YKp2LO>g3gX9JV`1o={!+anb8S-T?Xg(ufKu)3P z2u(voEtEA}dle^YtTOe_%9Dg;A?;tJsT^Nlz7P1T)-AMzrWu;T(rns9VQCs$Ls*(k zRTq|~vDAd6>5%F#X^6(A{Mj%Sp=pM)ur!;dBrHv1D+)`qsS3i0GM zOSjy&42H${5tA00W=IK3vuTpT z(ljrv*<*Ma0 zWg}&pWQ?U#q`IVLO6FktF--I^GzPUoqFh1+xsG4q|KP+UsbOs56c9i4Tz~C9SP*YB zJn$txbiBb}J`N@`$faCDltQ?-7rr zD%2z$62oNrQP&$M`d5Drh*0TpY01@dD2~@N^)YU^-mGnJlCZi+l*!OWU0Ry=6x)+; zy3m{@g#D$pEjGFbqHf7PaT#RCYgrVnF-726NZEO3@0&brzQ3t z8B9R89L}lSXzf&xRU^vent5j&L&MEzG0fkM708O1%tdKFq-Bw_`rjd?-nTM$@JPzS zO)|tVdDl78emK`7Gsc<`>)}ANO7Xgz9ZHILXZLoeO3}g_#iC5s_;2=@XgE~seSXz; zwMmJ(2?(a!%$SR4s@LOWTO|ofXm|PydUyG+(JF&iNr+F0nEi-pXplO?K z%{R&t#ji!{Jl=~k+2J-h{%qYRditd=%kA`*SXt~rH0UWEsCbj^cg(0@PXdpmDAXj4 zEr!Xy0(bLI0~eka^_+}U@Sx)|ktvg$NDrC@+p6{iRxuZfGU?quq!d!EHuWf;Hp}Q{ zX3xf#6Z)_3b{hI26Jnc|Yju-HQV?pAO%=mr#LjF5&*r|GfZk=k$?x4Q^b@xX&E1x6 zR$vkqvcS7eZDnm@`@L@~;Ii1X+s4cEeTI^FZl6xbf$&J(jHkQdFO%Q65CQcW0 zWjZeqiFkWWJGTB+nN$wOx-8)H=9oEqhlWe%{AM|$N)*ZComE@=2>O@zcQUKKJLqIv zz6qUSNzmxGD0)_%p&q@SN0Jw6QmihBu0Qd>GwI>RjRVBW+~b42Gulu5;NTXUnnht8 zwz+su7G*Mqx6N(gJ?jk5&t~gg%G{zt^R1Vwm&OmSVBA#mj*{@=kqCb``L|08F%I{o z={f#C4*WaEWXe~j5W@q-$zkXbBy^!){w z&1Se_-y#*on3mTZ9tkVdq*z^0A!+@$3l1gR`_!4KxBcg7PTs3AE8?xqCHJW@-3{A! 
zaz&X`vJOm}_pr0>odJZDN}T7e_IZ<6=E)HH$u`Qjw4~eWJd&JHlVWv2Gh(5cbXl+w(|%Yw(7q4T`95HI#DLW&%SeOVrRc8syL8o5LRc<-56ATBV0*= z*~&dXQ7XlQN0Jq4Qmig$k<;NEnPP+K*!9z0?rxsCA@zhh;RP<|LoEn|8PtHYVxN+fEZm+C%4H)#_pws^2Nc`n35JZe;16$63}ql9X_h;&efE`KNDue6L=D+`V;* z%Zvp>OXVEyTP!QQdxb_yC@FRD5oK~^^Es`m9eQ51(dyM5F0)ag8@=n8DxR_3KjPOS z{B@joBuSwr#p;5T6Lxm6TR4>KK9@9Zcc8;M3Y3oV^^5xamfW|M z`(=oDR?!W_i1^S!HP;?_M=i~rJd%V^ zlVWv22kx%)40Q6ej4eO%@!IJ&bYs7|*UGciyq>AA?`W^vWhKhw?F;2nj@vVQe@w_f z<>gXw=;5;Zn;T6%J!L}-(}SW;Pw+uvw5UAkvC;a~t4#^|EpqFn9I~>FDp84<7ddwz zD@b2bZgfbC#UN3TI$Fu@jGO6i(a8rAHMG~|E)V#WbaChu-wRsa%Ddty#oKVt=c`i| zZe6j?Q!xIQk)mSlP$?O<)2900BS%5C8-K0YCr{00c$|@JKp; zzjXfFBVsWI#*VvIeK<9H$@N7m%0u2=s?fBhy+9^ih*7G~C^GpY=H*vWm(Cv4tWHDA z7sC(C?fnN|VT>QGn5waM>PC+Vvy9hWo-WHDDG`O66z4$;ow>zXH{7>7_vkLnoQihE z)(tVG8x035CcVs{RIV%kEXw4w2Omw{?jYV@u90}3a_4n@9H;QY_vF@7IcYlaQk+an zp3WqU_2?t3e|%gn2FM||()#Fq?vl|bS9NTE@wos4aa9qREYd$_$M3~at_(_(**GGRAVt`z8+oNM1?=p5$i)CGp{)*>u4I#`@$XKc7bbZbh^9VmtCduqs zOVvzr)D(FskXCJCDhWOLe%Y);4G}kehg)YzT;h>5g_{)TR?XFYrTy`C8vP+^>zPRf z*19q^Z@t6nJ<?V<7 zmBb@W6lzkeTQz65n>c8nmVTusZ&H$&#$C6%eD;p~5MM9dhTpm}j5It%k^J6kdVFTY z)qz6ipa5@rtNZLKB6nK=bFS7DWzxn?^HC(-sVwhCT$sg+*hy!2Z>&x$EF)X&)?SGEWYoqZ zsS7nJ)~y2+QJ`x@3uG&Jz#^ zK}t3w4+nAz%960=LoP(sXq{R5$PQ|-!*?DAKU<;4F=iM4*KNE`^F|dilpMXXxZbyE zc~844xi)#?|MN0gC7Qt~81TBmA{gW@3768 z2HOd*ryg1lk?v1z*Xzf0n)S>avrqmdyIymXBGL;?_mfz$zah*HRQI^i?rRYI`~?8sDwP(Kc!Bo z8ipiB#uN$1?&B4$fox~&HN|4+k=s<}JG)R6QSW8Bzb-Qsnk7A~?bwcupr6nsZcP>j zg2BA)>p&y*h-jAlhfg@FT+-(Oh|ZaFV{wFah(eHYp}@z#rWZ8FO97t&oXs1+WG4z0<2 z;X_UO6%_b8T7>25mWO`GtG7M%5}hbxDhDL)eU>vsZ3UqVMGgX~OuJ4XXPLs7EB!;W z=6ZnCqO)+(!+KgpRHpe+8tm2fXuCtM*klr~gs-}^m@Z(LkuhQ-PEkG_)s;Tcc|fI@ zrr&9%1BB~}sN6R^w4d|mh@yW3y@&BBGaBE81BTq`Xp(H3YEt?zU&1h~!D*(q#6f`gSj*EG++f|`p9$K4snZJ$>y)7dsDip5kFHs!W=W@{wZ3*KP zd*rXzy+xZBeJqw-3r4TCf|-V17iEYlxMw2dUhi`A>lGymH)_J>wUbg5?gKm{7$eMO zKP@iV|73;mB6>c^l7?_*D|gCLY191REj7=m8Z)NaE;H~BUWqEJIhY9|r3N3#KDpV7 zC8bJ$Hcpgt7&)E;vozVp`?Vb;>B^mFDZB1TJj}Rm@QU?F;Lh#!#{;Le@RBV{y>z%L zgW3=G}cfJC!!g8g0f- 
zIJ~-)%R3oDnFXL(0FJ*cBE+I`VrFBE2L@IKz{lC5YzR;ay72=0yyNVg${yPwhyuos znY)?R1CiF*bh?1X$N~<}AD-^ghzCn!O~t0)g+2b>S)1wv;MPE0|Dg@FlCzu*&pGaFUv53le9cmErHI215F|P2Cdb(EeS+cu9WcXNI$=Q zRl@uy)Z<4D8|z%eL2#B}R$qA~*2kbME~tD;Z$ z$H)#+Owv&%Oj&GOM$SkRv5EkY4IZ*-`xOrVS#pRgTWf}mD^YGT>H^l#qK-lQvmar@ z6?w#rw?qcS>OpRb(RVEW6;AfxYVu4wxc0yr+m0d2rJYba=p(RJXhgT~!q;Va!VL+d zw!!o3{<$+LpmN8m+(?zvhZwxTY~V}4hIu?;8tmydj|$AZk5*ICG8Z4vZkb~{Gi838r)eDd&6!8Hh>+LsX2 zmd#HAyjtS(d?g@l1vclg(cgIm((ii!n&@i^ z`k}h0Wq2mYIlXE2*9~V(t}6WOqHZbzrUQUrJtO5#!i1G0X9wfQ@SD!wn>&*?swlj3 zMFB}qUYkfNlhM}kCBxx4-~1lDxkzFEt`MC)>>SjiG+i< zvDFZuw&BpJg7{fWt0t-;i9AzXZUv>sQ|1lAsQvc7qq?!MX#!DW;`k>Uc+AW8-A_0@ zi}#wd@88}>FoFd^1_>&LNQUnJ{2ml0v1jyOV)3_-FlWs8J zCYBhomm=ImS4V1hdLHo$5cVw@ej&@l^agP&_$HJqim2ghu#RR1*9K|SB-u=ft+-}@ z#(<}g0a*f~ROi{|!NnE{U#5<=(cst^TB*PHTz`_!4_BUoGVXn4L7mMaS-d7VMEK+C z1<|%J!7CQ9nUPu5x)Ddt#DheA^UkpTxyta?$|(-8E6>jxj_O z=eZJBK3e&wrFEt1_`>*GFDi3dv)GI{EOfK4f?mbHWRJ81A%(!Ijj%C8#r*ly}!XKYA3Bqcq z!0fagI!CcFt9Q2`W5nlXiam&W{_IP+;;|>|Ue!s$N>$i(xcXfUD=jP?UAQE+ieWfY zqf&k?LbTRkoHm(xDovsr&u+Ua-%vHnri+0S`S88Xz0(BBsCb4Zh;R&)3Zt6lG>3m0 z!-XmVDQq4u??OkWPeyM|&=>%HZ@lRjt%>DK@g>6v&^&kfXhg9W+8N)N?l?!YAra-R zchk7koyYWJ_cM4JQ-GMJidye;fs$;*u&@c}L=<@vM z7QxOujoInZP3lXtOH?&3^}4$XmNZ!)aKDxNy;{gjnYGIjXwgtCR9N)bT-@wSGHBHE z&fix2KRd{4Jkob1=}Ge&&E*&75bgtlo|T($dC(&k6ZGF4eJ3!|COsW7=}P9uk|)a` zK$AuJP$k^8wp9pHFo8_cJWrC1TuUQBtSs{U~ z<1}^snUK`L`9s!p+Pj)WutvGksFz}rzL1|r@c|C|JfGj!G5x~#l;4!6*|2*n% zbPNgIZn($R>tCkbBE#}vuv&f!Q~cOwE3$`x(u*8i{0vzo=8+ZLF;SArT@J-8=}Gf2 zZrFgu({cmHh39d~szFKM@hVz8LRzKu7bK^aP}Vbzfhhj!&*OM6-=oOmItrIXJmQS` zBCJmJgVwF6ZF$xw5+}0tWw|jWFe3&DDuzgg_YDCF6)_eB6uID$bzi8VP~V`{n|+@x zBE9I$+b}UOAutIB1uG5%0vZJX1QhIiFj!FD7tg`@eugW&6*Uplxnl$fayG0o$E7Tx H0s;sCd=XR| literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..16075e71f320303d91db3e74cafa01df05fbba6f GIT binary patch literal 36864 zcmeI53tSE9|Ho&}txmV;wob*?QBjdP*DiADejzFqLgiFPy3?tIEjgqMN=Rr4i72#^ z6s=8L#L5;$h}JbpxtA!vnK>t=^;^6D`u+F6|KBsr%y*v4XP)Oh&wO9=Jo8M))x|L& zf=^!*79PTjptB))2!_HcYu`df4N~6$x`zkY|IU<#3>Xt-kuHcL)eFf` zkxJ<*={RX~^Z+b?03ZMe00MvjAOHve0)W8(IstPEg+|kWJpw}g_|d*Wya2yYfxtP^ zCpf@Y!fKX{g_{lCVWzdsTsj^{cbZB66i?UXF&QkqDP&y19ajkE`S623rJ#JKfX5A1 zVCz|vD729puqU2h5a|=h_l@|ZK>kcY96MNp$zbYP5Ggd(zIp@*1d;skPa>qxL`0E; zHB6X#38t_FO+y1tv54UL1oJ;-|6~xvI&K!0jy3~11o+XNXF1HUnB_sAZsS3BpXuP@ zZiAh{%4w#pql1+j-NMpomYY7E$3Rymy0XxfjoEkr7Q)1WOt3=}?9c>1#FChBunia6 z7-1V@Y-56LOtB3Q+xVaxQ(TH6+Tw}~OoPb~od;84GB6n?1JhwLFd-%bQ(`hODJBEc zVlpr>Cc_uoii;;IAFj+2*|;(bS7zbLEL@p|E3qFAJ|J3ok8)fi5g27A!U~T{fPYji+Yg zsnJM0i6|kKhJ%yhFtBrTa8ewc6bC;m2R|zZzb;%nFBezi;%ZzxuP>j==CHY#q}arC z#U@rUv5B2QY+_Xun^--?CI(P!ViZLt4n=JCXT$M`L;JHC^<^{aFAi$<6$dr@ii4Vc z#X-$JUDWI=4r=!4qUHcytj%C2MnkcNBQ~+tBQ~)nBsTr}O@6<*=#z;z1W{U_{^Iyx z#qs0v7=AuDaTDy?GH~ozS`OO?Z?`N{Jtl!dv(bPdkrP=OjP~fgd65xe__6n=JJ_4~ z$t0q#RuXf!Sf?IF-eV?Jw8KoW00MvjAOHve0)PM@00;mAfB+x>2mk_r!2cftk`yVl zGE}4hLb{L+2mk_r03h%;5s)O3 zU^4B>JgUfW@sbo9o)Wk*qD7V>He|>mBgTRxHq414!<0pkAd;x$5vEMM|1WzAl0Ait zk!zAmmzyC+mMueyk&wTsg5b1(03ZMe00MvjAOHve0)PM@00;mApAjGtA((1MS}hMV z%$ZXdlPE-Y5>bZh#ur4;!^6TN=vEfkN8NPiFhPWWIN#O9k?!j1NDt?u2LeGrSSURL zODc#&=ZZ@Xla9nN=}?AAhdfL=q+!w_I*?W?!wgHNIb(|GdKu%_>rY-Pes~l=obJmH zj}Q>-Q6=hdDB=BoxqA>&kE}yXXUPANvu_|4)LD9Y`TM^Zz0G1waLohom7%|Da0@iV6q-0)PM@ z00;mAfB+x>2mk_r03ZMe{8I?@4O58sk_yDJuxP-++m~nH8y+Dcj-en#O&FWvAr2>t z!%0{U(J+8GhA569s1YYp1%hBhQS5}!unD2O5WWCY74`p@K*)Wh5;=$@A^AuOauI1k zmi$w|fpP)@fB+x>2mk_r03ZMe00MvjAOHve0{{02s1P~unOObuw8jITNeYSGrOGFB z-s(LK7EMpUV%@@+_p6uxGBcp+S=Avj!R7X>AEQLG4X{{BzN3?s#kg+)7|MDJn4M>Ojj5^!>oZTG+lR5z@0V4VY_UbW-TjDJIi_+ 
zpz5!admyl#nO1cq&UOx$W|iniUV%~3gf=)s%AaFdEziM9|A)(8<1$DJEKP=nPL!celSO~2gvl~yve91?;mo7S za*P-pCP#cY3}+C+ngfdslOduIMj(a|mLdpI0w=#~c$rMvu~az8z(`oymLjQi`>y@T z*U?eU{*kC+(6>q?GJ^=i z9|tl+FEz>xhNd&j2;17nts1k*;B_l$`rVVoceNY+FW&c0@INy?u;ocedR+DMq^5m! znfft`&gRUcooXWl6WYic}3mc4$9dfVc%Nx6n3 zsp6i}Tk0$CRZCT>1m94(Ae^9NaD4Xi_z!V~osko==1AIf?>Oe+cw^m3{f}O2j*2_xGj4Qe*H8MivE^BNXV|6A&Of!bd9}`+chu;+ zx~|cT{ZM4{GWm8davZS;a_tyzjMAZ z7Q^X$Vfgo+wsNs>>8*pCZ#SDdD+9gUTwBNX{W_i9$nHrebol7b)=Jt)UR73qI|G4SMxM#t7-u$OWs;TFXhAJ_hFXpz|M8q#8uX^3AV!+-!R(8~#-jOMD zk;1?_bIZJCcE!O6wdVVmTXnULejB^9KKGqrO+wLJH4pAnKNnM@x}HfJuBQbRHQAhS zc`8vajr2XlswXv6X$$?H)I)gR?IjRhzvks4%g^{RO}Fh{CRd#pm{&ly3Xg z-DdlY3oW`4*0YUEA4zFFSx_r+NcUr7oK<$?)C;vGD&A5-kIJ;C?(knYm6P^^eGFTY zlzH9gOhapV{$mBFQM?_O_D83^ZlBfBy=^{i@5c2@x1^11-o<&6IEMG)@wyW>V_)4$ zKIBdRO|xuw^XNGpiyz!FFx`05vL?%ze=fZ$b=1PKpz(s-xyN74I@f)7K2bZ6 zt-UO&v&`D3l+N^Jta>d&>pbC>mZcQ?(0CR>F>!45q9VJQ8P$rt)$#Y6eKzTuUTrvB z>$FpF)~olZk=gk3Z&uyb$}O|+j80%#F~+=WKIwYx@yAYwI*Zt~rZslqQ=8f|;Zo`b za+rZ<9OcZ;!0QPmw!+iTy&v(4WDj5G3NHHG?;Tg7rLOQ=PmWr+y!~0>&xs+V4?Bc* zDN(6q+w{(+CZ^R?UX{6I=5c3crb@v4iX&RmBpv5XVk&M%lc@I)24-FVfRjJ9xj&AHDu^H>Kfr&E(tTv&Ziy=|npVrY$KvK7}Lo0IJwp zqg7d}?6Uq{H$VHNf2gmjttyghy3u3VlhXy;P25;Ys>FR8$IR&7&|Ujo&As%QK?WW{ zjR(w*9pX8EIGbS;eImSz*JU*M%=ToiipffamA%(?N3s^_Bl?>kWyF!at|Yf!j@7PT z{%dxQkIyDas|4F*-5a+OD)M}$wr(k|azA2x@A>HzncXqRJVwq*=5)XAb-B(z<7vQW@@!)3q*WywvA!BK9F7gUGrrnPztsJQvHm}iN`$0Kq)wtcumA#p03ZMe00Mvj zAn@NnU=4%X-vJz0VP!=QB!~V(Upt_0ITY8*K!ZAmc+|igf7QnRk~5lzfWODUGNZ3E zzWA7ij*($;=>Pxrz63g`4WXl-lKq$L^O3(laS4XjXQ#P%_4nC_Jh+R#lKFj)y@%$B zjPo)-{P9f+QQu_Zhx@6qlQmfdx!?X0_^scT{p)=AD`FC@CH}_IPnwG-3L0&cpG{F7 zH2O&x)a4ucIMATJI`{L}O5Az>)4tTeFT20mn?Lx}E zUvI|GQb*GH+mc_7_gN7BRDN`9k!Pyp?MJ>7OvcrZ^9YVG+9uVzYpldnVF{iMOeTMH{66hcc%*-M27msJrncB}M|ESbcbdGs zQHP(ZY&OjD%~Dq#7v%rOErs{P0g{eIr0}$jvCbIjp1&~qsa}}ya!Gen@hwk|lUYy) zVX^KiqTyWsX(4yolXj)rjaxYDPA4@6PM9>U8W^45>aNedhryQIw3xc`c zHxFj|CTL7+my0ngohX-_f0l6iK&zeqk=kQdLvPsmPIgu?QrPQOH+B8CJzCvOEWV!RSP5ko8FpW?p@r4X~ob8v(&2nk7d z1Qt!GmAWbwCq 
zcu)+}jv2$8Tua!x+gmTOCoZwJS!7R~+)C672_(9?J2_js`w$n}`w%@{oECf96J1@1 zwyrMo7dhE3A-dbUEwZ+?Hze{tuZB~`S5*Dk5@HIrGmwaoh`^xr?5Hqa(vKM%6A8ce zo7DHCOhy`pBrt-_c8d;K$BYRQpD^d-VrTD7gp-hksR~3rCWTDZ zw-SXlykLzmCMzgxs*2bT8gTL_4P*WJXfXv94W!?=?O4{Dpn#Yu4bdMo*yHJ+R48PM zzAZ{jL20r#A#8SRQ1p}x`Ujcu>`yAD6#dk>NO1)X4dhN+_>fHrOhqCSQsakhYP&E8 z&f3P+eTgBFN#;Fy$BjwlJ&mCl-T-Z(K$}dVm!{B5Q}`uR#gqmWbf{oJg$Y!cLWLPr zFrk9QE6iXi@^}d=k|7NWd3-;R3WW^GP{@!Dg$xN%$dD3+3`tSQkQRjuiBZS_P&r|5 z+#jq=9gksUDy&R}m8q~Y6;`Ig%2Zg{7;a?@w=#xX8N;oN;Z_Vd%Yd^CILm;ujPWe2 z$$&LY;F>TW3Jiz}_moP8+EU@3Qen3=GH;<$pv@B@q-zY#^FrJC6Q_UEY%@|X5c;TcSUN~uo7f#yYg_F9xaMBJh zoYduof6|4{8ED76tr02eM$| zrqHn^!`Pv^G-C#Q-crr#g+#L1VYAsm(d&YujUpnAB6t%{_N;*D7)YE>C$Nmnq$nIRh^Xu!QxUT!(qnYfF{r0FyUmpi!ZZSuHb2!oR_*wCeJa(Kto^m~qQ`?b-#|;Pygz!wCv`a_p!IkeL7rn6+@QSp3;;;>$+uW&%GixZu^WwVnvZCvJzUhE;r7q>~2MXJw;X$Ay&EBRyD6v1c^i^AthGq zD807Z=;d&<>b)ydKXvyoo@KA{a4BD z2n^Rm8TGhPUG$?uS{8j04_>TT`DOUb+wIfv{f9;4wbC-R7Pt%zJl}BgN#fnE4?6-b z4cXXn*`^0GvcOG3<)23lO-y*U8e5syYQ7KiW?6w8{mvgISjkXmYSoSz~ zqrp%}GI#!xr7xb@ymtS1adFDioQ%}Qfd}<|DI5LjJRMJ3m%Z*AXYF|5h@Yv0nQPVu&H zMIA5nTrAOwwQsU~zoX%z zTjXYPL}mB3I*qPl9{#eAEc~1AMy?)EB-64-o*Q{4cexw!0vk2=+d+ht5{a}_Pf=utTAO~!cJFcA+xkGy`1~`)6X>d@U&ZOibxwOmq&8cY?hIrENAJ|z z|2${0=e)J$8#qN_W%nZ00;mAfB+x>2mk_r03ZMe00MvjAOHyb zj}Z_@p)t_K^YQsV7eV0uk981q2M_=R00BS%5C8-K0YCr{00aO5KmZT`1YiOv6aq6o z|8GMO+5i+l01yBK00BS%5C8-K0YCr{00aO5KmZW<=Mm6GxnTtV<=goD{}qDp>Yvv` z;20191ONd*01yBK00BS%5C8-K0YCr{00jO-Kp8a$^Edw=XMFzOjUaUYsXhn+0YCr{ z00aO5KmZT`1ONd*01yBK00BVYA4xy~MZ^5nf4LRq^#(~8h595lzWPUY510l700BS% z5C8-K0YCr{00aO5KmZT`1OS1*B_OE?-T&9X$|DGaggFEi!bQS*!b8G-f)AdFx52mL z3-Db075o-l8ZHEn#?|39aj$Skv1hPZxS81ZxCJ;Ywi!#u%44IkOa68zAOQ#f0)PM@ z00;mAfB+x>2mk{A)dbW~)<|~9D!+iB=omjTonjIYOlSIye*rm_s=+r+CeA?3gIk9N z#ZNXi`=hZszbskpCuur`9>ntjf7QC#48CboReos}U4>to&Qj)=X3>=RrRhvXerX0- z;Xl)iAX9SSA03nDn>Ll>muAsr`K9Ts>HN|xnhd`*ohi*P%^*+vDQyx+qx{h^0^hVL zo?n_p$MH+kSy+B)7EOv@n$DEumu8SLKc$V$jH!QgOoDIPRGeR$MHl0jrn5x(rCBsI zzcihR;+JNSMWj$OFl(7?c3fn1AdWW(Ao{lg!yd_7%fSe21+l 
zp6p7to_dKT)6m3w4ae7L{$5h^~ST&qJ7%w@0Y0_OKT(O^S;AU1W6=I zib;&Ch+zI4qls}5Ln9X=W)dapUT{(TI`9<>a<)23FM&|h%FWr;4efGf85fecsN1Zph95OGeTC&RyKkxp( z)_r;UTmGAR@;{mUaljJ7q=;Ko^|ZAYrKH!D51`I}NNT|v-Zs!E z;b>MQ5ss>-R|zs%I}_oXfGF3`nD2TvM_B~Tsi!k+KWHXxoGveWw$db=Lz3ff(o_hO zAzkGU2X^~Ez7_fv5tsd*xk>kJW7fQ;_}YOD%4eR5Jr`tBu40Eu@8L(M-{68Mx*6I> z`nT+4bY|t9N7y7)%30>@;E-hbnq<+1F!}uK;FHg3>wC%?qy6!|g*~;1=&O4ea-}0# z%kMf4j3fv$sr!a&rgzCCV@qq+i}kOP9N&IwzI6U7{<>C$<+;Zr@9`YcbiO9(yzizJ z_{Q1DDVi>2xFy$nZsH1j7x9?BuI+w}T4lZOn~PGex6d^YWb$n9-r?Dja}HQG5S-N% zaukn*(i*o>R^%`ON{%GG%;R!MGJH+4XhN9$Hu~a_%BjBfCy&a~4p?j{l;~D|at)iU z@o~GY)y~S3Htt7PSn_eWNH1l`<%I9dF>AKg7S#KzN`Lz3oek}k{; zlrrRVdY$>X`1l7$-KOuA*m@}!QQS0`ofleN_be_glqSgJH#_Y1Wha}f%P@OA$9^jCs@ii&b5M-!!w14Qa*i4IvY6t({RvjHUSER}vAUDak z&cP&p=-esDWFFebEp%31;^&qZfww+;1ykuk68;~W+s2m^<+b;4Y!yK!`{_}4kBh56>o7W1yFGe% zd+1>P0lVscch8=03+&%zmU2jV{w9SPg1n~1ns?katKU_+vFwf$r*a-8?oPlW$E!!b z75u8Yw-_hLq@1z~vFtKQEKpOvvsEl%&F%r+!>`AlI^pd1>0CJfA(}(N@ii&b5QNv- z#Y&jhZ*a!6kd$yRgz?!WF-%_9qMvcIeSb-@5>=4NcIymvZpDIFGUMu~kyT87{gZd~ zm$StTKKO*rMz6kC#UWw&niOgXdK6+8)}qmJx-9heq6Zyk)!tqjF`RV+Rpetl_p4N* z?`uIO^LHu7aF;}X-`_Z%M)zuc$Ar483uSubXphg?3gIVSq z#+K_~C8=?q7B^1r+Vv)Ve}$UNNGfxhubUu~^~t^APmFrM-gO+RFO(ZN+&HgTN0MW4^!0y!)!=a5niN+cstP{i2uLRHNJVO7Wcm zPgk7|TFN0w{A}`vNq`VT(5p-J#n;V3vk)iyGpC*W-da&o;yW7L8u3LZxu&@%#X%6s z<^BsdUUKlhTteU$kFs~Q;~UC3YVTWOTFlf-T)Y<0I3#iYCWRS-zLVFMEL@}=7~;HN zGNv!J_P~%R+bE{_8tYVq1z|LPogkB52g)N(tv`T2b=$P|U8-UGdN*T6QU9po;`MW~ zy;hXva!6u)O$s#xS+^l(4;*q<>)5hX`%-3AbF2TL_EXbB|Ay-}g;G@+y@E`-9%Cz4 zny-7P<6^R^{p^Q3oE%X~x zWEiFtZE!Sc$SyDY{$x;l!)ie$o9vYn)1o|*11uA?TEBNnoh&V075r_^kn`mRxk}{l zRt^cx*Q8KGkaNbSSdVST9iOc6m+dy_#BrO}l!dG3_j!lwcW2>MMg^HPKN0puN^$Uu zvgm5v^*0mdSG>kVM$Opp#x*uy?j2M)it@rsba<*>RFpG3h^fIDY`=$3`b2IhzZtaW7 zbIE#QQWH~JtSAyiRzk~~K1y^?t+1-GTaF&kK5*z1kMThP0I8u-OLq zMzzKcX#S6pq$3E+@fY#ZxG-!zR#R%TWE*c2SO5V)01yBK00BS%5C8-KfpG#HlEzOT zoqxPVEX2h4MjLng3@MqDL*z{#xg%n^#*(cI60UzsdY)gFdL+ME-~~jz%$FgT>Q0O!-CN09B%OHmbX^Q91@YgNnviZ=#ixM~OVa27Dn^%{%q_;djlu~m%g`=S^ 
zI&b2Z)nDE&7XswY*mjZG%PNwSR~a&w-LmRg71mLMlvR8--vAl8_ObMspg9Pu*U`3T zmiVVrUuH(H4$mV{f4h4)`;+5|mb&eIxg$Qs91S(T9);o95ngro?&pQSUcg1wm5MXp z*W?nOd~0iAXZ3d}hTo}qFUVuhaLNmx%9$1lxVPJ170zmZ;x}ElD%iCH{~~@&tIdaZ z6=cTG2m8;r{>+2`+3MWh9nF=R+e%ecdf&!osq~8A)bA-D%pOI1eXQLnA;_dxblZ&d z=Z~Lerd~1IcqDcV-y`1d!7Zd|#jfb|?9m?OkW~4b6y{Qm!C9J7pN3=bNH)fzyUgQ4 zZLe9|{oL)6;=Tv+mt$JH1epxDzm2%;Wa9i=kC^YV+9u(|+=E*@9HYu{E8JBIG&Axz zBo)3Ug}PLe$&pk`uJqTHL1C2VW|@bcwbaDWbG?))st%j8Lz_YZ-m`=ILFYgvDV=3% zrbyEJSUh*{txt;Sf=nLlF3HQ(*)jI!_Jd^d@EGvR4*|q{P>x zP?u_M#pm?=Hpe%o&rgy09QRr7iun?}uZHWXp#|RN6*JKL1ev^b`@y0!>g5Xab^J7R YwJF|(xqDIH>m1rw`)b~lamYjd8+gHb$p8QV literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt new file mode 100644 index 0000000000..78691fd862 --- /dev/null +++ b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/server-no-names.crt__server-no-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/server-no-names.pfx b/src/test/ssl/ssl/nss/server-no-names.pfx new file mode 100644 index 0000000000000000000000000000000000000000..3db5c17f9c65ee8e38b435307569945f5230eef0 GIT binary patch literal 3109 zcmV+=4BGQBf(#)70Ru3C3+Dz2Duzgg_YDCD0ic2l*aU(L)G&ez&@h4qhXx5MhDe6@ z4FLxRpn?W?FoFhj0s#Opf(C5{2`Yw2hW8Bt2LUh~1_~;MNQU++eJi%sogn8c-1!Y0{EinWk1kj!2)1`E#3r zcx_zQFV2=5ZjT^bL|#%pZ2>?b4drI6BYQ*-|6y@y)1mz=Tk=8i`6yXi*;L?qzL}pY zd1urdP?r$?4~)4&0o1wHwsexr16d-;wI`|GI`S`sq5j_QzjCu5>Uh2+=1N(qH}m*C zEp-qABF?F<8D{&(K;>4;=P~>!;}9!>%WO`?bcepRK4!D$tLblGdEnNUZEv5U%kQf&_oS2#ja3e&jOn6hAp%~l3f(SqQZyX_)|5why!<`26^?rQ^o?v zs*0tM9y@_V4K*?ne*oxyB4stAa)V$NY_%zq5^ye@&0AldHDhu}ghx>45rm`<#Qv3& z&Go{AQ3wX>=>cLmr%mPY!Mef4PaAfX_iQ!+B`*z)8c*&j;S2V|HH%^l9@Mg3GyHRk zO`T{pDo6jrpK5xXZN=F~+@FOY&z>o}9R5dkmQ59Tql~y@B#qv$yo7uQE*X__j{|!y z6(Vg`0p*~h8j&t6um_(R$(~LPxmUw+*cJn%%?hhT%h4eRESt7^(0&;z&J^HpK)8f) zd@hR5BQ`Ze|49UnNegM3h9%iDbdtcpr}^V*8r=O@s#BWq+1h>N2GWT*2%WB8`v3Lv z8sD8u)o4VweG2uSv10TbCsh5c1ugx*L*}rwJ za0T7yxWM2}yt)i0GPk@z47bS`?;Eo{YW78kl?&WNyVQSIlAXLpC(G%7k-cIgEB%uV z+2}2ztB=-c1Ea}~fCiOJ=ntXo8LH5v{~ruTB+5=9xS%mq1ol}&09fsw>SKksy&t+G zo3bYolc>v63yxV*rgaVcR}m?0RxuW%Z1sY%OHq4In@%;bprEhEx@g5F7c~tS!Wy8A zy7p9yU#jTXSIiJsFSiI;qU!ltaj;RzzpgaKKWz21S4o2R29t#%$PIji!n8+>clsqh zL1aey!)6ENq-%o>mfx!wO+Y6)x`C~q!9tNB%f9=lN?;!8|F5_%sp4eQLzZW+`ia#Q zMjWHy@=5Lg;*nS?s@7%VY~!RLqjy$EN8-Frgy<_CdoY2!4ZH7FBY$CltOH|bO9X=V zJ3ay|1-I3Xe*}WThO?oapddgC=?-I;|4Ggxa3=4{KQVYcCU-@@UT{@qe=78$xm6{* zKQb{FSbbyfTx2MTlVGu{hf4H8Z2XO0b6x(^FuO(%4V!v$qDWqHV?@;-(9V(fIk$+1 zxqWm=N|0N5ph?40jb#}n*_c%QUBVuga6-Er;w?{IGjU(4hL&K)>~b)piFtis0j~~p z^o-FIA;jW47lQNSb`2m2BvQ=JdirtZJ;npxL7dK}glKF@a`ToxXogkq+hL)9-g{Lq zJ2uQ(DMV7?o(wj#m5g$oe6ns?xvbIHx zoF{tcz~XNSz8AH*{?bQTFhycVz!nDL)c9~m+DR+y!57yj-f;segX!e&#j`*%6_+06 zb|a1=g>YWX$DIecWb&c4l*yR^s0h-VpZ*e7Hzw}sF6?GZ6uy)gy5Mo3#v=wprN>Qw$oq3I8{j#Fcs3)8o9yxlNe46CRSyNTW?gup$^O$YkUl&d@p+&_Ae=1W z8??jd&~%Xwbspj5&LNQUDGX5xXPrQ02uLYbY|g*M5bG zDDUWd=8t$1Ml%DyIUf3eWxsQ;7uO{>sE{&XeUH|@((P$ 
zpvwlu-rb)icwL{5ZqKb@gf#0$-*b^x?@;-j>n#0?TJdm?0KDj@5tN73A|qzUZ?&$I zmtME^bO@jI&CfIPK&ERTmaRVfPcMS&Sr|ySzG*0WIb0hkY~zJ)-HZ4Du3xM*b&Q;d z{*d0?M+cS2Dmzl=~v2eSg@DNruNpGpG?SrjMsyiaWHi}mo}eL^)&iEE>(FUa#X zNe@$>LgYaKf)wJg;l(AzGZ31n4_HlRAqs!J4}pYVal}$ipAF@{22u7eR?97|LII=@ zSXo17Fr^$@co)`g);`2jpMwzpBi_rlS(=X)pu;nUlMi)VDu{bCGRjXt(A-_{4dU`| zPj)|Ho^E}P6Y>sQ&E2x0I>qqZ;|NtO8=lZTvXvhJ>|&v6 z;o5khqECy{EPF!&zI{;Zoaj%GohS4lN-Afh(P#UCp9vPX@+3hoq!&|30&zo@9A|e# zNCp~@pb7#ejNL8lTq5)EIUgF&!A5_0Oy4_7P9R$t_aOywFwXMIRles&C4)W#mw2%r zv9b~37e#u(#cIn$1&LZXh~o-!2&r#m)Oxp72`cH%eFMUgkDk53*6Y4!3?_ffhTfXb z8Vmajo5aA(gRNBL0!g&WoZ~h|aAC48m6C^6oH|UO#`rbscrOvKtp8W6lp*^w0x1)p z;wqG5B)X?YT}k}ZaP0`Yd?`DEx7bf~#|~^(-uLNm%W}br362dpI!Qw7_^Y&n^Nseo zz|HTH9{O=vbWlSQ(_uMk4)B=TYnWV3j&0I}i%`K=ToG+lT1_3HlSV>-8$Y$(xpGON zP2#;v5CU~+R;EmXDJl|MQ9^g1OeO00M|Ip1g~?5&Ds8K7#?d|ZIYwrY(PF5V<)`=L zBy|Y}+y&0fTP_miTPs`WzTz7j@QamT2ABqag#2s$&qJ$AX91oXy!i{PVPTY3{%=tY z%!qOM$uNQvhr^!$CzrXIWOUXW5Vv;5u&|$Wt>ijkz zz;7xaSf?E@=MDe$g|f$RSW@uC={qw4KrafQr}byyDPzlfQ<{q4D$$MTmZqam4%=WN z+Cq+Ll)2P!CG;d8Ee0pvn^;SOLHaBkkB(pszZTy2leJjZYIggdKDIEUvTKgfda#n{8?sJR@7zp) zzz6<$Ne**8e78K9?@i;{C`INg-hmozV5Pj{Gq!eWf5Q4{qa!1 z>Dyx=U&;_@)Xl=?PbF^fE!F~fF6_B?m8T{-Mue(uPVaCDZkBt+?i4$X=$CFFBvUN{WkW5*&IkxzdSW=9THR0HZAMx@L?v{r5*+KV zD??rNbd)%SH#lq1>w)g{OdVHzGWQaT6D~%&Rk8QA-qtR9AYs_B=XTaw%IUMO1r_E? 
z)v+4aM#R5CEV>w5+1wDvs2g~*DV6_{iFA@xy$)r1)rQKxVp2jP=eHR^0^V~P@9`Yx z!sej&l;pBNkXIyx!^Jn{k*cL;HLMT~Vl6&*g+~IHy>skpY~$-CjIA$#?LE-7y0W8E zPC#JB(wKtuW>VvONqS1*d&h;F`PP&z6`&0;DxVX~ID=89r3@;jcX&4neBG-0kE&iC z$hw6?<0Xi;*qpJLx7BW+Jp^*E1IHU|M|NoG+ZpX8-XE(;8p1ryb4YTBKS>5j*nHmQ zDvC|0FeBC|H2LpzAbk&H8d&FgbbOboqQYBjv7T$m9ZPsUbJn{oUnV9GPLVbq8)h9$ zy~HZhRFMJsI4_tITcm82ASIeqj=a_?r3Ewv?2FK7BHIXV5Zc_sIBBrTS5Oa>hGHJ2 ztCUuXQoLE>oPrds?4UWG0Q%1on7a!iVq2+^5um&(!aCW*7Hogq2fymOC-r}dU6jXI zY2l_z*VB%k4&Br-XE#!m3f^EF7R`M1&L9Mnb+hevX@&dF;yAF`uBa`?KA+^Lm> zv0rRnsjTeS1^{!OHGHW==wI!kDY?SO0R#W&ZL4Tb4PE6d^G2Q0aXK`QlUtiJ7DZb= zfrJBh*(`%YQa{W(yOo8j@W{I5KUR9Hm|6gE%vz_}C+#3LJG?m9Y4{t52+}HZ3^0$t z+`C}Q65sm+6$p=SvMBleU-!-A)Ho)XP1d+90x`sCe5cC3Q@&*0pSq_+sm&xsS(R?I z?PF|pr72a}F836yus4K(kq59%YacdL)p!t2fQcCr zl8yYK6f$nMxSylBAy z`cD-#HRE4!CPIDjtDrrDk|BtY1CZG^?Ra_ZWJLXuy4ri5V?G;Cq`2icf+AxhSG1rV zs0=>iHUpSS&YrqVJ&FUKZo?H5U{}N17Gy@zJC3GmUaM zlYySY1Z!`kl9B<5OIN>Isl#4Zi%GJrkZZ$k`t*X9$um6nFoFd^1_>&LNQUE7Sr42ml0v1jwSx-^rj~pfyQqdJ!{?Fhn{(Y1S)w&XeqXu8kTn5fM-N z-eh`s3i;>~6oT(41w;O@K{z^pz97-4PVrX9nsktfK_{A8H0KT}pe%WMTdk;%V#!a% z+Hc-5VCF&={7oi)oHE9bCAq5`$#lAW1v~!;7`eqT>=}_8BEI(Lx01%Mh$f1|PmpKv zqm{!=_1&i#OEWX}TWQ6u>$>`A4&x4eeop92q~a!}vwN308>l=EV71$q7%rZ1TA&tC zRChQ=|5*d5gObjEE0e1@Dfa(pu$!^NX?=@ABGv#M;aft;!tXg&`{=%el7Kzp{UX%V zpD9Z2yg+ZpeuRgAA}ym{G~Tka9E#qd21vtLVaBDI?&V^z1c=Wpr-hUx zbRSoRd4H}t0dA;<^8F>Lm|cV#Gi7>Pa4LgGL$xlhRGDhS8AImqY>o= z^ifBCywtzWPYh-rV7@DlIzj=oJW4X=jpN@<=a_sGP{;b4n)JDAHhOJ%<;s8{ zS3mZ|#>u;_l4=PDnd&9-J7&8k_1AM74_=8fFxyre%Q$&~#pOZpJzVP1jTcRZGQ|ek z%KB4#B3g?RncpWs-XCO?cooLr!k(Gk++!)u9oT>vD1FMH=an>cGX(^r5~*pJ4Dbw% zNdkJQp&uJ45gEyFK5@?nR*uILE@KVC`48?tWhr+n zgDf`-ag%zKXxkkz8oUjKsKfxo$e8YPE;_|8F2WFK6j8E51^6QmaVSlG3k)gM9iUEr zHcSP7HZA)WFbv7`fMbM9+CZV1#d(HIxtRph3>t;ht*5{?2p*ayE(nBoaS1UcFe3&D zDuzgg_YDCF6)_eB6nfR~gGo)z^le_ap`z}&-kgJ6@h~wkAutIB1uG5%0vZJX1Qd6q jxT($2&avhR+GII*NQh75x19tC2(g+Q(2>izh*wSd~>bmfZkcc4RVnJv?NKiy{ zv`1`UScpKz!HaL_!)H2Ap1_~ZB=VTSl~9;MD1-$B3d25@pnal1 z= 
zB9hF{HFzweBx_hkT~`-Qv5N@^3=@8={?Q;wb$smX-T3`Egak1?yqqW5dCg$D@@Fuo zOm_C1!pD!`;6B;W&Dp_+X=m^5!~#y0`@CJ@_L6H=&TODLka1`CxO2UlUCxC{%$byz4a#6oc;7K%%; zP+W_J;$kdRfN!PEleCXewvgC_vIU`RK`2`g$`*vO1)*#~D6@%LY@!yMsKq8~v58ui zM6M-~Yf0o<61kR=Ttd^5(6k~-5`0($APb_W7ARiVg6OFQ(OM3QEfy?1S!&|CY@#%q zD9t8HW0^z|NkO~}hakm4@ndrcQXGO5hd3&SI4XxYFI=K7mr&ypYFwhOK*(it*j!vv zYT~+56YrSR#E&2~@h(bDyq{7N2PidhiV~B6A~pM}5qPAjebp>`t6BCn2Qzz{gPFa} z!OY&~U}mo_X7)A*GkbM0v!5bH5_y2eW z`?EfpWX#pd;_eoo)WgU-+@woBa1$(m03ZMe00MvjAOHve0)PM@00;mAfB+!y&mka7 zmBTtiM+zaN3weq>MjDVGkt;|AauQ1d3m^ap00MvjAOHve0)PM@00;mAfB+x>2>eY1 zWXTkmswLb;Ck)M-EwWOhSw>PAyep7jcQ+F{;yaH zDV8E57!8bc#v}$+@eFbT3ICfq2o4Jf00MvjAOHve0)PM@00;mAfB+!y2>}Wjg6R_} z2}&?(%NmD{p^>Lh$O>E^VRQ^LN+gP5I@sYabu&Fg(J{eMLT^turnk2nGfIfeCYt1gDbWW*iJ1R0${^$@;*Y2>&LirKOGpq>j3t2u5C8-K0YCr{00aO5KmZT` z1ONd*01)_ZARt3lf%ii*>3Aqac0f~WL0E_|B1ST`mciu)EdqgyQ3lku=zi0FGA>7Q zqaag@tJxP>dh(Ht`E{ZUX2nZLNEeJM^jt;|%nc*AB z^Z)B0WEXM_`2l+a;6Cy_l8nQhK_a3!*j^e%Aou6VqN%9l}p6erGJ*-;t!{m_4 zw#vg)l4rfw*@cpa67XDFzMH#)o$*(#eA4-5*+bot8wAl*;wb|>w`@zdsPnqFKi5}X zZNVkx-h)jmAjv}m>SPZ6OUG5jx=w|ukbIfkahix4hME6+%i197Qi>Xbp$Bd7fYcI{ zc>NG0C~^Ajec5DuIr)#JQZ`C7;;aaOkq3B3#V)9#xyX~W_Bu8DF`42ncL4Ab!z(iQZu(Q9pCIIU2dpdZXdL#UiQ_pK%3y%KgI4PkzokltAsL81?-pb zjWL5ESJZ~It=)L#h)rfMnklXij-Pm-e<%3z!{DUg)1&4$Jqb^buj)u{$f?ONS)t-# z%R2g6>+5LKR%-Wt^;d;+T*6b?(ORi-SDsI4nsYHhtM+UC!YQRm_aCNCEt!zF&n<5? 
z&rWau=>>aTu3YGP8hh~7`q8^rXUJ>SH7!`$}NfT42=9jK+Ofb0rhQ9cLq4#2R z9~9fTNU41`HJ;pnUt9wpk^kn>8t^N1Uvks17@{o3-HZy}_5>y312_NJ^5>k48n)oN z42}u@LDe)$s`hs9h9T^Uxk11N!!Rc2)qjO9%o9i6JGl9F8{>|7i|*z{kM_)Nbv&n^ z7JuRBf=1Vs8-}l;9A7(uOnBOn&;~Qy)AnbOp!S!0TB9`>3+&?gBub9?T1CtQy_EP` z82;>P8#t}sb*zK%Mj+OK|J$|x?6OcZB6#fCO-GE|!i@ZdEk~;87mr4$q8;Zw`k&tFoa&cyK}4I@S{WHcGVtwV_uz9GF@v1 zwgnYV=bKYXX3Qh;-$AX1OzeeRQ`k;4ea4M$tL>&C{2zuKcAX}OPr0_OuIjMSTc>^J z;_JLCw>n2Wb&C2XxhIoiPWkZ8`Gt{i8fWQwZl|^8fwQhk`$^|pmzwT1$(=KCA60(2 z!Gp>bc{LB=S>moKd$JoM5|a)cHK6$a3D-Kq*T`~fx098FQ)qp+kHf*KmyT*pT^U-u z_UV*o!W&1FGYjWc7DteaoDt{^M1K!X1(#QeRY6hnf*;kCntWdggx_gfGNoZOu)v($VcNha7^(5>{8iaxUrLVNG zm_+L5N!9v$5xnugvkc6WV!xi%=Sc^lgCv;tTVI;x?s7ZRY4V2A?LS>#u6L_md9(85 zKq%6maWRT@^A&C9)g?je*V@B`FXcfS6fj@<355jhzuK2#za55Q#(n7*?<-anYx*7CC!$*63t(A`iV&tF`l zU8&;tLc8)ohF)4bIalJ$s>F4zMiVQJaF@Um-8yfAR{HMx^3y! zvu%oJYL*Q3G>?c3I$g0$xqePsU|aT`^+T_3JtkVY=UVQ5r1X_CQ@>n2H7oh2VFjC; zO0FA(+`7%HHYUjw=&7!q$o#vctq^O0~ZS%c6fswLy zw0mpN%hCDEeaOp1wT83rKGL2{ez~l5?vh-Yla{_KHjcR7Eu_8bxSo35c2RP5Mc3WZ z!@e&2)q0kt8!ww?#};H5m${yuO&jI)I$Ykg>!x|lrQK!O3?pi2=gLbRLHftPdt2-_ z&PaQ=U;X-3Io-?U$yKzNxweo^4)fO{YgIFonW|fg4qGRzbItk@cR_>U{_yK(kOuRY zrvETL|EI{bL5ya(z4UC%01F@h2mk_r03ZMe{IdwGLg{_erv6=1Q{g}i>>m~{!opK3 zs}-Qnrc^{${~CYR#(%RIt3x6JPGiG?R83T5rpRdk(OwEIoWrkJe`RdNEiQacj)$i$c zl^Fk7HQUE8JUMRP(xuNlY&n8OdFleHm2hVSgZAP(Y9%*~4(t?Qcg&8r!y6VPK zd)#)XU5SbfF5fPkwX>l$uG~$>YW5qwfIRKo7LCp3S%NGbP2*M6DjcUk~)DI4aG)VR>`U2O>;cs``{v~5+&M&zu^A+=)6Ki;D6`QzQo^4d&WnXNQ zoqXW?bo(VuGDg{|0XC3;r_WCkM--*qITYLIQKzb6KuRx(OW$pXisfqC69c|>ICRDJ zT^y}s6G?A=fuqBl`7<}IDs}d_8Xd;C!Q& z@(`3Lo+}}rP&i|6k2|A*k9y2U4939z(k*mYtV-+eN&Da9{p&qxa?xOV(l6c*{;hL$ pHJlrAf7J<5relNGq7!M~S+s;`1{)kYFu$FZR(T}eaT-_M;a{1idFKEC literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db b/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..a3c30ee146f36500198bc5b7401260affff556e5 GIT binary patch literal 45056 zcmeI53pi9;|Ho&{#bw5f+({ZE<=zZ4W9Z@*DMBvQNy0G6{Vu66DpZt8N+?N%T#_i! z<)DO8Iw4Bw9=cGHO7)+;ah%?IXXbg||MUFM|9#gsv-WTA-&)`OU7x*MX6^lC9GBYo zgtJL&f}Fd>l;2n25Y&0WC@mRq97V`zo^OZ?A597303Bu*Sbh=@5L z@MvNk?hRLzmc467cF(RAlccH z%_dGbJ;K?-l2$tu_%G~nb<8u}WRXsp~+6{Opk?Fg1H+cSJp1M`DM*jV}}6)J_Q zVUEJeDNOXnCoC+29Xct4{y}Ce`;!Wjs*yMsDJ-X=g4}5ipR!4T$w+8iYV5R4?ib|5 znVQ)-IBAnSDBL&qym{zx-}+Dt?|}ADp7y;Z3LtlLi%Zs9->a0aP%d!VoGv zpn}CM3}GqCSP3gqAPp*I>^P7Ll>*67DUc480trzmkP?*wNl__~7L@{tQ7N8KIc{&v zAFQl57Q@PVu(BSktOqOW!OD8DvL39g54X~XTj|5C^x;Lc02JZGE`5K3todgsY5IgzC^> zQZx#5Y#L0829u(}N2S3>rNQTg4!5PlYIInQ4!8AW)AeckbVzbMgmlM4sAJf(3^^>aLg0FH+c#jy~EG9FGggYk^-oovRKXvUbd!wo0waKi~Z+;GAUH=NMrh7)$U z;e;+X{EIGh%|Hj{?u9O#@esOt#zW{58V|iDL-u62=Fbqm5XS1VChf2wJ6?1TiWdte z&VsHTDLth9hw@~Gu4S|#YR^6zRF^c;eMFje-BF=pyMPw1&7gzuR zKmZT`1ONd*;J=!{E^j0UiIyf1nE!}DnxjM`AhMZ=CoUug^_G zwf@D0D~dp16xsW@D-;qL7Un-Yj2#-u4%G=|M+W(^y>vZ8!y#>oB~_WCghe@{ad;W~ zps;Z7P`2Yz8&WtsESwY;!JQ0JXHdvc9)+Lk859r@6sQx(or~%Qd+Tsjp=!ENA+50I zK$@1_!F$hMFV$iWXBF)Z&P>_*Jry(5h<7)8 zKK0n;Wu+YiGlQJ!5R?4q-HG=Py?&@_PAPr3HRo&LNXg>UCI;$zp2bO>P7Pdd*#6*U zCevoHpCa9ZYfmrweytrldS)3z#xaKY;n<+@@44LhHIfpKWKh(xIL!pBgpcA#JO+uP zD4?a02Nla2Zpu|D9@{!;xp6Z9=WD zuap*=id@z5}89F3mL^|y7S^~wFXfo2@SJ8 z5+YaMUbQFc^SbU;pN^#Fe0A4D#j4JY*!t-Cz-pbT6%OCeRGzZH45|&=cn-XBTBfZ3 zaWPWS$5KL7&2H(n%(x)R)B|j_qWCx?EBwM<>`P(Gwa3<0A2B_fnri0KNa0lc0$g^c zTZj4C!%h7kv=cV9w`I-~cGQQ!agsXUwGazhUY_IZ*yj?a-Ev*xQd7~eQnT}&13N6w zt$x!wT{X)nzJDe$?}&JKhjh>PK=HjVG8Ub=-rJ8qErPqonk`(<&xUrfW_ zzA;y?K{>lZH?H6*M=Pp%Wrv9R9f~HU|Pp~J9%jg?`V=xa<`sk z6w%R;p!rFabtvi!V%k|kb^490)-<-ed9qQoh1+>$cCu0a!p^Eg4fmIJ&HrTNUh^bE zL&ZX^3Z=<>cr7ly{=kM$Z=M{C#O$Fd4*OJ6E&{a)E@dMb70swtOB&05+`UDq|n 
z*l;M_Pe-Hg5U`tWJATgiD9o|$E`HWG5Kvu#?RyfQx~S7K$ha@LO=~15_*2rI{Ex*S zE6-3>*&;#vD;|8UZ&aG)U&N_2wk&fi8g*UveTL7keLt!9$G_gcsbSl-+()C8qM^4G z=ieUlE#dlMirvg7t4rK+>gzMLN0^Pp1sewU81v($N>2ow~UV?D0GK?Z2murAddcrbr5t1 z5C8-K0YCr{00aO5KmZT`1ONd*01yBKU;-!2mk_r03h%;B4C5&D2e`W{m-|t`TuhS@%i7VhrkLT00;mAfB+x>2mk_r03ZMe z00MvjAOHyb3j`EUOwnKe6`is9|4Rh%<-Z^cng9ZT03ZMe00MvjAOHve0)PM@00;mA zfWY61fE2mk_r03ZMe00MvjAn<=eKpAC< z4D<1J^JIsHyHV&=4+hW3oKcOc`Ej z7G0WGn$D8qm1fZ-d8O$dQ+TBr6p5eGdWKAcKRZU`nPw7rrCD@wUTHcD&nwNM;drI# z9%8)G42tMKrkUKU(Cg2RiSSG_g?Xh}bS$qlorU3*X3@~R(sU0LuQY=qghNde4fY5N zTNf1SCC(jRxc2fgTjfUtip&4nLc*u;AXemmfELY$@fCrFfd8vji}iS9jFvsfI?<-bBR8!@Fv{jg|av zQIe-Ry{UPR4>!nu%FkrwviRRTbEeKar&(*x>>Wj(iOaAaI$SEFeCdp1!G{&m9I_-& zlPsD5CXd)u?Q(AWgthET?ddmFGre`QS>_|j{gimqh;8isLpuCS26irvx}Q%Ak-)BK zXNq?Bv=wf9HfvtRt<_&K$*BH?6b^X`Pm^>(h9H>^`|qyW-iLle-QRE#^4{>8_YF`!4l~iRI()4t4sxB^U#RJVe3jcQJvl)L(8-(&CUM zc$ySw2%0}zX_JBQfo3e*J1`HSQmL3DE3WdM%-0E?sNTni7B3-v+nhX(?)eUNEH*R-ay1HPs~1;mQA95SA#Nr8qS zO~z~CCV!=>%)o{PZ=AQ5t-qWjOinkyDPy99a5_aGZ+AKs^;%v9s|LiGlwWwb z@a~j5y6&N00`8gbdzUg=!6D;#niOaVa@HJ8i%r{nf?VXdu~61fvF=^`hN8EH3q?va z?m88-CHa}m#7S?l-Z5mm`h%AaI|CClH~q?u^ghFr@=_{Qc1+Ao4q1$+Nr8r-Q~j-u zbAx-f3!N#AE>~GU_wwAD<+)O4OdfbGye&*hm*!_O__A#A%O+=2`L=--LoYhA3O$~F zshr*Yg{~@+(78>1IfpFD)1*K{&^y01qHTs#f?ES)w4cg0=BaLci+p%&mZsFci)tB2 zGa5gW4}+>lT?!=?{MrjzUTreJZbgd`lHB)4{^CZvuWnhRwH&g@PbPny1PCw$9k3S} zFx-^9v9?I{^AiO2L&fvtT_JDFYdxPyJNHBpO8A*P=Df6a_T#eoeT8b(r?)7*A3`Df zoL0IebQIh_yrW0|Er%@3+oT{vP~fE)dRw47d+n5B|K+|}&#q{#$a9_NPPoys$zKw) zZ5Kb2U&{jAUwV!og6Zjr%8c^pvUJtdLmA0 zm6$Z)#L^a&MCCW;ZyFG@7mqYtcJ0b_q!wS38r>t+l#n>`mAcQXoo-hg%t=7G6vkGs zm0+55%~(d@kTE<>3N!?@q{yXiiHb-u9VvD)&O}Tzd6^rv%D8BYg<|p5tBv>i_?fiW z{BXwE`MHnI4=M!Q_5a@0zMGYuG(4=ASVyhj*L1v|Lq_v7DbNsPkG`Wjv&J>S`oYl( zli%BzZm}lGx0c;7k}ut}JX!T3nx9GOWEV}#tHmc;rl32DzbTGHJw7EFB(p2nN1^`( zVymAxhm7KBQlKGdchN0vH$TjMs_FLf4D>7S=YGkV&G|tWNR3kuzpb+I<7aZ#krB1@ zYZ+Dpc_e(wi(_eY^VYZ5W!^18A8i&d`nH~XO$zZeDbNt~y7cYC^v^jv8|%x1164UD 
zH23h+_j(PDk5dDNE9+}C_?c|!QPuZOnbPyEH>74cX3m`yLRGYQ)m;v|?N%%@NJGpG ziJ3;@h)m4Z&(XB?buVdU-y}Y~655|RV*W`soHCc9j>U~nY4I2&ilTs)CO1rPm7wNf zNA=ay1NoM^>?)6o21RE&-wx)3S}Q^fu84R}>t ztXLO!7gzuRKmZT`1ONd*01yBK0D&`1qZNC($qLFqhgKX35`9 zkdSOIR}@!~631Wg6*JD-#`k_P>B^jAE1rv(p&}1%?Vq{II68^(@zHepPaiuFf*G^HiN|nVf+#j3UJVW`U`NGHMYm^$=NBGV;uX;vRuUcxH zXj^l&Rt0z8;Hk`-4c`@nDDstIPT3n@Y~rX)#~6=4vijxYasfc@w#xQgLtB;her99I zIi2vCqECjiYPL(}79Y=bKJOs9h2I=x`2zoSFJ0YMYOOGf^>D(M=O6QR*=&)WsvE6h zXM5}QcaDlOPmh9dyz#QLYgDJt)X!`vzIk+8cfOr$cr;>p<1^H%CAPh(cKkeQC!aVf z(zYUhOUL5}nl=06BDd{qnA75z5c=9ZtNljC4i0(RPbd3_M}LL_fNTtUz{ys;#?)zbgL$6r>#ai%`ag|Vsqr( zJtBUW6+b5Tf8V_iuibOerulRcKan)x!$yOFJIyWdLUOl+49 zCnj*niabpUbgRa+zPSa{%pQKi5NTKemUk(#4)bR^Vw;pj$O{!k?a0-6MV7z5lJFP=aUO58DsnYElF`vXnnUfsI%u-+c4Quy}L z>0v;V1t(rZE*25VwQ~Nc5be)?@cG^^e$Nhh%1xjOMWyY5e58f3*`0^V9Wzv|J~)Ix zYFU>FU)7*A)BzIeh|RFkHqF2M-Gzx{RqXABu#IR|{i%GD+)4a|^vY*LjHFBTCEy4t zqGYyY%URR=-`?u)fx6*}JX0NiW$es4RqvJ(awzEpmFWs8NEm6V;ru7~TLEDWjIinS za5YV;))HtI>#akPU3i6nn2fWfPcaku(U<$s4hdKyb?=wmjO}y%`_yHOX5rLLXq9X4 z-!)+bFj!SsdRatuFZW~2?`UX$bj6F-^xZf-m>>Xw*;%#{p{0b&9215slt)^QB_kO* zL8Tz62*xrli%J4740^=dIw49Yu4edvnI|$SLebd!QGHfVlN8%qP>DuInN$)^t3| zD}<4Wllcpd+tU5C&JOnFj1?Ail%1tcilF3|Eq)F??D%=5?~8UCg3R`d$~Z^@{#^+w z@5Uu2LoZ>9fRNZv|K@wGotLIkmTy{_a|C~Y-V$-m@c+`r2~8ZmeHz(YFgnRauu)!X z${pY2#1hSTU865Nkuf6Q+pzEmumL}t0+UKCsq@HBynvooUijr$chxcn4n^EoeV8R3 zvl;f(h_Z7>Q25o~sQU{X!xRPhG(t2lZ>G;ed5+Jb!gAQH;H8U~D{4ym{EUryAmP(t z4qgd{R~3@Zs&SAWWL3TOc&L}WECg!S?9P+lXA)|&Tl5&uKidkS-pH3Kzv#T%?RDl0 z{G9A1qc~RouYqrswYrP>;7{Qv9V9@6dHF6Vt{*-Be+h_fwEh=d8VH+4DCWF2#Bw!x zW!74aU3CSepw^(AM=x&u`g#Nfc*p3Hh{A1h-o`fIAU@YS7Bqi%7BA!DWRCu=aTvqEQ%bSS(M)4|8V_nlt78|zAjCBh zl2mP!XFuuXigvMs5Eq1=tzW#b`XMESBK0^`tZpvMMLJ!#FPm|(y4}iL{q0>C_mO@P zA?Nr4lM1MDGCF|Wb2s5g``%#n{of+e+O1T3zVj0&0f{TKfDz_RX*=~}FAAdhS+r7v z?!9tQGD4BFvFcyfsssf87`1y>X`t>uR2U&RX1gyQUw@FFkvO~4TzqexLMWg#+m7_) zi2+%zk`2g=qqSRRL&2|D)$x~=x})HEHshZjZvXbxzjcs1N2^!kXBeh1B|>6i+D=p; zj1+0E$7xp|ksFMvN|EnneyYAzFBC?vNg 
z0_=C0*Y{Iyb}gM<^nYyE$)l+koSp~FH49~ud9Ln)7YgkugBj6orfUtPtIS)QLtMu> z!Oi`-7yDKtPZXet!?@fDd0}OXM?vfqHhptZGW$`4YOsdbrEiRv!*C@Z24JfR32J-C zJ?yhn7Lnxn_<=Hqc$>I8nbtvm;5N|?v?9}78n(dUvcj~IGPXXH&LNQU7b;_t!(KvQ+Uj2^6bMwz#-C zQmJMBttwq6@|Llj8R)C=chV5$i@iA9!w@ zMwHBiZin>?O&(zTK4j2>W|WfClyV=_fC z>_U`q^$YQl3xl=~xMMR@qP*P}$AT>@%{%cAnr+(RcMTzeP>*)%?}#~>DB|q4qv8>Q zRpc+@^)aqliEE78>Q+*His~^I6X~Wyvu);$|0(ZI23ONhJ7qar^?+f6>rt7<(tYte z<3U`93RaL!M@eKbDosuy^DFv%lYJsSLlAn^S%r=t5i8l1gz3aSM>o&I+O!NfpQn z1IzLNA2p!kmi?~})d7P$ppbGJJB0ldbsf_nrz^xqTcG8oV7ZsJ=-d=xYCt=(h`*zP zLBAcXiIxmWGjUm%tX0~~%UEIR)Rlp#{^ckkyF>kA&O+Z&Q7nSsjiJQdNYszU<-1?5 zc1UtBC>CAg_c^+Fu<+#kJi7SM^QpV?kZ?7qCWvuX9BZUB?mH;2ldm!=Cp6?Y?9`^W z!VoIzmje^f$8%Da0gcmgt=jN@{+16vl`~w8APf$Uc}`<)9)xaaV(dc1vlZAn+$n+MXtoOdgbC`p z*A4{vFhie9M8QzA;;Rw+YjzQ4;zmR$+Fd9>6y@Z9A_C?=|2fb(Sf6`rU=W!Lz$~^x zod6Q-TWe!^{um4JXqdyyZFGG$4iT{jXWjtH&3FHjPpm|#?8#@B@IG4xyXVVh5PJ}Xp}Wzw)MI5SxOA= zQG_Qrs5=fqdwoBpI4h>P8MCr`SeAo& z^(H5VmY{=Q#w(?6P~4FJpH5NMDM2f=-tdoLmISJ4P}2d*1n~=Y8{pAi4Gb5-!?qw6 zKxl1m#JC^^#&K&HyfZ%KwMhOjy+SlhI*DRg)_wC(^T=H2b(L=ZxnLSlrt!hRs(+@L z`|Tj~P}{Ybl{IKIGX_AAViCSL35-Y|$CW^uG{`v1tYeszI@w)BtZ$Chxvexz?xx(1 zcjY3YrX$eadBJ)zGA-d%RP!J0p+U~dI_|8V9teksAUkus9hgLo{ zs(u1=VCa*dTP91KPC_;0% z1C{)6GYpZQvRm)fwQo#(Pa3L8~s6n@{xit_fri9!qB!LQROENoku`aR17!rg9!N} z5kcms8paIm6cb29UPT2;vxxTg3FdyN{=py$brx7yI$Dq95a365a(&-Uzxf(3Od9euoMQCWQ^?^W4p%qE>^^t zjcqvC#t_>WVH;y?V}fnGv5gP9F~Ow}!4_9UFbxJGI1Z-5Krk5wg6S|2Oo)MCN(=;( zVj!3n1Hr@?h%dGkHc!w#T$w4bab+g1%*2(MxH1!0X5z|BT$zQ}V&Sz|cr6xQi-p%R z#B&YtTtht95YIIfr!xTX3kS!iOqEW9)e zFU`VBqnUUSK|!nx8z;p^uw%1vQf!KCp^5b#p^0@Nq3Jhla)-_3A56R>2+H~l zH^&ESjvvPx@$2mk_r03ZMe{Pz$L zrHG*?Lxal+a39h$7S7L=zaX5u!pPTtr~#WK)Gk76mt?TUU^UMjT0C}5~tx4aLC_ug5a=#03ZMe00MvjAOHve0)PM@00;mA9}ysv2oTMd zyhaK_%o#I~X;hLcnKX{GfEyJ}j|>ZordwHHAL^z%g+)d4BDwRO9qIGuJJKV$=uT8r zKv*a}8Y>zVgU%Hf9U~o)G18%qkq%{ybjV|*L$W8Yk%JIRhB-1raJ`K1>-7gO6*n@L z8%g)&Mn*>w?NBA!SSaD+f5`^~xCvedn@G09zrZsjyWvzc2`qpBAOHve0)PM@00;mA 
zfB+x>2mk_rz<&?{5t0nFkFc1AMNC9TH3Ihy4&a7H3r64~nB15JDljqfsM;1aB050A z|3Q}+G!+m4 z1ONd*01yBK00BS%5C8-K0YCr{_{S3%icbh%MWsnoAVH+T%hy}qH!@m8m_vn0Y7jQJ zLzqqxrjxN6g7LpFha}7)s*>zzQBlDLf?U0*fKXmASI;{*S})W)go}v_#{c02xD~F2 zi{K4t6d(<5gTvuV|9Ehqfq(!Y00;mAfB+x>2mk_r03ZMe00Mx(KbC+3i4A2am7fk8 zID0B>XO)?iN8!}u#Zr$2(-W}V1!0WV`juDa2Gl*RJ3t{i-*x#uRxsND%cYh&&a<-6 z8Q*D5Jl`%_JQ%UbH;RH!AHZ@?We$e*{y5)@;~_5>evw{K)D}+=%m$Drv1y+>t^`Vo z0*xn#UlyyQCQ??TCRo<{QC5-VBqh}do16%8Yov@vAXy{D9-QywmSt+yU;XuJ|aP->8!I`_gVsi z#3_W)e=G=5mX|=kZG^!zVzAI}1Ys|hmtY$rYzAAnI|fJKLuwf z+wi(sF)#jk*lwa@oSAnrm%7ue@2$Akv;zkMRK4G5+<2^zu63@|sq=^tO?`zkEpyiO zPKENYLovx4-jL^+KiZvQqhc0VyCz%|sZ4J7$hkVW)cAVZw;O8*JCD{JRh(i^4eDX~ zmAG6f+)(EE|h&`XUng9x(`Gh$AcPU7Uv`Y+nav+o~2 zabM#$?@}u-g;zZ_uu;lyulfNA-2z zSzY-lHM{fY*rqQmtz6r(M)O`jZN+`9`74k@LQG4XRM%2U5~&%xxkle3|HZ8}>W|oc z&TT_{0(k}IW@NCouaUxEF!PTsf6mFsp$n!f$=1bQDCmEMxi;TwK14vL#*G0s2!c>K zmys)>)}J47r)bNqr;@h~I#jmAJ<4C&X>(R1BdNA5yk&OcCiQjX8#>E63ZX>Rb*z(#Y+ zk~rHF!7%OGj@~RS^|G%Lwl@{`8(d4Na8q>Wboe=&7&Z=0+w^lrP(`!#G3O4Eila?7 z@3ueb`Py*1ce`|Nm-_9nInznkA31J&X4iA#RrjTL=iAdN-2I8x1BA|ET}v)U53&ez zb8i?l%GC?7zB1{+>_xswY1eaZ)*sM*V^?@K>E`^pEc?)IyU1M|-tQzEklzj1ztH9` zVy`;S={1?S|NGfe`-tZ|SLqe#9$aQyND*JHdA}~cq_GuR!tZm<-_snLoKjq-N%r~^ zuGQT`+c0a;&dACx=)=)bC+ z-qoVIsN4VH9etB;f3du_+lYHEyDnX6S<9W%%g0|!e)A-kV_@BX@bnVW`j|V;YF~M^ zCUdu!bnwL{r3B66S5lkHt1{QtCrq4BEAM$fg@4${J|Mew-2LoJ%M~rpP2PD<>T>nq zGLw^pMKKhuYtER%7=5oNqIc35bnMT)#fA7p;s{SFH`0q>jsL7?^Gweyn-~@>f z>G!^Lz~J1)xWkz_I#(Z>KKMm3sj%TvR&b|DwZo#E$Ay;+g0}En#;s>UE3rQ(c7#nj zs4xA9g418_O7pEz%9tztw~rf9-ztu}rsqQ6O8V5djsd?fde<+`iTkm=7k}ev6n)j9$CL_mS!9m_+#kzh6^tMBY!_y84RB7K>F+vch+q zCkNHKQGJj0zp}pK8NWDVn!HoS-M0?1$M;?vD7s*v#gbnXotin%Y;{nk$G8*6Z|N(f zhXe*>`=@vr)?dD&(%jT?MOUvj?k&$%C+)`~(knmBet7Y(^%ofZrakqi^K|+aKFp0% zJhnL8#cBLYW~um@32)2n`iq|L&zs^fAgV>lk=)hN?J_>Ccd7aw{nX%m$wZ&ZOnvQc zX9ge9_%3imd{=3ly1!iEl+e`g-nE#;8)SHhURKSWb>luSI9+mWu4~@4U5EEf75Gkl zL>JM)-j+&})e%*`is0$8{)eZ_;XFOGGhkEA^|8$-ml}W5y5PCkYVF*{-kyCI{1xmc 
zE?N4t{$`SXi@A4eX4%O}sm9r=7CB0roZ{jJ*tYIUG#VuRWcTG6E$VIzx9SOTDbheVN_y?(mG-7eQKX)u}{y=397J0_gn<~$TS`afWqCAU=6n3{2%1pR% zrjL4C|L0V_EY>CIPWH+Nu@;2VWmTLFey@Lir@7^9HBZ-L*G%zn{=5igaJihq1@~z# zacUfw$Z$78ejng00BS%5C8-Kf&VT7-ypQ%VbaJ`lapZ+B+(xvqskVvo`iWi_tnnJm7>?M&nMOeM5pqlCV7V_y7C5Y&7&sKx2fW!_oPHZ(qZ+cf+{$m?o!Biw|?cNnsIk4!`a-NjlENSJR&=!R1+#Z(?#z- z_SG}iY0_~IjyBkG!?vB4)%9~5r9so?QB9YoU&uEb)yj`0-w6qO7X%yssMz#Vp4j+O zP1>&K6^kbvc_$LQci+p3>5h&s%ib4xStPNn`HJ*po8~SFL*HWM+I9dcT>xQ16D=%slU?a|toGQz|^PCN?ixweRM1 z%6rEh8J8ntcs04)CEJ=i6KWiljh6PSd6y_1>`>TZu-kXH@rJ+Q6D^qa~n zHFp!lO|%?wHW?$D>K zTkqssA#t{XbYk3TOH0fdjlS2TK4L67_U9gujy%0r$Q+5w_E&*(L5o#u;Wuz(k&A@&3RrMn>JCB%4JXd8_{c?;K97 literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..ab1762634ccb5a0b9a25ed5606495032285f73e8 GIT binary patch literal 45056 zcmeI5c|276|Ho$-!z^ZyeH|0Bn;A2crNxp6Wr;2#W*8#7kwh_~RLBx7N}IG1N=1@( zX_cs?=xVviO=&N3e{&A5+qZjX=JEUMcfY^SG4na^bKalN>%2bCb9`n#a~{k>57%%m zhZGtUAI0L5%n>pOBobjmA|Vh6-1w8ff)_NuM2*ML3i+4#pF$kMlwu`K{DP3edLr;B z;ze9DE(yoL4q-j9=l-b?*bfK*0)PM@00;mAfB+!yZz2#WDXFBPf#ex+S?owo6o<>2 z!{V|g)>8JK4z^wnBrjV#R|nF>UXp%z2+7@Z-h5k6Uy_T1FUfnsJP&UNlG_53z1xDh zuJi1@NS+SvuD13L#w7mx)hO!Nie_LYg;uiHKqA7ULpUoE;v)IUKvp6*2Hp;w&<~_e zL>N0XT1iP8xfrexyo?nd5}lCX9v{A(#pOtjo13>_j)M;gPC^zYE0FYAR0_?&MgrFO z1=fgUu{n{GRnR|Zz{#I9%njzE&`N6B$iOk%iR=hYFn3Zz;s=d{vGh+WR0`F=UL38Y zGSQpxgoH#+{G<%(2br<#PbwBvgLN~Il1kdz$UJ-aluZguMq=YqW2bF$zbGfp*3Qk- z%b3KX@Spti#-j0`=1>gpfc8+KT^7)$1+-}aZ$ecp=up9c3MN!chYAa*u!IU0RIvGl zB`if5D`7zgOzDx zF|163m1(dt4OXVX$~0J+1}mGxt<2$8=5Q->xRp8FiV0_#aFz*YnQ)dlmW4H$u;z5Q zCd`Kl1ERq_rBR@^G`OcU*e#vHUuaZl_jm~Dn!~lt;o9bKZGIB2GFB0)Lx)MxDbTU$ zFey4riVh!@4j+{cpBDz)mI13VU^NEZHkiXOr<*e%$?*`<9S@<7jfc)n!lGVMBI87%WN%8zyc6om&cw z9jZ$=XTsMl&CSA&>&Uy)2?+iVfq*~|&nF zJtl!07SCDe;Y#9i61b#l>yq%}5?fuJ*vixLTAfW}ZAK}M;T;8B= z!a164Eq$LW>G!id?6sM@5zY+hmx?#_k#L5y!&%U;M)eoF# z{h?*G>*$GAo5};C9-Il98ELQWk4!Gsli8ZP|GMvqnf>l>aF~PAcBd}i`BE=Y7)J13 zxBl`eQs+BQrDsR-?)RPi`mnI>L?b7k9F6n-u65e=SYgMDTh%#grAAb>t(r4O>5@M4W2YXLTVrrPD!Q;w zbH4K}pTXDNy{Sc(%cIJRrL1^qrpu#rG(NYmift_iKga0QOrIk`DVN{Dm8|!?^XS@3 zPb@KS)s;Avq{GzX8XzQ;GRleMEWM{hm+z=AS&{A=9k^f#YRU)z+7xf`bgX zX~w`L?$zldvO8d{` z%M3r`4YnBO4x7IVIQNbh>9}Nc&T-Qj%5Di2wa>*C z%)op=VGAzq(!e{!l&r6qRb4IaefEIF7spJGg~`gRPs%C%vc*R8>Ig=`=GEap%yZ6F*$+$H;Z8YW zL`b&p>(+Celd?`Tf*$0(TX`E*o3MAyv?Ghtr*978mA=ivUzGUt9Pw!Pp1=3qKh$iT zvGUXF==|1IJ|07!PKg!yW4^NoTuDb>N-FAY@9fjkLJVX-xKa7GP?Gp0rBDsopf(sZ zn4GPdz?2O*v36E~(cyzti^A;j!7H?_Ty#wiG^{a}+04y7apB0vRf-a54XHhS#dS$8 
ziA&XER(S4x`u;$|n-eT9DA zs*C>KxAn_Rw?*5x$$iyb;QPs=#8^jfr{kFK2LB}ny3UqPDRb77MyZ!T& z=TFw&`9=Fuei&8(6>Jlr9qi{)6mGPa(W2D-C2EeJ%9W^)uXTDSo*o;hJG#azHLTOT zRjL_Ty5q@QUyb+B{cGg^_mLe7LEzt?=Rd##2mk_r03ZMe00MvjAOHve0)PM@00;mA z|78Ru#ZegOGxV|f{|JIO@?X|L&>cVk5C8-K0YCr{00aO5KmZT`1ONd*01$u)h>IgI zWAp!q2;xHk1rPuP00BS%5C8-K0YCr{00aO5KmZT`1pa*lbj952mk_r03ZMe00MvjL_k~I2_yLbNSDr*4kw_buMnn6KbJm$ug2#~8{uC|J4@s7x9|+SB0e7P^`kP_0t5g7KmZT` z1ONd*01yBK0D*rC0ZnmRWI}jYU@#}18%SYLX`IjyM&Q^Nkke?|0@D&( zl%}yP8Gm+6QDE9aK~S2_kQbC@u%`%0v*~hz(hQcYpfr;r^Pg!d$9%fQpB*C#Oj{5H zrP&N=L1_jXFDT8X;{>G{EUch3lY;pv&7#toe|AhtVA?`bP@2s^3raKC5`xlfI!aKQ z!4emgW>Um(;u@G(RzgBjOnitme@IeB+&~a_5xx<;rE8>d_)y$=oH{lM(~dEb%9ea8 zISai_;)8@6>M%+|JV>ljOc5E!Z}5L`;gOXkY%}B#Ka5;|9Y0tUUOL4ejT!$ATL}Wi zjbb~wiKoy}q!oXZtf|PbDcq-MSzDARMZw*3`qqLw{bn>VfJa$v@tyx2mSRW}1&fv% zQxU`bHAaz4PSq~?Htl}(vW2qeugy=g(O5KNxr3kC+?Tppi`)0zyTcEd|pU30woo{!Oxn9>~mm!rj% zJ`tH}HyVVQ9MF`V`=-KsFz{rTzP!ROckjsF2$wsmmv+I-eE*J6YfBzkL9j^+5lqT` ze%2vQyH}F2@c5Lj`3$jd)!YpmHD|7x>JYuv$NB*Dm8AktH#f!Ia+n!(P*LUE7TG;+ zbdC16`zqUQD|{CX1a$cl28f9l1Pf<*0{^v2l7#<(;?R zS;NXX%SYA=Guf`yp@O_5r65-KeOgSvYQ*eFE%(I1O}ty9RasJ_z7KfhDFRJ0*dmy` zHg8s^xw?06$J0QQ!fNqLy6URxmG4z7e*JvVidgDVC(LB-!Cl(6@l+q=w$$q#cL`kC z#amXk6qtQ&C&yMzRsExzN0t+4l1&%EWU7Tx>1m_+J@QQn7m{QQ(!M(v6h-KecpuZ2 zBu7?7wh1$t6|G{W){E=Onop40-8k>}UHbWX3*Y8DknU9Oe!safh)0$cXp$ky5M(a# zF|j&y&&m7L$_ptu1uI%UluUhke%RD%N!`*Og|0ARCU+;LrO%-xd->aF)p%}fd@{}K zoAT9jzwa`fx#HQoOa~txSw^5qk%k~w-8)x`7dfqqZn}~?r7hkQT@oq(y6niIt)nV& z$&EagFq4isOa*EB1zGP4dM_HoZyJ?Zuq2n>JcDU1j?mT#s@C9*koZQZ3_D2H!Z$-?Y!^$PCJ9`%fqA} zJhb_$ZGT%R#3-O8r->T*7EC(YvxO* zkLdEzqP$Ly-Nc$jgU^ zcI~WSJs>Mq1Q#s2)K}kIoSsp)u3&M>qKJ3GOxEs0^f$E4$T@%Is_W7x+BL5W%Fb2l zM^D|0NXn}B8(PjI;{}=&X$YEfIl|_;y4Q@`t9(DSVXo}Zwl0XY{Mg&~sYYuQ8EJSx zn8|(foVpN;%kP{cY%Y^Pjs!K!$s4%W*cg~ zdB>a$O?hOjK$9X3L1^p(yOb!g6NGg;EH!&Jr)8%cSzMT~P_5>2okrcv4+vonh(;v`^xu*kiNP$`Vo4YeZ=006xABOPUeBp24CFMI#S1gJX+NuZNenSymWpHcn|l@;TJx8!x|nCs-yz*Qd*x$; zR32ICXOlln0z?>sHf(utt$cxWAtk85{k==^>ZeLarpmoR8{DpJ)jOoza!;7ay4}aU 
zO$LG!jq3yNKQVLh+0NeDdf})AHu@CeruVSw2Oe2cut`ydAl$AlO|6vJSG|ql-lR^9 z{=gSP{nGo77V2OJX6d>%CyQ)1GD1H5fUk#o|ONMRT=nJ_Yaz>P-M=o7&^JFN0tz1Qlufs{7r03j(l5d(oIxna^}{gmT+F4 z_$YRBSV-^rup>w9g_(R=7_jpJr}h~(snNglQEYP6(SZG>ZbJjkjugr43#oJ-870u9 zNJCI~wmrhX{}eK|W=cv@h-`Dd>tH=0Be<$y?}usOn032_nRMJCrZ;M&G&u0q#KB$p z*7J{s-h?1pSxlfwk%l1B z#eBUd;jMaw2M?RpZ0>z_&aNV5rJIY{9QOXS#BWY6!b}El-L+wRWp#U)+U}1RjkULJ z)v+*~7O^(Uo@v2(eNXjbAW}ku&Xby$t=~SKO_cNeq*+}WQPJeP{6XvQ=>wD*6n!*q zd`gR#K#EgTQ1UJ`O!*wU;ze7CiH6ZdmWt&(CFms@C9{ffD5Z7q){SoaQAyqDXUNd} zAA@Beh>Hm)39{0W_!j(BTpIQve-~H)0YCr{00aO5KmZT`1OS0C0z9(zPj8)nyhSX+ z#P}FO_fwFsQB?Ag?_W=y*CR!i+e!NS>ZC)@1l(L zqwF>rlcQ5K7ddappMlYCCR|<1Ba;N16y-*X7_lsF80o(-;eAe>`)`lBJ~if2Y!x*Id+du*dT;mLlT_vEb*t96mGS5*^Ol|DX=_Q$9=~Pv zx3|kh0O?$Y^0*t|W3X(!io|Hil_%-YtuNx_pZGEZrB|d9ABHZL`LlWep{Cpqy`>Yd08!o3Pv~G zt!sWBlZO4J#{I?ZDzD@lS;rHD!Up_!WOczNMfs?vrS$IOO*2D_7pys^wtv8^q~6&o z6X&g@pw<}XA2TvPN0`YV%1wvLu=e}cVyCT-c{T4fNwe$WEcua{DymCRzgeM+cw{w! zCPn(F#`N7#f$kq(m6vnc&-UCmZA`A1w)D`N7Yy&GgTn;d7@;>&XH{GeUtt|Ka^USJ z!&|th&d^W&%(}Ce)VJ!3#oL&!kl~S41)3D;qnf}a1&zg*wlwwa+kYzbTU76}FV9O{ z(=OHeqDhySh<96sk!)_-*#6s#dok~)?JbGAz4xO!I^~e*BWJtnHn$5G>aU#OkyQkm z6zQWHIVNNJiNv$Y$0)s~9Aw^~8%mLi0pFO4^XKz{V#r_P0|=lPay<|Ue-u3G91I`=6ky1efEe<}f3Y+a z13LOo1S-IQ*8ZX;d;s3xH}jta0A&G@{&xd800gA~60a*{1T<<5QQ+ef9N*Y!NS_#GS$g;4x(al;nZ*5}XSC6a zcgfS(Yl&)0^*9ezUV;HYbu)i9V@2-`cYv)Qm#=pXW3 z!`Dfy_5Gth$kFIJ`n;p>dAt@jevqQGq_HA;%h-!RWXh&j>?JR(+V1{%t5F;F-mrFS z``T20(|DVhb?3CiAO8SFSl~)`MF!gtB2_C#|dOHIVkFIURoEoUt<%xjif5@x^;l%+tSZT$*OeG( zq0;JgRzPy}hiA#5jiN-#h*run>;g5R$b+!*e+q#hRf4zofDUR<%tvQfAE|mFQ77Z zEN#R~-DGzgh-+gMVj)?~Hq5!osB3olCGgHlMLo;7*&$kPGt&?(##x^>cE;dx)=`aV z{Q~X8b|Q2a@caf)Y^3{M$)B#632lcSAuC;YuBihqrAD<*P!$3BOL7O3Q&R)*MggRr?`M zQ;2J(vI1f}+>xY$`9iOq@T~smf@foK{Y?hC=h+w$8;^F!OOGA;-@3cuEoh3|GDM4P zkrFyS+LI`ps;$4XSxh+4yLJK{9BI0kX`>RJGR)|n_&h7jjZV4}ro6eyGXqP(7@ujs zb7N{#@o?+igqR+LjLXVb&wQNf*F9J^D)F-Raehh>2O#r5$o9~ZV}`uJq{oUQyHNE)N_5W;fbgvf8e)ASCNnC)CVT;h&{H; zq0W!243Nv_KkBy8c$(m!$R7eV(8Yrg8dtWLWw50e+D$61Q?nfL%_HTqo* 
z44ek^wuV@8s8FMuqS$6L87Y{xyfhEdsTL$l$WjO`6OLmuyOC8X2!Skumv#fsk4yHH zZhqg-p|=72b=Ws{SVrvx8=_>V zlQB=(Ys<9^xB_|iwZ~qo^n#uKNn$7ZX?1I9=G_F(b!HeqlNT&2ui-gJxpbKG-n{tI z`G+*t=fL1(P>S5|3yR&6M1B7N*elOzq|eOsF0!s;0~^d9C&GB4BIQJ=@$^#%!mu)V zk15d8tJJw_{$cs80TE)nle^yr70VOU4U!+-^uA~(gsl>I$fW#pX8ZcX`8ltKyA7&& zXU5T1fvF+CLxHo4Yl8rcf=A#F$CO90G}xR21mmR`f2Kt7tp#%N7CyM+mK-B|CZe?U zrJD>?zUDm0;cF*R75+hy>4}tucuUBLN;$)o?Kd7?kV{1Tl(q6s`Jf*+GZSCMNmvdo zDodi|5z|O7Y;t;-5O2?U!i|6V^O2qkj`6!MZb&jHdFkqQXRQ*6vd}r6bc5sZkeK@u zyj!L2iqJeLS+U{I+gPB9SNK-uEt)z{D~Ky#^!FA#or|8Fw|V4EfYu6n>3tRvNR+rB z9^_ut^ceTCTQoLJXNH5{MTyN)F+Mjs`6|jE4xZE0?66ZGoVa##nvMacv@Ov~@FUz! z-k`OQl5Twb8jzAF_>JJ1o~a+{?E{m}SDXT`L9j2iN#0Nlq4NI`TLFep6o?@d{)_ql z-UATX|7eaBfM0+C9zrp|-T!Alf`9F&CvV@~U8w!xU;6RvkY&-y(js$%gatovISn!E^b;;{w+qY@o$-*+NaP8@6qWnAEoO&{}7jXdp z2$9v^FFUQoA|^v=xLvatwj`Dz0={p*k$Iv0d1t8{MSctEsYr)bx(t&YL}kwfm~V7o zo>q0UE?;~iF?-QS9hAlDmv{E<2)vRq<7kkgAZudPCvIh4dE;_0x^}?u=QJe@NMg1A zPK1L-XJn*$r&Lbw{R-~hYn(l@V@bU{@#GE14uXSu(}zlJ$zq8XQxL*z*xp}^juPL0 zE$5Ifw4wq^8Um?8KrZ|2bt4~DYr80l4bR&e-MvllHY)R)RIC*R-85RTtO@H#9mDl` z8|vMWpy2R|{wSuZRWCftU!qn&MDR;IW+?D)#+3IW9<-_|UKR5pds#^888r{C!!@MsUKONqW;*aa&(YGG(iW^)udSB4m$ji${BdU1B)4wlu@ zWyVS9;#m&;ARaXeHXHY8JdmkP)sf|%fPv2?w9qZ~a?`EdD2IRu?a%&00wFm)Xo8m8 z9zWwrCXA0yb#|%&2FFt0%Jr246ce2v=|*cxN?q@M$ceOh(n&f};94T~+1>T29m5-* zCI9hv^wYL%x~pw*cn27j=gw7JVgO6h?O~Ndvj~zm^KT=}$+IPkE>p@RhU^#vvptoheges9D8sR-`GVD4Gt1R zuwEG7hu=h4$5XhYf(8Du?@Wlx(;RzPYPXs#R2;Xa2jY5$v4G(6CdWL;}TGAwR z&IpuAB|$2#0gNZyl!eq90WZn8%6Lqci1+f=sfnzf6builT~COll(_O9p|~BHvx|t4 z3MNZuc}W|_6CdZ=T*9@G66%B(J$_RZlD4Zi7 zEck}L)HBFfFG52{|GjBO29Ydu7y;QYee1QYLFC(%H2$$4vg?aXVI@<;sZbFp2b2Uv vC_q7g&qRm^q$y2a!92ruQc@VGrKdep#J?sVYt_DoZU=NKP#(DHi87v@kR@GB-3fF)%fa z66ZBBGcYkUfpQH*41|~%+0YcBIfJ>0k&z)cx-<6WM&pI2r!*dm3egYCR+DZEcFbs= zJLCSW&CW;U#5aBOwXHll$=p%k!bPiXhut}MT~u<8-g_X&?EdN?ab}a1JABr;+ig`= z<67*aH7|L#+SOR4x3|MWJEoZ4vY)6nxx9MOgT+t(bDezlrzuZUzqqQ}z2kL-Q>O0U zHbEu9KQFgj zG1J5K+BS|et`!}!yF)I0+pZ_l{^ZHDOBr?gx7Y$1Zp_zSS614#>}BGLu8NhBoGu3M 
o9tXbUKYKSkd*T+M_r-Y*A{D@~ literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..0c8a303d1121dc443d26281cf1c9d688ff3613ea GIT binary patch literal 28672 zcmeI43vd%f7{~8&NlIGU6s<-m*b@{R2FhOUlC%y&9|T${l)iup7}E5hv9+;DDh!I0 zj8IfS%S%B~5fl)q$Ws&;gaJXFD$IytMXFVK6fIO#1Y6wQT+)_N2M5MM{cdJA|9$=U z+uv<6-6TzJcBacG^Ap{k2OK_LWTF|CWs-TGVHgglFr0#y1`BntfFId*`p+cCB%r$@ z_2(IFcq`Lcr{5c~FQPIc85iIJ0zd!=00AHX1b_e#00RFwfn=@LV2EQ2TxCV_6laOU zRaEBnj;tswbveV*a%?GiHa=s-VA~j;w((gb_)t3^?+}p5I8Z|!@~K0qqfjml_0V>3 zplz2sh{nNctsyp!9Z$!5D+=$IoxYHRrh|jhdbx*y1Y-)PHFOQG!{zl>$exgix`Roe z@p6wu!B~~Vh8g1G*m)^FM`5WP8XgiV#V0Q%HPhCfgR6)inUgU*C8vNNW-H+HM`UE@ z+sF)QStEvIW~AluDXCdGd3|{Y!b!l%gp)`#tspf5sY)cpL{dzoMbafvBAJ zmPoQBk~v6Lh_fVWg#tNsM8rctfq96FfQXHNh>w7Xk${MkfQXfVh?jtfnSh)mSHcU# zN1aUpO`T2D*+iX9)Y(LxP1M;$okcoIq@zSSN~EJiI?6&@Ewt4_TP?KJ5@@BK7V2rG zJt-f70y5E+nh+UlqANAgXeER%lR&B!Nqj}xTco{3+8a00E`g4uk3>mHh|DcfQW7O4 z(OD%rt3>aMnT|D6H#2oJ)3Hw3EJ~u8SSphEDv~Trkz@u%k|ipVtW%K$pdtyyfTU0q z**1*gQEJ&oDx|~{$-PAsJLxNl7P@auNk&1XHQ3@V^x?__jk@x#xMvK$$bcxRFL}^tnt!X!P0MAOSD1TIvM>-0&~o`| zuCqB$_WF2_+wJ4iQpg8t{7ARgH_0RCW@qxbxtY92#s#m}d9Z%i^f|p|skh7?%uXc;dNXqp zn3#?XX2eJ&)W5v`9)!!RFocV^3V&4Sl|2v19=p?#;Pm*ApNm9(_NSLP6|2H4Ly=lt zpIPa%eu-q+2n}=fw9u`FNPGYmOjbd}hg9iaL!@Luk{~HXlqw{nfr0yBrT60sZv|Zi z@02}0FJ3^;_JOk+hV!#}2G@tH{CLS<-}6w{vPpOEe0p7>nmbZe&ZpHSn~&NyWjBUx-uTIo)}<%UJZxF&IMt>3hh9hA!|&!k z`ZjaP+4M78e{OoebR?hoq z@!ho3{pa(SzjU;0X4UGNJJog-$1?1SXcUDyW70itRBI5& zvX|O3!#5i)&4R*nvm8-n`c^{#cd&4QqyLQA6ir zi{78uEp_)D%XUY9u)SqM(l%yvg(ki>n>=lH-DUKH;*&KJh-1< zvFgM$h7HFNs`O2a{yfg$0s=q)2mk>f00e*l5C8%|00;m9AOHmZ3j{iGYL>i%sS4xN zI`S@F;QU|C=(p+1{|gI*H2?u100e*l5C8%|00;m9AOHk_01&t?2nf00e*l5C8%|00;nqe>H(H?gkeBUWqE2>#ghX zlO2Kce*>d$(4Y8MuMmO<0zd!=00AHX1b_e#00KY&2mk>f@c$-2zc66nB;6nV0O0TQ CAa^7H literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/server_ca.crt.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..7724801ab7b783dee9780314a10c797f4b0bc203 GIT binary patch literal 36864 zcmeI5d2ka|9LKZG(ez3HDG_PxHsC;!|0O4vIT4=e_O`Bq|rI4h6h(J(4 zVFb&_Q4To-91a0Rkr9+4!f=d?1%z_QcomWA2*Pm4<-V7Vfnl2VU&}8udHL@9z4zVk z`@BusZD-mcIRi_5Zn~txQ!e;uPS#3BQL+r0mdRvt@fjsPgAbJ`6u|@Wm3l}wCgrjo zs8^i!mP{S(ki{yr`(yUTOo}l^UyXJ|*EBW>`hfrt00KY&2mk>f00jO|1j-^Kb$UJJ zf8Hm!%G~8{pU_+I3Bgyj)nT*b+UQ(M=0F=A?4`Su7Sq`d`yh*>fF58gpz{XXbMkC- z)?nJ2HMq|}yET_~*s=#&thR2n`2A`*6L?{hd#Y7BtDcgTjw^Og_D(1hi%y}^S3!=Q zL4PL`R8g5Kl}?vLjUWSxUJ*)*$9cWkp3;ee&mAd+vk&fV%cn^ZM+gm|y9f+olQWdW zV;J!$6I|}H&=A!l9;En~2bbJOq0)6oqMU))m9DYwB45Zu`G|)%P=3sXK}@n$uF|y+ zuBO!Mt#o@rHi}1V0@cS{%uMo}G%8Y;ltj(9k}V4vgj9rN71*{=e{(j@l9}bm?M4eo ze2V)fu;P=$nsneE26vh9p&1{V$srzM=5b@hjR`j?xH01<6*mHITw;?-tWcmOjtF}& zC~zL^!XRwJAnd~+Y{Ve!#2{?NAne5;Y{sA>+)D8R`G_+c(8QS~&Ma|ei8D)_S>ntR zXO7I`$SjV`;>awH%rcRxiBwIbY9durph`SV#50AABzzbGh$Sm!5uVGEm9iu)kHiPd z;BHA`Uyh9C$Y_p?7K>y^U?3jD6H+|F=jI71o{-|nS$T3+p6rW}%rz1>BXKj5xkYXx z$8$z(DM{=rNxU#g;xkARFHw?sosz@=C5b5pB!MEy&@_Ta>J3dZ1*e%paYPx6Bg$YL zQ3m6PGUzMHU>s2feMR|@FTQ5*iN#)g;Ybo+J(9$ikR*#k(jAf||4DKo1jf2Taa=e~ zu~9(9E<)Ul_ZAWCcr4GE$aTx6CUX%gUEid}J_1AURVNeD_}*TPzpBLHrWJ1B0R(^m z5C8%|00;m9AOHk_01yBIKmZ7|R07d>VQ~N7Qnwe@1q6Tq5C8%|00;m9AOHk_01yBI zK!6Z{`+v9)fB+Bx0zd!=00AHX1b_e#00KY&2()|xaR1-(_ZU_P1b_e#00KY&2mk>f z00e*l5C8%|0Pg?c8UO-700;m9AOHk_01yBIKmZ5;0U*%w3Bdh-%im*IArJrpKmZ5; z0U!VbfB+Bx0zd!=00I2>|J5-GGVLnOKbpL_?Qt=&B{BQN4tM|oAOHk_01yBIKmZ5; zfhUZB-=J1nX10-eOUF2i+#a738IiGsEh!R@$iMzdMgAFRq$;ZG?0&Ov#!*TQ%0iaV zVJzYmw7pB8r5`8NMml`=bDmR{cqG(K-2*jN4l@wGk8*LD48$r4G16L_Mq( z^z6E8ce=KYPx>n7mZPq&c;1+fRXYl{j2oZOaa;PxvG1+&8zRGpG&dt;>-=TT^lwmN z&GDZbuGp99drqF%kUqCzVbx^K=?^*onx;Z7w@tMVpQ_&*>v?Nhrxd#2rL10D?8akj zH&^t(u7ADrWxqicHl)kgjF7+7x3eA{Hg84rlsk*wOsuYa@!rc9mOWFmkKz+nxQ8CT z)KthTh1OYP=F}y+YBR2XS36oAXL@iZ|A!-$>#tcZuCy!5{RU;&kVaQCLJmmF9k3}& 
zGcD1SoA&ApWh)C$yi+CLx#_t4r1LlZhUIgb3VBz1`o7_fo9m8dK0A?F-sbDMopw8_ zJXGtq{RwwIb1dlLHz>k}bn(pyxun0-a9P-O%N$=)NhCg8`6ZD5pv?m?&Z~^$K1bIzUzeZV8*pSWTSLPzC3)G zT3tWjMtoi8rb5mf@$Rg4pZ`89Xfx`4?Df^_6Ml_r8e7+pfuD)6(fBF#VRQ|YOiSf(ecdn!*=$~ zHJrQG?lnzG+5Ecd1Tl-E)!DhHE>4g!dpuF2qO=Roj=;bFS8F@SwAZ!0v>miNwUf2q zYnNyXp0JO4SS}C%0zd!=00AHX1b_e#00KY&2t2t2o|Rju#((su4qG-yhAX>_s&Hka bOBt^0;uYb_MnN8~Y(fz+a(z_rCkp=p>@ 93; +} +elsif ($ENV{with_nss} eq 'yes') +{ + $nss = 1; plan tests => 93; } else @@ -32,32 +39,6 @@ my $SERVERHOSTCIDR = '127.0.0.1/32'; # Allocation of base connection string shared among multiple tests. my $common_connstr; -# The client's private key must not be world-readable, so take a copy -# of the key stored in the code tree and update its permissions. -# -# This changes ssl/client.key to ssl/client_tmp.key etc for the rest -# of the tests. -my @keys = ( - "client", "client-revoked", - "client-der", "client-encrypted-pem", - "client-encrypted-der"); -foreach my $key (@keys) -{ - copy("ssl/${key}.key", "ssl/${key}_tmp.key") - or die - "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!"; - chmod 0600, "ssl/${key}_tmp.key" - or die "failed to change permissions on ssl/${key}_tmp.key: $!"; -} - -# Also make a copy of that explicitly world-readable. We can't -# necessarily rely on the file in the source tree having those -# permissions. Add it to @keys to include it in the final clean -# up phase. -copy("ssl/client.key", "ssl/client_wrongperms_tmp.key"); -chmod 0644, "ssl/client_wrongperms_tmp.key"; -push @keys, 'client_wrongperms'; - #### Set up the server. note "setting up data directory"; 
@@ -72,32 +53,28 @@ $node->start; # Run this before we lock down access below. my $result = $node->safe_psql('postgres', "SHOW ssl_library"); -is($result, 'OpenSSL', 'ssl_library parameter'); +is($result, SSL::Server::ssl_library(), 'ssl_library parameter'); configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, 'trust'); note "testing password-protected keys"; -open my $sslconf, '>', $node->data_dir . "/sslconfig.conf"; -print $sslconf "ssl=on\n"; -print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; -print $sslconf "ssl_key_file='server-password.key'\n"; -print $sslconf "ssl_passphrase_command='echo wrongpassword'\n"; -close $sslconf; - -command_fails( - [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], - 'restart fails with password-protected key file with wrong password'); -$node->_update_pid(0); - -open $sslconf, '>', $node->data_dir . "/sslconfig.conf"; -print $sslconf "ssl=on\n"; -print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; -print $sslconf "ssl_key_file='server-password.key'\n"; -print $sslconf "ssl_passphrase_command='echo secret1'\n"; -close $sslconf; +SKIP: +{ + skip "Certificate passphrases aren't checked on server restart in NSS", 1 + if ($nss); + + set_server_cert($node, 'server-cn-only', 'root+client_ca', + 'server-password', 'echo wrongpassword'); + command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with password-protected key file with wrong password'); + $node->_update_pid(0); +} +set_server_cert($node, 'server-cn-only', 'root+client_ca', + 'server-password', 'echo secret1'); command_ok( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], 'restart succeeds with password-protected key file'); 
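Review bot: The SKIP around the wrong-passphrase restart leaves an NSS build with no check that a bad `ssl_passphrase_command` result is rejected, and the skip reason ("Certificate passphrases aren't checked on server restart in NSS") describes a backend behaviour rather than a test limitation; if the NSS server really restarts with a passphrase it cannot use, that is something the suite should record rather than hide. Wrapping the `command_fails` in a `TODO:` block with `local $TODO = "passphrase not validated on restart in NSS" if $nss;` keeps the check running on both backends and flags the gap in the TAP output instead of silently dropping it. The second `set_server_cert(...)` call with `'echo secret1'` is the first place the five-argument form is used, so a one-line comment naming the argument order (node, cert, CA, key, passphrase command) would help readers of this script.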
@@ -149,82 +126,105 @@ test_connect_ok( test_connect_fails( $common_connstr, "sslrootcert=invalid sslmode=verify-ca", - qr/root certificate file "invalid" does not exist/, + qr/root certificate file "invalid" does not exist|could not connect to server/, "connect without server root cert sslmode=verify-ca"); test_connect_fails( $common_connstr, "sslrootcert=invalid sslmode=verify-full", - qr/root certificate file "invalid" does not exist/, + qr/root certificate file "invalid" does not exist|could not connect to server/, "connect without server root cert sslmode=verify-full"); # Try with wrong root cert, should fail. (We're using the client CA as the # root, but the server's key is signed by the server CA.) -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=require", - qr/SSL error/, "connect with wrong server root cert sslmode=require"); -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=verify-ca", - qr/SSL error/, "connect with wrong server root cert sslmode=verify-ca"); -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=verify-full", - qr/SSL error/, "connect with wrong server root cert sslmode=verify-full"); - -# Try with just the server CA's cert. This fails because the root file -# must contain the whole chain up to the root CA. 
-test_connect_fails($common_connstr, - "sslrootcert=ssl/server_ca.crt sslmode=verify-ca", - qr/SSL error/, "connect with server CA cert, without root CA"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=require cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=require"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-ca cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=verify-ca"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-full cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=verify-full"); + +SKIP: +{ + # NSS supports partial chain validation, so this test doesnt work there. + # This is similar to the OpenSSL option X509_V_FLAG_PARTIAL_CHAIN which + # we don't allow. + skip "NSS support partial chain validation", 2 if ($nss); + # Try with just the server CA's cert. This fails because the root file + # must contain the whole chain up to the root CA. + test_connect_fails($common_connstr, + "sslrootcert=ssl/server_ca.crt sslmode=verify-ca", + qr/SSL error/, "connect with server CA cert, without root CA"); +} # And finally, with the correct root cert. 
test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require", + "sslrootcert=ssl/root+server_ca.crt sslmode=require cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=require"); test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=verify-ca"); test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=verify-full"); -# Test with cert root file that contains two certificates. The client should -# be able to pick the right one, regardless of the order in the file. -test_connect_ok( - $common_connstr, - "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", - "cert root file that contains two certificates, order 1"); -test_connect_ok( - $common_connstr, - "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", - "cert root file that contains two certificates, order 2"); +SKIP: +{ + skip "CA ordering is irrelevant in NSS databases", 2 if ($nss); + # Test with cert root file that contains two certificates. The client should + # be able to pick the right one, regardless of the order in the file. + test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 1"); + + # How about import the both-file into a database? 
+ test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 2"); +} # CRL tests # Invalid CRL filename is the same as no CRL, succeeds test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid cert_database=ssl/nss/root+server_ca.crt.db", "sslcrl option with invalid file name"); -# A CRL belonging to a different CA is not accepted, fails -test_connect_fails( - $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", - qr/SSL error/, - "CRL belonging to a different CA"); +SKIP: +{ + skip "CRL's are verified when adding to NSS database", 2 if ($nss); + # A CRL belonging to a different CA is not accepted, fails + test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", + qr/SSL error/, + "CRL belonging to a different CA"); +} # With the correct CRL, succeeds (this cert is not revoked) test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl cert_database=ssl/nss/root+server_ca.crt__root+server.crl.db", "CRL with a non-revoked cert"); # Check that connecting with verify-full fails, when the hostname doesn't # match the hostname in the server's certificate. $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, 
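Review bot: The alternative `could not connect to server` added to the two `sslrootcert=invalid` regexes at the top of the hunk matches any connection failure, including a server that is down or a refused TCP connect, so those tests can no longer distinguish a missing root certificate from an unrelated outage; under NSS libpq presumably reports something more specific when the root file is absent, and that string should be matched instead. Two smaller things in the same hunk: the partial-chain SKIP comment reads `doesnt` and its skip reason `NSS support partial chain validation` should read "supports", and the question comment `# How about import the both-file into a database?` in the both-cas SKIP is a leftover note rather than documentation and should become a TODO with a concrete plan or be dropped.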
@@ -237,14 +237,14 @@ test_connect_ok( test_connect_fails( $common_connstr, "sslmode=verify-full host=wronghost.test", - qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/, + qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "mismatch between host name and server certificate sslmode=verify-full"); # Test Subject Alternative Names. switch_server_cert($node, 'server-multiple-alt-names'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, @@ -262,12 +262,12 @@ test_connect_ok( test_connect_fails( $common_connstr, "host=wronghost.alt-name.pg-ssltest.test", - qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/, + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with X.509 Subject Alternative Names"); test_connect_fails( $common_connstr, "host=deep.subdomain.wildcard.pg-ssltest.test", - qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/, + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with X.509 Subject Alternative Names wildcard"); # Test certificate with a single Subject Alternative Name. (this gives a 
@@ -275,7 +275,7 @@ test_connect_fails( switch_server_cert($node, 'server-single-alt-name'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, @@ -285,12 +285,12 @@ test_connect_ok( test_connect_fails( $common_connstr, "host=wronghost.alt-name.pg-ssltest.test", - qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/, + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with a single X.509 Subject Alternative Name"); test_connect_fails( $common_connstr, "host=deep.subdomain.wildcard.pg-ssltest.test", - qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/, + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with a single X.509 Subject Alternative Name wildcard" ); @@ -299,7 +299,7 @@ test_connect_fails( switch_server_cert($node, 'server-cn-and-alt-names'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, 
@@ -312,14 +312,14 @@ test_connect_ok( test_connect_fails( $common_connstr, "host=common-name.pg-ssltest.test", - qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/, + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "certificate with both a CN and SANs ignores CN"); # Finally, test a server certificate that has no CN or SANs. Of course, that's # not a very sensible certificate, but libpq should handle it gracefully. switch_server_cert($node, 'server-no-names'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, @@ -328,7 +328,7 @@ test_connect_ok( test_connect_fails( $common_connstr, "sslmode=verify-full host=common-name.pg-ssltest.test", - qr/could not get server's host name from server certificate/, + qr/could not get server's host name from server certificate|SSL_ERROR_BAD_CERT_DOMAIN/, "server certificate without CN or SANs sslmode=verify-full"); # Test that the CRL works @@ -340,11 +340,11 @@ $common_connstr = # Without the CRL, succeeds. With it, fails. test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db", "connects without client-side CRL"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/server.crl cert_database=ssl/nss/root+server_ca.crt__server.crl.db", qr/SSL error/, "does not connect with client-side CRL"); 
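Review bot: In the `@@ -340,11 +340,11 @@` hunk the client-side CRL for the "does not connect with client-side CRL" case changes from `ssl/root+server.crl` to `ssl/server.crl` for both backends, not only NSS. If libpq's OpenSSL path still requires a CRL for every CA in the chain, a file holding only the server CA's CRL makes the handshake fail for a missing root CRL rather than for the revoked server certificate, and `qr/SSL error/` cannot tell the two apart, so the revocation check itself would no longer be exercised on OpenSSL. Keeping `sslcrl=ssl/root+server.crl` on the OpenSSL side (the NSS database name can stay as it is) preserves the original intent; if the switch was deliberate, a comment explaining why `server.crl` is now sufficient belongs next to the connection string.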
@@ -365,21 +365,21 @@ command_like( # Test min/max SSL protocol versions. test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2 cert_database=ssl/nss/root+server_ca.crt.db", "connection success with correct range of TLS protocol versions"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1 cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid SSL protocol version range/, "connection failure with incorrect range of TLS protocol versions"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid ssl_min_protocol_version value/, "connection failure with an incorrect SSL protocol minimum bound"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid ssl_max_protocol_version value/, "connection failure with an incorrect SSL protocol maximum bound"); 
@@ -390,7 +390,7 @@ test_connect_fails( note "running server tests"; $common_connstr = - "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR"; + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db"; # no client cert test_connect_fails( 
@@ -406,32 +406,43 @@ test_connect_ok( "certificate authorization succeeds with correct client cert in PEM format" ); -# correct client cert in unencrypted DER -test_connect_ok( - $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key", - "certificate authorization succeeds with correct client cert in DER format" -); +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR"; + +SKIP: +{ + skip "NSS database not implemented in the Makefile", 1 if ($nss); + # correct client cert in unencrypted DER + test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key", + "certificate authorization succeeds with correct client cert in DER format" + ); +} # correct client cert in encrypted PEM test_connect_ok( $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+'", + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db", "certificate authorization succeeds with correct client cert in encrypted PEM format" ); -# correct client cert in encrypted DER -test_connect_ok( - $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'", - "certificate authorization succeeds with correct client cert in encrypted DER format" -); +SKIP: +{ + skip "NSS database not implemented in the Makefile", 1 if ($nss); + # correct client cert in encrypted DER + test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted DER format" + ); +} # correct client cert in encrypted PEM with wrong password test_connect_fails( $common_connstr, - "user=ssltestuser 
sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong'", - qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db", + qr!connection requires a valid client certificate|\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!, "certificate authorization fails with correct client cert and wrong password in encrypted PEM format" ); @@ -471,18 +482,19 @@ command_like( '-P', 'null=_null_', '-d', - "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key cert_database=ssl/nss/client.crt__client.key.db", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/?CN=ssltestuser,1,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions SKIP: { skip "Permissions check not enforced on Windows", 2 if ($windows_os); + skip "Key not on filesystem with NSS", 2 if ($nss); test_connect_fails( $common_connstr, 
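Review bot: The wrong-password regex at the end of the hunk now also accepts `connection requires a valid client certificate`, which is the server refusing a connection that presented no client certificate at all; a client that silently drops the certificate when `sslpassword` is wrong would pass this test, although the point of the case is that the bad password is reported to the user. For NSS the regex should match the error libpq raises when the key cannot be unlocked with the supplied password, and a short comment should say which backend produces which branch of the alternation. The same pairing reappears in the intermediate-certificate `test_connect_fails` in `@@ -536,17 +551,23 @@`, where `SSL error` for OpenSSL is joined with the same server-side message for NSS.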
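Review bot: The `/?CN=` and `/?\QCN=` edits in the pg_stat_ssl regex make the test accept two different `client_dn`/`issuer_dn` formats, which papers over a user-visible difference between backends rather than pinning it down. A comment such as `# OpenSSL reports DNs as /CN=..., NSS without the leading slash` on the regex would document the expectation, and selecting the expected string per backend would be stricter. The added `skip "Key not on filesystem with NSS", 2` is reasonable, but no equivalent permission check for the NSS database files exists in this hunk, so that gap is worth a note.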
@@ -495,10 +507,13 @@ SKIP: test_connect_fails( $common_connstr, "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", - qr/certificate authentication failed for user "anotheruser"/, + qr/unable to verify certificate|certificate authentication failed for user "anotheruser"/, "certificate authorization fails with client cert belonging to another user" ); +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client-revoked.crt__client-revoked.key.db"; + # revoked client cert test_connect_fails( $common_connstr, @@ -510,7 +525,7 @@ test_connect_fails( # works, iff username matches Common Name # fails, iff username doesn't match Common Name. $common_connstr = - "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR"; + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db"; test_connect_ok( $common_connstr, 
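Review bot: The "client cert belonging to another user" test now also passes on `unable to verify certificate`, and `$common_connstr` was reset without `cert_database=` at the top of `@@ -406,32 +406,43 @@`, so under NSS this connection has no certificate database to load `sslcert=ssl/client.crt` from; the failure then presumably comes from no usable client certificate being presented, not from the CN `ssltestuser` failing to match `anotheruser`, which is the authorization check the case is meant to cover. Adding `cert_database=ssl/nss/client.crt__client.key.db` to that connection (as the pg_stat_ssl case in `@@ -471,18 +482,19 @@` does) and dropping the `unable to verify certificate` alternative keeps the test meaningful on both backends.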
@@ -536,17 +551,23 @@ test_connect_ok( # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file switch_server_cert($node, 'server-cn-only', 'root_ca'); $common_connstr = - "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client+client_ca.crt__client.key.db"; -test_connect_ok( +TODO: +{ + local $TODO = "WIP failure cause currently unknown"; + test_connect_ok( + $common_connstr, + "sslmode=require sslcert=ssl/client+client_ca.crt", + "intermediate client certificate is provided by client"); +} + +test_connect_fails( $common_connstr, - "sslmode=require sslcert=ssl/client+client_ca.crt", - "intermediate client certificate is provided by client"); -test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt", - qr/SSL error/, "intermediate client certificate is missing"); + "sslmode=require sslcert=ssl/client.crt", + qr/connection requires a valid client certificate|SSL error/, + "intermediate client certificate is missing"); # clean up -foreach my $key (@keys) -{ - unlink("ssl/${key}_tmp.key"); -} + +SSL::Server::cleanup(); diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 20ab0d5b0b..b50659e568 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -11,11 +11,11 @@ use File::Copy; use FindBin; use lib $FindBin::RealBin; -use SSLServer; +use SSL::Server; if ($ENV{with_openssl} ne 'yes') { - plan skip_all => 'SSL not supported by this build'; + plan skip_all => 'OpenSSL not supported by this build'; } # This is the hostname used to connect to the server. diff --git a/src/test/ssl/t/SSL/Backend/NSS.pm b/src/test/ssl/t/SSL/Backend/NSS.pm new file mode 100644 index 0000000000..837f0d9891 --- /dev/null +++ b/src/test/ssl/t/SSL/Backend/NSS.pm 
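Review bot: `local $TODO = "WIP failure cause currently unknown";` is unconditional, so the intermediate-client-certificate case becomes a TODO on OpenSSL as well and a regression there would no longer fail the suite. Scoping it with `local $TODO = $nss ? "WIP failure cause currently unknown" : undef;` keeps the OpenSSL result a hard check, and a TODO without a tracked cause should at least name the symptom that was observed. The `# clean up` comment now precedes `SSL::Server::cleanup();`; saying there that the backend module decides what, if anything, is removed would make the handoff clear.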
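Review bot: `plan skip_all => 'OpenSSL not supported by this build'` keeps the whole SCRAM script OpenSSL-only, so an NSS build runs no `channel_binding` test at all even though the patch adds NSS to the same libpq and server code paths. If channel binding is not yet implemented for the NSS backend, a comment next to the skip saying so (or a TODO block under NSS) would record the coverage gap; otherwise the script should gate on both `with_openssl` and `with_nss` as 001_ssltests.pl does and run on both backends.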
@@ -0,0 +1,64 @@
+package SSL::Backend::NSS;
+
+use strict;
+use warnings;
+use Exporter;
+
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(get_new_nss_backend);
+
+sub new
+{
+ my ($class) = @_;
+
+ my $self = { _library => 'NSS' };
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub get_new_nss_backend
+{
+ my $class = 'SSL::Backend::NSS';
+
+ return $class->new();
+}
+
+sub init
+{
+ # Make sure the certificate databases are in place?
+}
+
+sub get_library
+{
+ my ($self) = @_;
+
+ return $self->{_library};
+}
+
+sub set_server_cert
+{
+ my $self = $_[0];
+ my $certfile = $_[1];
+ my $cafile = $_[2];
+ my $keyfile = $_[3];
+
+ my $cert_nickname = $certfile . '.crt__' . $keyfile . '.key';
+ my $cert_database = $cert_nickname . '.db';
+
+ my $sslconf =
+ "ssl_ca_file='$cafile.crt'\n"
+ . "ssl_cert_file='ssl/$certfile.crt'\n"
+ . "ssl_crl_file=''\n"
+ . "ssl_database='nss/$cert_database'\n";
+
+ return $sslconf;
+}
+
+sub cleanup
+{
+ # Something?
+}
+
+1;
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
new file mode 100644
index 0000000000..62b11b7632
--- /dev/null
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
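Review bot: `set_server_cert` hard-codes `ssl_crl_file=''` and writes `ssl_cert_file='ssl/$certfile.crt'` while `ssl_ca_file='$cafile.crt'` carries no `ssl/` prefix, so whether the server finds the CA file and whether any server-side revocation check runs depends entirely on what the copied NSS database already contains, and neither choice is explained. A comment above the config string stating that CA trust and CRLs are expected to come from `nss/$cert_database` (if that is the case) and why the certificate path is relative to the test directory would make this readable for the next maintainer. `init` and `cleanup` are empty with question-mark comments (`# Make sure the certificate databases are in place?`, `# Something?`) that should become explicit "nothing to do because ..." statements or TODOs, and the argument unpacking can be the one-liner `my ($self, $certfile, $cafile, $keyfile) = @_;` as `get_library` already does.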
@@ -0,0 +1,103 @@
+package SSL::Backend::OpenSSL;
+
+use strict;
+use warnings;
+use Exporter;
+use File::Copy;
+
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(get_new_openssl_backend);
+
+our (@keys);
+
+INIT
+{
+ @keys = (
+ "client", "client-revoked",
+ "client-der", "client-encrypted-pem",
+ "client-encrypted-der");
+}
+
+sub new
+{
+ my ($class) = @_;
+
+ my $self = { _library => 'OpenSSL' };
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub get_new_openssl_backend
+{
+ my $class = 'SSL::Backend::OpenSSL';
+
+ my $backend = $class->new();
+
+ return $backend;
+}
+
+sub init
+{
+ # The client's private key must not be world-readable, so take a copy
+ # of the key stored in the code tree and update its permissions.
+ #
+ # This changes ssl/client.key to ssl/client_tmp.key etc for the rest
+ # of the tests.
+ foreach my $key (@keys)
+ {
+ copy("ssl/${key}.key", "ssl/${key}_tmp.key")
+ or die
+ "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!";
+ chmod 0600, "ssl/${key}_tmp.key"
+ or die "failed to change permissions on ssl/${key}_tmp.key: $!";
+ }
+
+ # Also make a copy of that explicitly world-readable. We can't
+ # necessarily rely on the file in the source tree having those
+ # permissions. Add it to @keys to include it in the final clean
+ # up phase.
+ copy("ssl/client.key", "ssl/client_wrongperms_tmp.key")
+ or die
+ "couldn't copy ssl/client.key to ssl/client_wrongperms_tmp.key: $!";
+ chmod 0644, "ssl/client_wrongperms_tmp.key"
+ or die
+ "failed to change permissions on ssl/client_wrongperms_tmp.key: $!";
+ push @keys, 'client_wrongperms';
+}
+
+# Change the configuration to use given server cert file, and reload
+# the server so that the configuration takes effect.
+sub set_server_cert
+{
+ my $self = $_[0];
+ my $certfile = $_[1];
+ my $cafile = $_[2] || "root+client_ca";
+ my $keyfile = $_[3] || $certfile;
+
+ my $sslconf =
+ "ssl_ca_file='$cafile.crt'\n"
+ . "ssl_cert_file='$certfile.crt'\n"
+ .
"ssl_key_file='$keyfile.key'\n" + . "ssl_crl_file='root+client.crl'\n"; + + return $sslconf; +} + +sub get_library +{ + my ($self) = @_; + + return $self->{_library}; +} + +sub cleanup +{ + foreach my $key (@keys) + { + unlink("ssl/${key}_tmp.key"); + } +} + +1; diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSL/Server.pm similarity index 78% rename from src/test/ssl/t/SSLServer.pm rename to src/test/ssl/t/SSL/Server.pm index f5987a003e..1261d21861 100644 --- a/src/test/ssl/t/SSLServer.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -23,19 +23,39 @@ # explicitly because an invalid sslcert or sslrootcert, respectively, # causes those to be ignored.) -package SSLServer; +package SSL::Server; use strict; use warnings; use PostgresNode; +use RecursiveCopy; use TestLib; use File::Basename; use File::Copy; use Test::More; +use SSL::Backend::OpenSSL qw(get_new_openssl_backend); +use SSL::Backend::NSS qw(get_new_nss_backend); + +our ($openssl, $nss, $backend); + +# The TLS backend which the server is using should be mostly transparent for +# the user, apart from individual configuration settings, so keep the backend +# specific things abstracted behind SSL::Server. +if ($ENV{with_openssl} eq 'yes') +{ + $backend = get_new_openssl_backend(); + $openssl = 1; +} +elsif ($ENV{with_nss} eq 'yes') +{ + $backend = get_new_nss_backend(); + $nss = 1; +} use Exporter 'import'; our @EXPORT = qw( configure_test_server_for_ssl + set_server_cert switch_server_cert test_connect_fails test_connect_ok 
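Review bot: Populating `@keys` from an `INIT` block (`our (@keys); INIT { @keys = (...) }`) is fragile: `INIT` blocks only run when the module is compiled before the main program starts, so a run-time `require` would leave `@keys` empty with a "Too late to run INIT block" warning, after which `init` copies no keys and `cleanup` removes nothing. A plain file-scope `our @keys = ("client", "client-revoked", "client-der", "client-encrypted-pem", "client-encrypted-der");` yields the same list without the load-order dependency. `init` also does `push @keys, 'client_wrongperms'` every time it runs, so a second call would duplicate the entry and copy the world-readable key twice; guarding the push, or listing the wrongperms name up front and special-casing its mode in the loop, avoids that.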
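Review bot: The backend selection `if ($ENV{with_openssl} eq 'yes') ... elsif ($ENV{with_nss} eq 'yes')` runs at `use` time, and `$ENV{with_nss} eq 'yes'` emits an uninitialized-value warning whenever `with_nss` is not exported into the environment; comparing `($ENV{with_nss} // '') eq 'yes'` (and the same for `with_openssl`) avoids the noise. When neither variable is `yes`, `$backend` stays undef and the first `$backend->init()` in `configure_test_server_for_ssl` dies with a method-on-undef error; since callers are expected to `plan skip_all` before touching the backend, a comment on the `our ($openssl, $nss, $backend);` line saying that `$backend` is deliberately left undef in that case, and that `$openssl`/`$nss` are internal flags rather than exports, would make the contract explicit.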
@@ -144,12 +164,19 @@ sub configure_test_server_for_ssl close $sslconf; # Copy all server certificates and keys, and client root cert, to the data dir - copy_files("ssl/server-*.crt", $pgdata); - copy_files("ssl/server-*.key", $pgdata); - chmod(0600, glob "$pgdata/server-*.key") or die $!; - copy_files("ssl/root+client_ca.crt", $pgdata); - copy_files("ssl/root_ca.crt", $pgdata); - copy_files("ssl/root+client.crl", $pgdata); + if (defined($openssl)) + { + copy_files("ssl/server-*.crt", $pgdata); + copy_files("ssl/server-*.key", $pgdata); + chmod(0600, glob "$pgdata/server-*.key") or die $!; + copy_files("ssl/root+client_ca.crt", $pgdata); + copy_files("ssl/root_ca.crt", $pgdata); + copy_files("ssl/root+client.crl", $pgdata); + } + elsif (defined($nss)) + { + RecursiveCopy::copypath("ssl/nss", $pgdata . "/nss") if -e "ssl/nss"; + } # Stop and restart server to load new listen_addresses. $node->restart; 
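Review bot: `RecursiveCopy::copypath("ssl/nss", $pgdata . "/nss") if -e "ssl/nss";` silently does nothing when the database directory is absent, while the server configuration written later still points `ssl_database` at `nss/...`, so the problem would surface only as an opaque server start failure; `die "ssl/nss is missing" unless -d "ssl/nss";` before the copy gives a direct message. The OpenSSL branch applies `chmod 0600` to the copied server keys, but the NSS branch leaves the copied `key4.db` files with whatever mode they carry in the tree; if the NSS server code enforces or expects restrictive permissions on its key database (not visible from here), the branch should apply the same chmod to the copied `key4.db` files. Note also that only the `nss` directory is copied under NSS, so `root+client_ca.crt` and `root_ca.crt`, which `SSL::Backend::NSS::set_server_cert` still writes into `ssl_ca_file`, are not in the data directory unless the NSS backend ignores that setting.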
@@ -157,26 +184,51 @@ sub configure_test_server_for_ssl # Change pg_hba after restart because hostssl requires ssl=on configure_hba_for_ssl($node, $servercidr, $authmethod); + # Finally, perform backend specific configuration + $backend->init(); + return; } -# Change the configuration to use given server cert file, and reload -# the server so that the configuration takes effect. -sub switch_server_cert +sub ssl_library +{ + return $backend->get_library(); +} + +sub cleanup +{ + $backend->cleanup(); +} + +# Change the configuration to use given server cert file, +sub set_server_cert { my $node = $_[0]; my $certfile = $_[1]; my $cafile = $_[2] || "root+client_ca"; + my $keyfile = $_[3] || ''; + my $pwcmd = $_[4] || ''; my $pgdata = $node->data_dir; + $keyfile = $certfile if $keyfile eq ''; + open my $sslconf, '>', "$pgdata/sslconfig.conf"; print $sslconf "ssl=on\n"; - print $sslconf "ssl_ca_file='$cafile.crt'\n"; - print $sslconf "ssl_cert_file='$certfile.crt'\n"; - print $sslconf "ssl_key_file='$certfile.key'\n"; - print $sslconf "ssl_crl_file='root+client.crl'\n"; + print $sslconf $backend->set_server_cert($certfile, $cafile, $keyfile); + print $sslconf "ssl_passphrase_command='$pwcmd'\n" + unless $pwcmd eq ''; close $sslconf; + return; +} +# Change the configuration to use given server cert file, and reload +# the server so that the configuration takes effect. +# Takes the same arguments as set_server_cert, which it calls to do that +# piece of the work. +sub switch_server_cert +{ + my $node = $_[0]; + set_server_cert(@_); $node->restart; return; } diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm index b6d0cfd39b..c53c59229e 100644 --- a/src/tools/msvc/Install.pm +++ b/src/tools/msvc/Install.pm 
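Review bot: `set_server_cert` interpolates `$pwcmd` into `ssl_passphrase_command='$pwcmd'` without escaping, so a command containing a single quote yields a malformed config file rather than the intended setting; doubling quotes with `(my $quoted = $pwcmd) =~ s/'/''/g;` before the print (or stating the restriction in the comment) makes the helper safe for future callers. The `$keyfile` handling, `my $keyfile = $_[3] || '';` followed by `$keyfile = $certfile if $keyfile eq '';`, is equivalent to `my $keyfile = $_[3] || $certfile;`, which is how `SSL::Backend::OpenSSL::set_server_cert` spells it. The `open`/`close` on `$sslconf` stay unchecked as in the original code, and the new `ssl_library` and `cleanup` subs lack a comment saying they simply forward to the selected backend.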
@@ -438,7 +438,8 @@ sub CopyContribFiles { # These configuration-based exclusions must match vcregress.pl next if ($d eq "uuid-ossp" && !defined($config->{uuid})); - next if ($d eq "sslinfo" && !defined($config->{openssl})); + next if ($d eq "sslinfo" && !defined($config->{openssl}) + && !defined($config->{nss})); next if ($d eq "xml2" && !defined($config->{xml})); next if ($d =~ /_plperl$/ && !defined($config->{perl})); next if ($d =~ /_plpython$/ && !defined($config->{python})); diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm index 89e1b39036..f141801478 100644 --- a/src/tools/msvc/Mkvcbuild.pm +++ b/src/tools/msvc/Mkvcbuild.pm @@ -192,12 +192,19 @@ sub mkvcbuild $postgres->FullExportDLL('postgres.lib'); # The OBJS scraper doesn't know about ifdefs, so remove appropriate files - # if building without OpenSSL. - if (!$solution->{options}->{openssl}) + # if building without various options. + if (!$solution->{options}->{openssl} && !$solution->{options}->{nss}) { $postgres->RemoveFile('src/backend/libpq/be-secure-common.c'); + } + if (!$solution->{options}->{openssl}) + { $postgres->RemoveFile('src/backend/libpq/be-secure-openssl.c'); } + if (!$solution->{options}->{nss}) + { + $postgres->RemoveFile('src/backend/libpq/be-secure-nss.c'); + } if (!$solution->{options}->{gss}) { $postgres->RemoveFile('src/backend/libpq/be-gssapi-common.c'); 
@@ -255,12 +262,19 @@ sub mkvcbuild $libpq->AddReference($libpgcommon, $libpgport); # The OBJS scraper doesn't know about ifdefs, so remove appropriate files - # if building without OpenSSL. - if (!$solution->{options}->{openssl}) + # if building without various options + if (!$solution->{options}->{openssl} && !$solution->{options}->{nss}) { $libpq->RemoveFile('src/interfaces/libpq/fe-secure-common.c'); + } + if (!$solution->{options}->{openssl}) + { $libpq->RemoveFile('src/interfaces/libpq/fe-secure-openssl.c'); } + if (!$solution->{options}->{nss}) + { + $libpq->RemoveFile('src/interfaces/libpq/fe-secure-nss.c'); + } if (!$solution->{options}->{gss}) { $libpq->RemoveFile('src/interfaces/libpq/fe-gssapi-common.c'); @@ -428,9 +442,14 @@ sub mkvcbuild push @contrib_excludes, 'xml2'; } + if (!$solution->{options}->{openssl} && !$solution->{options}->{nss}) + { + push @contrib_excludes, 'sslinfo'; + } + if (!$solution->{options}->{openssl}) { - push @contrib_excludes, 'sslinfo', 'ssl_passphrase_callback'; + push @contrib_excludes, 'ssl_passphrase_callback'; } if (!$solution->{options}->{uuid}) diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm index bc8904732f..ac11d9ab26 100644 --- a/src/tools/msvc/Solution.pm +++ b/src/tools/msvc/Solution.pm @@ -484,6 +484,7 @@ sub GenerateFiles USE_NAMED_POSIX_SEMAPHORES => undef, USE_OPENSSL => undef, USE_OPENSSL_RANDOM => undef, + USE_NSS => undef, USE_PAM => undef, USE_SLICING_BY_8_CRC32C => undef, USE_SSE42_CRC32C => undef, @@ -537,6 +538,10 @@ sub GenerateFiles $define{HAVE_OPENSSL_INIT_SSL} = 1; } } + if ($self->{options}->{nss}) + { + $define{USE_NSS} = 1; + } $self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1); $self->GenerateConfigHeader('src/include/pg_config_ext.h', \%define, 0); 
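Review bot: `$define{USE_NSS} = 1` in `@@ -537,6 +538,10 @@` is set independently of the `USE_OPENSSL` block just above it, so an MSVC config with both `openssl` and `nss` set defines both macros in pg_config.h, and the `Mkvcbuild.pm` hunks (`@@ -192,12 +192,19 @@`, `@@ -255,12 +262,19 @@`) would then compile both `be-secure-openssl.c` and `be-secure-nss.c` into the same binary. Unless an equivalent check exists elsewhere in the MSVC scripts, a guard such as `die "Cannot build with both OpenSSL and NSS\n" if $self->{options}->{openssl} && $self->{options}->{nss};` at the start of this block would reject the combination early with a clear message.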
@@ -1004,6 +1009,21 @@ sub AddProject } } } + if ($self->{options}->{nss}) + { + $proj->AddIncludeDir($self->{options}->{nss} . '\..\public\nss'); + $proj->AddIncludeDir($self->{options}->{nss} . '\include\nspr'); + foreach my $lib (qw(plds4 plc4 nspr4)) + { + $proj->AddLibrary($self->{options}->{nss} . + '\lib\lib' . "$lib.lib", 0); + } + foreach my $lib (qw(ssl3 smime3 nss3)) + { + $proj->AddLibrary($self->{options}->{nss} . + '\lib' . "\\$lib.dll.lib", 0); + } + } if ($self->{options}->{nls}) { $proj->AddIncludeDir($self->{options}->{nls} . '\include'); diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl index 2ef2cfc4e9..49dc4d5864 100644 --- a/src/tools/msvc/config_default.pl +++ b/src/tools/msvc/config_default.pl @@ -17,6 +17,7 @@ our $config = { perl => undef, # --with-perl= python => undef, # --with-python= openssl => undef, # --with-openssl= + nss => undef, # --with-nss= uuid => undef, # --with-uuid= xml => undef, # --with-libxml= xslt => undef, # --with-libxslt= -- 2.21.1 (Apple Git-122.3)
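Review bot: The library paths mix quoting styles, `'\lib\lib' . "$lib.lib"` in one loop and `'\lib' . "\\$lib.dll.lib"` in the other, which only works because `\l` and `\.` are not escapes inside single quotes; writing both as `"\\lib\\lib$lib.lib"` and `"\\lib\\$lib.dll.lib"` makes the intent plain and keeps the two loops parallel. The include path `'\..\public\nss'` assumes a particular build-tree layout relative to the `nss` option; a comment stating which directory the option must point at (dist root versus install prefix) would spare the next person a guess.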