From eadce6d33f6406798494a35f4997f49ace5e4cbb Mon Sep 17 00:00:00 2001 
From: Andrew Dunstan Date: Mon, 3 Aug 2020 12:32:10 -0400 Subject: [PATCH] WIP Support libnss for as TLS backend v8 --- configure | 211 ++++ configure.ac | 30 + contrib/Makefile | 2 +- .../postgres_fdw/expected/postgres_fdw.out | 2 +- contrib/sslinfo/sslinfo.c | 164 ++- doc/src/sgml/sslinfo.sgml | 14 +- src/Makefile.global.in | 10 + src/backend/libpq/Makefile | 4 + src/backend/libpq/auth.c | 7 + src/backend/libpq/be-secure-nss.c | 1032 +++++++++++++++++ src/backend/libpq/be-secure-openssl.c | 16 +- src/backend/libpq/be-secure.c | 3 + src/backend/utils/misc/guc.c | 20 +- src/include/common/pg_nss.h | 141 +++ src/include/libpq/libpq-be.h | 9 +- src/include/libpq/libpq.h | 3 + src/include/pg_config.h.in | 3 + src/include/pg_config_manual.h | 5 +- src/interfaces/libpq/Makefile | 4 + src/interfaces/libpq/fe-connect.c | 4 + src/interfaces/libpq/fe-secure-nss.c | 975 ++++++++++++++++ src/interfaces/libpq/fe-secure.c | 5 +- src/interfaces/libpq/libpq-fe.h | 11 + src/interfaces/libpq/libpq-int.h | 5 + src/test/Makefile | 2 +- src/test/ssl/Makefile | 172 +++ .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/client-encrypted-pem.pfx | Bin 0 -> 3149 bytes .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/client-revoked.pfx | Bin 0 -> 3149 bytes src/test/ssl/ssl/nss/client.crl | Bin 0 -> 418 bytes ...ient.crt__client-encrypted-pem.key.db.pass | 1 + .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../nss/client.crt__client.key.db/cert9.db | Bin 0 -> 36864 bytes .../ssl/nss/client.crt__client.key.db/key4.db | Bin 0 -> 45056 bytes .../nss/client.crt__client.key.db/pkcs11.txt | 5 + src/test/ssl/ssl/nss/client.pfx | Bin 0 -> 3149 bytes .../ssl/ssl/nss/client_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes src/test/ssl/ssl/nss/client_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/ssl/nss/client_ca.crt.db/pkcs11.txt | 5 + 
src/test/ssl/ssl/nss/root+client.crl | Bin 0 -> 393 bytes .../ssl/nss/root+client_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes .../ssl/ssl/nss/root+client_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/nss/root+client_ca.crt.db/pkcs11.txt | 5 + .../ssl/nss/root+server_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes .../ssl/ssl/nss/root+server_ca.crt.db/key4.db | Bin 0 -> 36864 bytes .../ssl/nss/root+server_ca.crt.db/pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 28672 bytes .../root+server_ca.crt__server.crl.db/key4.db | Bin 0 -> 36864 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/root.crl | Bin 0 -> 393 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-cn-and-alt-names.pfx | Bin 0 -> 3349 bytes .../cert9.db | Bin 0 -> 28672 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-cn-only.pfx | Bin 0 -> 3197 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-multiple-alt-names.pfx | Bin 0 -> 3325 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-no-names.pfx | Bin 0 -> 3109 bytes src/test/ssl/ssl/nss/server-password.pfx | Bin 0 -> 3197 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + src/test/ssl/ssl/nss/server-revoked.pfx | Bin 0 -> 3181 bytes .../cert9.db | Bin 0 -> 36864 bytes .../key4.db | Bin 0 -> 45056 bytes .../pkcs11.txt | 5 + .../ssl/ssl/nss/server-single-alt-name.pfx | Bin 0 -> 3213 bytes src/test/ssl/ssl/nss/server.crl | Bin 0 -> 418 bytes .../ssl/ssl/nss/server_ca.crt.db/cert9.db | Bin 0 -> 28672 bytes src/test/ssl/ssl/nss/server_ca.crt.db/key4.db | Bin 0 -> 36864 bytes 
.../ssl/ssl/nss/server_ca.crt.db/pkcs11.txt | 5 + src/test/ssl/t/001_ssltests.pl | 289 ++--- src/test/ssl/t/002_scram.pl | 4 +- src/test/ssl/t/SSL/Backend/NSS.pm | 64 + src/test/ssl/t/SSL/Backend/OpenSSL.pm | 103 ++ .../ssl/t/{SSLServer.pm => SSL/Server.pm} | 80 +- src/tools/msvc/Install.pm | 3 +- src/tools/msvc/Mkvcbuild.pm | 29 +- src/tools/msvc/Solution.pm | 20 + src/tools/msvc/config_default.pl | 1 + 101 files changed, 3276 insertions(+), 257 deletions(-) create mode 100644 src/backend/libpq/be-secure-nss.c create mode 100644 src/include/common/pg_nss.h create mode 100644 src/interfaces/libpq/fe-secure-nss.c create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client-encrypted-pem.pfx create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client-revoked.pfx create mode 100644 src/test/ssl/ssl/nss/client.crl create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/client.pfx create mode 100644 
src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+client.crl create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/root.crl create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db create 
mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-cn-only.pfx create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-no-names.pfx create mode 100644 src/test/ssl/ssl/nss/server-password.pfx create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-revoked.pfx create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.pfx create mode 100644 src/test/ssl/ssl/nss/server.crl create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/key4.db create mode 100644 
src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt create mode 100644 src/test/ssl/t/SSL/Backend/NSS.pm create mode 100644 src/test/ssl/t/SSL/Backend/OpenSSL.pm rename src/test/ssl/t/{SSLServer.pm => SSL/Server.pm} (78%) diff --git a/configure b/configure index cb8fbe1051..8b7d98c2ab 100755 --- a/configure +++ b/configure @@ -711,6 +711,7 @@ with_uuid with_readline with_systemd with_selinux +with_nss with_openssl with_ldap with_krb_srvnam @@ -856,6 +857,7 @@ with_bsd_auth with_ldap with_bonjour with_openssl +with_nss with_selinux with_systemd with_readline @@ -1558,6 +1560,7 @@ Optional Packages: --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support + --with-nss build with NSS support --with-selinux build with SELinux support --with-systemd build with systemd support --without-readline do not use GNU Readline nor BSD Libedit for editing @@ -8100,6 +8103,41 @@ fi $as_echo "$with_openssl" >&6; } +# +# LibNSS +# +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with NSS support" >&5 +$as_echo_n "checking whether to build with NSS support... " >&6; } + + + +# Check whether --with-nss was given. +if test "${with_nss+set}" = set; then : + withval=$with_nss; + case $withval in + yes) + +$as_echo "#define USE_NSS 1" >>confdefs.h + + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-nss option" "$LINENO" 5 + ;; + esac + +else + with_nss=no + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_nss" >&5 +$as_echo "$with_nss" >&6; } + + # # SELinux # @@ -12174,6 +12212,9 @@ fi fi if test "$with_openssl" = yes ; then + if test x"$with_nss" = x"yes" ; then + as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5 + fi # Minimum required OpenSSL version is 1.0.1 $as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h 
@@ -12436,6 +12477,157 @@ done fi +if test "$with_nss" = yes ; then + if test x"$with_openssl" = x"yes" ; then + as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5 + fi + CLEANLDFLAGS="$LDFLAGS" + # TODO: document this set of LDFLAGS + LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 +$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; } +if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnss3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char SSL_VersionRangeSet (); +int +main () +{ +return SSL_VersionRangeSet (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nss3_SSL_VersionRangeSet=yes +else + ac_cv_lib_nss3_SSL_VersionRangeSet=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 +$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } +if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSS3 1 +_ACEOF + + LIBS="-lnss3 $LIBS" + +else + as_fn_error $? "library 'nss3' is required for NSS" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PR_GetDefaultIOMethods in -lnspr4" >&5 +$as_echo_n "checking for PR_GetDefaultIOMethods in -lnspr4... 
" >&6; } +if ${ac_cv_lib_nspr4_PR_GetDefaultIOMethods+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnspr4 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char PR_GetDefaultIOMethods (); +int +main () +{ +return PR_GetDefaultIOMethods (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nspr4_PR_GetDefaultIOMethods=yes +else + ac_cv_lib_nspr4_PR_GetDefaultIOMethods=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&5 +$as_echo "$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&6; } +if test "x$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSPR4 1 +_ACEOF + + LIBS="-lnspr4 $LIBS" + +else + as_fn_error $? "library 'nspr4' is required for NSS" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_GetImplementedCiphers in -lssl3" >&5 +$as_echo_n "checking for SSL_GetImplementedCiphers in -lssl3... " >&6; } +if ${ac_cv_lib_ssl3_SSL_GetImplementedCiphers+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char SSL_GetImplementedCiphers (); +int +main () +{ +return SSL_GetImplementedCiphers (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl3_SSL_GetImplementedCiphers=yes +else + ac_cv_lib_ssl3_SSL_GetImplementedCiphers=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&5 +$as_echo "$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&6; } +if test "x$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSSL3 1 +_ACEOF + + LIBS="-lssl3 $LIBS" + +else + as_fn_error $? "library 'ssl3' is required for NSS" "$LINENO" 5 +fi + + LDFLAGS="$CLEANLDFLAGS" +fi + if test "$with_pam" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 $as_echo_n "checking for pam_start in -lpam... " >&6; } @@ -13338,6 +13530,25 @@ else fi +fi + +if test "$with_nss" = yes ; then + ac_fn_c_check_header_mongrel "$LINENO" "ssl.h" "ac_cv_header_ssl_h" "$ac_includes_default" +if test "x$ac_cv_header_ssl_h" = xyes; then : + +else + as_fn_error $? "header file is required for NSS" "$LINENO" 5 +fi + + + ac_fn_c_check_header_mongrel "$LINENO" "nss.h" "ac_cv_header_nss_h" "$ac_includes_default" +if test "x$ac_cv_header_nss_h" = xyes; then : + +else + as_fn_error $? "header file is required for NSS" "$LINENO" 5 +fi + + fi if test "$with_pam" = yes ; then diff --git a/configure.ac b/configure.ac index eb2c731b58..23c07cabce 100644 --- a/configure.ac +++ b/configure.ac 
@@ -856,6 +856,15 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support], AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) +# +# LibNSS +# +AC_MSG_CHECKING([whether to build with NSS support]) +PGAC_ARG_BOOL(with, nss, no, [build with NSS support], + [AC_DEFINE([USE_NSS], 1, [Define to build with NSS support. (--with-nss)])]) +AC_MSG_RESULT([$with_nss]) +AC_SUBST(with_nss) + # # SELinux # @@ -1205,6 +1214,9 @@ if test "$with_gssapi" = yes ; then fi if test "$with_openssl" = yes ; then + if test x"$with_nss" = x"yes" ; then + AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"]) + fi dnl Order matters! # Minimum required OpenSSL version is 1.0.1 AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L], @@ -1230,6 +1242,19 @@ if test "$with_openssl" = yes ; then AC_CHECK_FUNCS([CRYPTO_lock]) fi +if test "$with_nss" = yes ; then + if test x"$with_openssl" = x"yes" ; then + AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"]) + fi + CLEANLDFLAGS="$LDFLAGS" + # TODO: document this set of LDFLAGS + LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS" + AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])]) + AC_CHECK_LIB(nspr4, PR_GetDefaultIOMethods, [], [AC_MSG_ERROR([library 'nspr4' is required for NSS])]) + AC_CHECK_LIB(ssl3, SSL_GetImplementedCiphers, [], [AC_MSG_ERROR([library 'ssl3' is required for NSS])]) + LDFLAGS="$CLEANLDFLAGS" +fi + if test "$with_pam" = yes ; then AC_CHECK_LIB(pam, pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])]) fi 
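Review bot: The error message in the new guard inside the `with_openssl` block carries a stray double-quote, `simultaneously"]`, which is printed verbatim to the user; the mirror guard in the `with_nss` block of the next hunk and both generated `configure` hunks repeat the same typo. The two guards are also redundant with each other, since whichever block runs first already rejects the combination. One check placed before either block, `if test "$with_openssl" = yes && test "$with_nss" = yes; then AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously]); fi`, keeps the message in a single place and fixes the quote.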
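Review bot: `AC_CHECK_LIB(nss3, SSL_VersionRangeSet, ...)` probes libnss3 for a symbol that is exported by libssl3; it only links because the preceding line temporarily stuffs `-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4` into LDFLAGS, and that same trick makes the other two probes succeed regardless of which library actually provides the symbol. After `LDFLAGS="$CLEANLDFLAGS"` only the three `-l` flags that AC_CHECK_LIB itself appended to LIBS survive, so `-lsmime3`, `-lplds4` and `-lplc4` are missing from the final link if anything in the new backend needs them; the `# TODO: document this set of LDFLAGS` comment suggests this was never pinned down. Probing each library for a symbol it really exports, in dependency order — `AC_CHECK_LIB(nspr4, PR_GetDefaultIOMethods, ...)`, then `AC_CHECK_LIB(nss3, NSS_Init, ...)`, then `AC_CHECK_LIB(ssl3, SSL_VersionRangeSet, ...)` — removes the need for the LDFLAGS workaround, and `PKG_CHECK_MODULES([NSS], [nss])`, as the ICU check in this file already does for its libraries, yields the correct link and include flags in one step.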
@@ -1405,6 +1430,11 @@ if test "$with_openssl" = yes ; then AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) fi +if test "$with_nss" = yes ; then + AC_CHECK_HEADER(ssl.h, [], [AC_MSG_ERROR([header file is required for NSS])]) + AC_CHECK_HEADER(nss.h, [], [AC_MSG_ERROR([header file is required for NSS])]) +fi + if test "$with_pam" = yes ; then AC_CHECK_HEADERS(security/pam_appl.h, [], [AC_CHECK_HEADERS(pam/pam_appl.h, [], diff --git a/contrib/Makefile b/contrib/Makefile index 1846d415b6..cef7bf7f61 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -50,7 +50,7 @@ SUBDIRS = \ unaccent \ vacuumlo -ifeq ($(with_openssl),yes) +ifeq ($(with_ssl),yes) SUBDIRS += sslinfo else ALWAYS_SUBDIRS += sslinfo diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out index 90db550b92..961cb56358 100644 --- a/contrib/postgres_fdw/expected/postgres_fdw.out +++ b/contrib/postgres_fdw/expected/postgres_fdw.out 
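Review bot: `AC_CHECK_HEADER(ssl.h, ...)` and `AC_CHECK_HEADER(nss.h, ...)` look for the NSS headers by bare name, but NSS and NSPR normally install them under versioned subdirectories (typically `nss3/` and `nspr4/`) that only reach the include path through `pkg-config --cflags nss`, so on a stock installation both checks fail unless the user hand-sets CPPFLAGS. Because `ssl.h` is a generic name, the bare probe can also be satisfied by an unrelated header that happens to be earlier in the search path, which would pass configure and fail the build. Deriving the flags from `PKG_CHECK_MODULES([NSS], [nss])` and applying `CPPFLAGS="$NSS_CFLAGS $CPPFLAGS"` before these checks makes the probes test the headers the compile will actually use.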
@@ -8898,7 +8898,7 @@ DO $d$ END; $d$; ERROR: invalid option "password" -HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size +HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, cert_database, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size CONTEXT: SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')" PL/pgSQL function inline_code_block line 3 at EXECUTE -- If we add a password for our user mapping instead, we should get a different diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c index 5ba3988e27..84bb2c65b8 100644 --- a/contrib/sslinfo/sslinfo.c +++ b/contrib/sslinfo/sslinfo.c @@ -9,9 +9,11 @@ #include "postgres.h" +#ifdef USE_OPENSSL #include #include #include +#endif #include "access/htup_details.h" #include "funcapi.h" @@ -21,8 +23,8 @@ PG_MODULE_MAGIC; +#ifdef USE_OPENSSL static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName); -static Datum X509_NAME_to_text(X509_NAME *name); static Datum ASN1_STRING_to_text(ASN1_STRING *str); /* 
@@ -32,6 +34,7 @@ typedef struct { TupleDesc tupdesc; } SSLExtensionInfoContext; +#endif /* * Indicates whether current session uses SSL @@ -54,9 +57,16 @@ PG_FUNCTION_INFO_V1(ssl_version); Datum ssl_version(PG_FUNCTION_ARGS) { - if (MyProcPort->ssl == NULL) + const char *version; + + if (!MyProcPort->ssl_in_use) + PG_RETURN_NULL(); + + version = be_tls_get_version(MyProcPort); + if (version == NULL) PG_RETURN_NULL(); - PG_RETURN_TEXT_P(cstring_to_text(SSL_get_version(MyProcPort->ssl))); + + PG_RETURN_TEXT_P(cstring_to_text(version)); } @@ -67,9 +77,16 @@ PG_FUNCTION_INFO_V1(ssl_cipher); Datum ssl_cipher(PG_FUNCTION_ARGS) { - if (MyProcPort->ssl == NULL) + const char *cipher; + + if (!MyProcPort->ssl_in_use) PG_RETURN_NULL(); - PG_RETURN_TEXT_P(cstring_to_text(SSL_get_cipher(MyProcPort->ssl))); + + cipher = be_tls_get_cipher(MyProcPort); + if (cipher == NULL) + PG_RETURN_NULL(); + + PG_RETURN_TEXT_P(cstring_to_text(cipher)); } @@ -83,7 +100,7 @@ PG_FUNCTION_INFO_V1(ssl_client_cert_present); Datum ssl_client_cert_present(PG_FUNCTION_ARGS) { - PG_RETURN_BOOL(MyProcPort->peer != NULL); + PG_RETURN_BOOL(MyProcPort->peer_cert_valid); } @@ -99,29 +116,26 @@ PG_FUNCTION_INFO_V1(ssl_client_serial); Datum ssl_client_serial(PG_FUNCTION_ARGS) { + char decimal[NAMEDATALEN]; Datum result; - Port *port = MyProcPort; - X509 *peer = port->peer; - ASN1_INTEGER *serial = NULL; - BIGNUM *b; - char *decimal; - if (!peer) + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN); + + if (!*decimal) PG_RETURN_NULL(); - serial = X509_get_serialNumber(peer); - b = ASN1_INTEGER_to_BN(serial, NULL); - decimal = BN_bn2dec(b); - BN_free(b); result = DirectFunctionCall3(numeric_in, CStringGetDatum(decimal), ObjectIdGetDatum(0), Int32GetDatum(-1)); - OPENSSL_free(decimal); return result; } +#ifdef USE_OPENSSL /* * Converts OpenSSL ASN1_STRING structure into text * 
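Review bot: `ssl_client_cert_present` now returns `MyProcPort->peer_cert_valid` unguarded, while every other accessor rewritten in this file first tests `MyProcPort->ssl_in_use` before consulting the peer certificate. The hunks do not show whether `peer_cert_valid` is guaranteed false on a non-SSL connection, so the answer currently depends on how each backend initialises the flag. `PG_RETURN_BOOL(MyProcPort->ssl_in_use && MyProcPort->peer_cert_valid);` keeps it consistent with its neighbours.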
@@ -228,7 +242,7 @@ ssl_client_dn_field(PG_FUNCTION_ARGS) text *fieldname = PG_GETARG_TEXT_PP(0); Datum result; - if (!(MyProcPort->peer)) + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) PG_RETURN_NULL(); result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname); 
@@ -273,76 +287,23 @@ ssl_issuer_field(PG_FUNCTION_ARGS) else return result; } +#endif /* USE_OPENSSL */ - -/* - * Equivalent of X509_NAME_oneline that respects encoding - * - * This function converts X509_NAME structure to the text variable - * converting all textual data into current database encoding. - * - * Parameter: X509_NAME *name X509_NAME structure to be converted - * - * Returns: text datum which contains string representation of - * X509_NAME - */ -static Datum -X509_NAME_to_text(X509_NAME *name) +#ifdef USE_NSS +PG_FUNCTION_INFO_V1(ssl_client_dn_field); +Datum +ssl_client_dn_field(PG_FUNCTION_ARGS) { - BIO *membuf = BIO_new(BIO_s_mem()); - int i, - nid, - count = X509_NAME_entry_count(name); - X509_NAME_ENTRY *e; - ASN1_STRING *v; - const char *field_name; - size_t size; - char nullterm; - char *sp; - char *dp; - text *result; - - if (membuf == NULL) - ereport(ERROR, - (errcode(ERRCODE_OUT_OF_MEMORY), - errmsg("could not create OpenSSL BIO structure"))); - - (void) BIO_set_close(membuf, BIO_CLOSE); - for (i = 0; i < count; i++) - { - e = X509_NAME_get_entry(name, i); - nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)); - if (nid == NID_undef) - ereport(ERROR, - (errcode(ERRCODE_INVALID_PARAMETER_VALUE), - errmsg("could not get NID for ASN1_OBJECT object"))); - v = X509_NAME_ENTRY_get_data(e); - field_name = OBJ_nid2sn(nid); - if (field_name == NULL) - field_name = OBJ_nid2ln(nid); - if (field_name == NULL) - ereport(ERROR, - (errcode(ERRCODE_INVALID_PARAMETER_VALUE), - errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid))); - BIO_printf(membuf, "/%s=", field_name); - ASN1_STRING_print_ex(membuf, v, - ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) - | ASN1_STRFLGS_UTF8_CONVERT)); - } - - /* ensure null termination of the BIO's content */ - nullterm = '\0'; - BIO_write(membuf, &nullterm, 1); - size = BIO_get_mem_data(membuf, &sp); - dp = pg_any_to_server(sp, size - 1, PG_UTF8); - result = cstring_to_text(dp); - if (dp != sp) - pfree(dp); - 
if (BIO_free(membuf) != 1) - elog(ERROR, "could not free OpenSSL BIO structure"); + PG_RETURN_NULL(); +} - PG_RETURN_TEXT_P(result); +PG_FUNCTION_INFO_V1(ssl_issuer_field); +Datum +ssl_issuer_field(PG_FUNCTION_ARGS) +{ + PG_RETURN_NULL(); } +#endif /* USE_NSS */ /* @@ -358,9 +319,17 @@ PG_FUNCTION_INFO_V1(ssl_client_dn); Datum ssl_client_dn(PG_FUNCTION_ARGS) { - if (!(MyProcPort->peer)) + char subject[NAMEDATALEN]; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_subject_name(MyProcPort, subject, NAMEDATALEN); + + if (!*subject) PG_RETURN_NULL(); - return X509_NAME_to_text(X509_get_subject_name(MyProcPort->peer)); + + PG_RETURN_TEXT_P(cstring_to_text(subject)); } @@ -377,12 +346,21 @@ PG_FUNCTION_INFO_V1(ssl_issuer_dn); Datum ssl_issuer_dn(PG_FUNCTION_ARGS) { - if (!(MyProcPort->peer)) + char issuer[NAMEDATALEN]; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + be_tls_get_peer_issuer_name(MyProcPort, issuer, NAMEDATALEN); + + if (!*issuer) PG_RETURN_NULL(); - return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer)); + + PG_RETURN_TEXT_P(cstring_to_text(issuer)); } +#ifdef USE_OPENSSL /* * Returns information about available SSL extensions. * @@ -516,3 +494,13 @@ ssl_extension_info(PG_FUNCTION_ARGS) /* All done */ SRF_RETURN_DONE(funcctx); } +#endif /* USE_OPENSSL */ + +#ifdef USE_NSS +PG_FUNCTION_INFO_V1(ssl_extension_info); +Datum +ssl_extension_info(PG_FUNCTION_ARGS) +{ + PG_RETURN_NULL(); +} +#endif /* USE_NSS */ diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml index c237d4ba95..d15a206d2d 100644 --- a/doc/src/sgml/sslinfo.sgml +++ b/doc/src/sgml/sslinfo.sgml @@ -22,7 +22,8 @@ This extension won't build at all unless the installation was - configured with --with-openssl. + configured with SSL support, such as --with-openssl + or --with-nss. 
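Review bot: The `USE_NSS` versions of `ssl_client_dn_field` and `ssl_issuer_field` silently return NULL, which SQL consumers cannot distinguish from "no client certificate" or "field absent" — a misleading answer for anything that feeds these values into an authorization decision — and the sslinfo.sgml hunk in this patch describes the functions as OpenSSL-only, so documentation and behaviour disagree. An explicit `ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("%s is not supported with NSS", "ssl_client_dn_field")));` tells the caller the truth. The same applies to the `USE_NSS` stub of `ssl_extension_info` in the last hunk of this file, with the extra problem that the OpenSSL implementation ends in `SRF_RETURN_DONE(funcctx)`, i.e. it is a set-returning function, and a bare `PG_RETURN_NULL()` from an SRF does not yield an empty set; if a stub must remain, it needs the `SRF_FIRSTCALL_INIT`/`SRF_RETURN_DONE` protocol or the error above.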
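Review bot: `char subject[NAMEDATALEN]` caps the distinguished name returned by `ssl_client_dn` at 63 bytes, whereas the removed `X509_NAME_to_text` built the full name in a memory BIO with no length limit; any longer subject is silently cut, so two client certificates sharing a 63-byte prefix become indistinguishable to SQL that compares this value, and `ssl_issuer_dn` in the next hunk inherits the same cap. NAMEDATALEN is the identifier length limit and has no relation to X.509 name sizes. The old path also passed the name through `pg_any_to_server(sp, size - 1, PG_UTF8)` so non-ASCII RDNs arrived in the database encoding, and neither the truncation nor the dropped conversion is mentioned in the doc hunk. The hunk does not show whether `be_tls_get_peer_subject_name` reports truncation; at minimum the caller should detect it, e.g. `if (strlen(subject) >= sizeof(subject) - 1) ereport(ERROR, (errcode(ERRCODE_NAME_TOO_LONG), errmsg("certificate subject name too long")));`, and better, have the backend hand back a palloc'd string so no fixed limit exists.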
@@ -54,7 +55,7 @@ Returns the name of the protocol used for the SSL connection (e.g. TLSv1.0 - TLSv1.1, or TLSv1.2). + TLSv1.1, TLSv1.2 or TLSv1.3). @@ -208,6 +209,9 @@ emailAddress the X.500 and X.509 standards, so you cannot just assign arbitrary meaning to them. + + This function is only available when using OpenSSL. + @@ -223,6 +227,9 @@ emailAddress Same as ssl_client_dn_field, but for the certificate issuer rather than the certificate subject. + + This function is only available when using OpenSSL. + @@ -238,6 +245,9 @@ emailAddress Provide information about extensions of client certificate: extension name, extension value, and if it is a critical extension. + + This function is only available when using OpenSSL. + diff --git a/src/Makefile.global.in b/src/Makefile.global.in index 9a6265b3a0..2f25c51c6c 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -184,6 +184,7 @@ with_perl = @with_perl@ with_python = @with_python@ with_tcl = @with_tcl@ with_openssl = @with_openssl@ +with_nss = @with_nss@ with_readline = @with_readline@ with_selinux = @with_selinux@ with_systemd = @with_systemd@ @@ -232,6 +233,15 @@ CLANG = @CLANG@ BITCODE_CFLAGS = @BITCODE_CFLAGS@ BITCODE_CXXFLAGS = @BITCODE_CXXFLAGS@ +ifeq ($(with_openssl),yes) +with_ssl = yes +else ifeq ($(with_nss),yes) +with_ssl = yes +else +with_ssl = no +endif + + ########################################################################## # # Programs and flags diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile index efc5ef760a..191266a426 100644 --- a/src/backend/libpq/Makefile +++ b/src/backend/libpq/Makefile @@ -30,6 +30,10 @@ OBJS = \ ifeq ($(with_openssl),yes) OBJS += be-secure-openssl.o +else +ifeq ($(with_nss),yes) +OBJS += be-secure-nss.o +endif endif ifeq ($(with_gssapi),yes) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 02b6c3f127..8f4197d002 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c 
@@ -2870,7 +2870,14 @@ CheckCertAuth(Port *port) { int status_check_usermap = STATUS_ERROR; +#if defined(USE_OPENSSL) Assert(port->ssl); +#elif defined(USE_NSS) + /* TODO: should we rename pr_fd to ssl, to keep consistency? */ + Assert(port->pr_fd); +#else + Assert(false); +#endif /* Make sure we have received a username in the certificate */ if (port->peer_cn == NULL || diff --git a/src/backend/libpq/be-secure-nss.c b/src/backend/libpq/be-secure-nss.c new file mode 100644 index 0000000000..00ae054920 --- /dev/null +++ b/src/backend/libpq/be-secure-nss.c 
@@ -0,0 +1,1032 @@ +/*------------------------------------------------------------------------- + * + * be-secure-nss.c + * functions for supporting NSS as a TLS backend + * + * + * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group + * Portions Copyright (c) 1994, Regents of the University of California + * + * IDENTIFICATION + * src/backend/libpq/be-secure-nss.c + * + *------------------------------------------------------------------------- + */ + +#include "postgres.h" + +#include + +/* + * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef + * our version to avoid compiler warnings on redefinition. + */ +#define pg_BITS_PER_BYTE BITS_PER_BYTE +#undef BITS_PER_BYTE + +/* + * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with + * colliding definitions from ours, causing a much expected compiler error. + * The definitions are however not actually used in NSPR at all, and are only + * intended for what seems to be backwards compatibility for apps written + * against old versions of NSPR. The following comment is in the referenced + * file, and was added in 1998: + * + * This section typedefs the old 'native' types to the new PRs. + * These definitions are scheduled to be eliminated at the earliest + * possible time. The NSPR API is implemented and documented using + * the new definitions. + * + * As there is no opt-out from pulling in these typedefs, we define the guard + * for the file to exclude it. This is incredibly ugly, but seems to be about + * the only way around it. + */ +#define PROTYPES_H +#include +#undef PROTYPES_H +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct +{ + enum + { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* + * Ensure that the colliding definitions match, else throw an error. 
In case + * NSPR has removed the definition for some reasone, make sure to put ours + * back again. + */ +#if defined(BITS_PER_BYTE) +#if BITS_PER_BYTE != pg_BITS_PER_BYTE +#error "incompatible byte widths between NSPR and postgres" +#endif +#else +#define BITS_PER_BYTE pg_BITS_PER_BYTE +#endif +#undef pg_BITS_PER_BYTE + +#include "common/pg_nss.h" +#include "lib/stringinfo.h" +#include "libpq/libpq.h" +#include "nodes/pg_list.h" +#include "miscadmin.h" +#include "storage/fd.h" +#include "utils/guc.h" +#include "utils/memutils.h" + +static PRDescIdentity pr_id; + +static PRIOMethods pr_iomethods; +static NSSInitContext * nss_context = NULL; +static SSLVersionRange desired_sslver; + +/* + * PR_ImportTCPSocket() is a private API, but very widely used, as it's the + * only way to make NSS use an already set up POSIX file descriptor rather + * than opening one itself. To quote the NSS documentation: + * + * "In theory, code that uses PR_ImportTCPSocket may break when NSPR's + * implementation changes. In practice, this is unlikely to happen because + * NSPR's implementation has been stable for years and because of NSPR's + * strong commitment to backward compatibility." + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket + * + * The function is declared in , but as it is a header marked + * private we declare it here rather than including it. 
+ */ +NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int); + +/* NSS IO layer callback overrides */ +static PRInt32 pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount, + PRIntn flags, PRIntervalTime timeout); +static PRInt32 pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount, + PRIntn flags, PRIntervalTime timeout); +/* Utility functions */ +static PRFileDesc * init_iolayer(Port *port, int loglevel); +static uint16 ssl_protocol_version_to_nss(int v, const char *guc_name); + +static char *pg_SSLerrmessage(PRErrorCode errcode); +static char *ssl_protocol_version_to_string(int v); +static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd, + PRBool checksig, PRBool isServer); +static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd); + +/* ------------------------------------------------------------ */ +/* Public interface */ +/* ------------------------------------------------------------ */ + +static char * +ssl_passphrase_callback(PK11SlotInfo * slot, PRBool retry, void *arg) +{ + return pstrdup(""); +} + +/* + * be_tls_init + * Initialize the nss TLS library in the postmaster + * + * The majority of the setup needs to happen in be_tls_open_server since the + * NSPR initialization must happen after the forking of the backend. We could + * potentially move some parts in under !isServerStart, but so far this is the + * separation chosen. + */ +int +be_tls_init(bool isServerStart) +{ + SECStatus status; + SSLVersionRange supported_sslver; + + /* + * Set up the connection cache for multi-processing application behavior. + * If we are in ServerStart then we initialize the cache. If the server is + * already started, we inherit the cache such that it can be used for + * connections. Calling SSL_ConfigMPServerSIDCache sets an environment + * variable which contains enough information for the forked child to know + * how to access it. 
Passing NULL to SSL_InheritMPServerSIDCache will + * make the forked child look it up by the default name SSL_INHERITANCE, + * if env vars aren't inherited then the contents of the variable can be + * passed instead. + */ + if (isServerStart) + { + /* + * SSLv2 and SSLv3 are disabled in this TLS backend, but when setting + * up the required session cache for NSS we still must supply timeout + * values for v2 and The minimum allowed value for both is 5 seconds, + * so opt for that in both cases (the defaults being 100 seconds and + * 24 hours). + * + * Passing NULL as the directory for the session cache will default to + * using /tmp on UNIX and \\temp on Windows. Deciding if we want to + * keep closer control on this directory is left as a TODO. + */ + status = SSL_ConfigMPServerSIDCache(MaxConnections, 5, 5, NULL); + if (status != SECSuccess) + ereport(FATAL, + (errmsg("unable to set up TLS connection cache: %s", + pg_SSLerrmessage(PR_GetError())))); + + } + else + { + status = SSL_InheritMPServerSIDCache(NULL); + if (status != SECSuccess) + { + ereport(LOG, + (errmsg("unable to connect to TLS connection cache: %s", + pg_SSLerrmessage(PR_GetError())))); + return -1; + } + } + + if (!ssl_database || strlen(ssl_database) == 0) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("no certificate database specified"))); + goto error; + } + + /* + * We check for the desired TLS version range here, even though we cannot + * set it until be_open_server such that we can be compatible with how the + * OpenSSL backend reports errors for incompatible range configurations. + * Set either the default supported TLS version range, or the configured + * range from ssl_min_protocol_version and ssl_max_protocol version. In + * case the user hasn't defined the maximum allowed version we fall back + * to the highest version TLS that the library supports. + */ + if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_sslver) != SECSuccess) + { + ereport(isServerStart ? 
FATAL : LOG, + (errmsg("unable to get default protocol support from NSS"))); + goto error; + } + + /* + * Set the fallback versions for the TLS protocol version range to a + * combination of our minimal requirement and the library maximum. + */ + desired_sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; + desired_sslver.max = supported_sslver.max; + + if (ssl_min_protocol_version) + { + int ver = ssl_protocol_version_to_nss(ssl_min_protocol_version, + "ssl_min_protocol_version"); + + if (ver == -1) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("\"%s\" setting \"%s\" not supported by this build", + "ssl_min_protocol_version", + GetConfigOption("ssl_min_protocol_version", + false, false)))); + goto error; + } + + if (ver > 0) + desired_sslver.min = ver; + } + + if (ssl_max_protocol_version) + { + int ver = ssl_protocol_version_to_nss(ssl_max_protocol_version, + "ssl_max_protocol_version"); + + if (ver == -1) + { + ereport(isServerStart ? FATAL : LOG, + (errmsg("\"%s\" setting \"%s\" not supported by this build", + "ssl_max_protocol_version", + GetConfigOption("ssl_max_protocol_version", + false, false)))); + goto error; + } + if (ver > 0) + desired_sslver.max = ver; + + if (ver < desired_sslver.min) + { + ereport(isServerStart ? 
FATAL : LOG, + (errmsg("could not set SSL protocol version range"), + errdetail("\"%s\" cannot be higher than \"%s\"", + "ssl_min_protocol_version", + "ssl_max_protocol_version"))); + goto error; + } + } + + return 0; +error: + return -1; +} + +int +be_tls_open_server(Port *port) +{ + SECStatus status; + PRFileDesc *model; + PRFileDesc *pr_fd; + PRFileDesc *layer; + CERTCertificate *server_cert; + SECKEYPrivateKey *private_key; + CERTSignedCrl *crl; + SECItem crlname; + secuPWData pwdata = {PW_NONE, 0}; /* TODO: This is a bogus callback */ + char *cert_database; + NSSInitParameters params; + + /* + * The NSPR documentation states that runtime initialization via PR_Init + * is no longer required, as the first caller into NSPR will perform the + * initialization implicitly. The documentation doesn't however clarify + * from which version this is holds true, so let's perform the potentially + * superfluous initialization anyways to avoid crashing on older versions + * of NSPR, as there is no difference in overhead. The NSS documentation + * still states that PR_Init must be called in some way (implicitly or + * explicitly). + * + * The below parameters are what the implicit initialization would've done + * for us, and should work even for older versions where it might not be + * done automatically. The last parameter, maxPTDs, is set to various + * values in other codebases, but has been unused since NSPR 2.1 which was + * released sometime in 1998. + */ + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0 /* maxPTDs */ ); + + /* + * The certificate path (configdir) must contain a valid NSS database. If + * the certificate path isn't a valid directory, NSS will fall back on the + * system certificate database. If the certificate path is a directory but + * is empty then the initialization will fail. On the client side this can + * be allowed for any sslmode but the verify-xxx ones. 
+ * https://bugzilla.redhat.com/show_bug.cgi?id=728562 For the server side + * we wont allow this to fail however, as we require the certificate and + * key to exist. + * + * The original design of NSS was for a single application to use a single + * copy of it, initialized with NSS_Initialize() which isn't returning any + * handle with which to refer to NSS. NSS initialization and shutdown are + * global for the application, so a shutdown in another NSS enabled + * library would cause NSS to be stopped for libpq as well. The fix has + * been to introduce NSS_InitContext which returns a context handle to + * pass to NSS_ShutdownContext. NSS_InitContext was introduced in NSS + * 3.12, but the use of it is not very well documented. + * https://bugzilla.redhat.com/show_bug.cgi?id=738456 + * + * The InitParameters struct passed can be used to override internal + * values in NSS, but the usage is not documented at all. When using + * NSS_Init initializations, the values are instead set via PK11_Configure + * calls so the PK11_Configure documentation can be used to glean some + * details on these. + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs + */ + memset(¶ms, '\0', sizeof(params)); + params.length = sizeof(params); + + if (!ssl_database || strlen(ssl_database) == 0) + ereport(FATAL, + (errmsg("no certificate database specified"))); + + cert_database = psprintf("sql:%s", ssl_database); + nss_context = NSS_InitContext(cert_database, "", "", "", + ¶ms, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + pfree(cert_database); + + if (!nss_context) + ereport(FATAL, + (errmsg("unable to read certificate database \"%s\": %s", + ssl_database, pg_SSLerrmessage(PR_GetError())))); + + /* + * Set the passphrase callback which will be used both to obtain the + * passphrase from the user, as well as by NSS to obtain the phrase + * repeatedly. 
+ * + * TODO: Figure this out - do note that we are setting another password + * callback below for cert/key as well. Need to make sense of all these. + */ + PK11_SetPasswordFunc(ssl_passphrase_callback); + + /* + * Import the already opened socket as we don't want to use NSPR functions + * for opening the network socket due to how the PostgreSQL protocol works + * with TLS connections. This function is not part of the NSPR public API, + * see the comment at the top of the file for the rationale of still using + * it. + */ + pr_fd = PR_ImportTCPSocket(port->sock); + if (!pr_fd) + ereport(ERROR, + (errmsg("unable to connect to socket"))); + + /* + * Most of the documentation available, and implementations of, NSS/NSPR + * use the PR_NewTCPSocket() function here, which has the drawback that it + * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which + * copes with IPv6 as well. + */ + model = PR_OpenTCPSocket(port->laddr.addr.ss_family); + if (!model) + ereport(ERROR, + (errmsg("unable to open socket"))); + + /* + * Convert the NSPR socket to an SSL socket. Ensuring the success of this + * operation is critical as NSS SSL_* functions may return SECSuccess on + * the socket even though SSL hasn't been enabled, which introduce a risk + * of silent downgrades. + */ + model = SSL_ImportFD(NULL, model); + if (!model) + ereport(ERROR, + (errmsg("unable to enable TLS on socket"))); + + /* + * Configure basic settings for the connection over the SSL socket in + * order to set it up as a server. 
+ */ + if (SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure TLS connection"))); + + if (SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_TRUE) != SECSuccess || + SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_FALSE) != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure TLS connection as server"))); + + /* + * SSLv2 is disabled by default, and SSLv3 will be excluded from the range + * of allowed protocols further down. Since we really don't want these to + * ever be enabled, let's use belts and suspenders and explicitly turn + * them off as well. + */ + SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE); + SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE); + +#ifdef SSL_CBC_RANDOM_IV + + /* + * Enable protection against the BEAST attack in case the NSS server has + * support for that. While SSLv3 is disabled, we may still allow TLSv1 + * which is affected. The option isn't documented as an SSL option, but as + * an NSS environment variable. + */ + SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE); +#endif + + /* + * Configure the allowed cipher. If there are no user preferred suites, + * set the domestic policy. TODO: while this code works, the set of + * ciphers which can be set and still end up with a working socket is + * woefully underdocumented for anything more recent than SSLv3 (the code + * for TLS actually calls ssl3 functions under the hood for + * SSL_CipherPrefSet), so it's unclear if this is helpful or not. Using + * the policies works, but may be too coarsely grained. + * + * Another TODO: The SSL_ImplementedCiphers table returned with calling + * SSL_GetImplementedCiphers is sorted in server preference order. Sorting + * SSLCipherSuites according to the order of the ciphers therein could be + * a way to implement ssl_prefer_server_ciphers - if we at all want to use + * cipher selection for NSS like how we do it for OpenSSL that is. 
+ */ + + /* + * If no ciphers are specified, we use the domestic policy + */ + if (!SSLCipherSuites || strlen(SSLCipherSuites) == 0) + { + status = NSS_SetDomesticPolicy(); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to set cipher policy: %s", + pg_SSLerrmessage(PR_GetError())))); + } + else + { + char *ciphers, + *c; + + char *sep = ":;, "; + PRUint16 ciphercode; + const PRUint16 *nss_ciphers; + + /* + * If the user has specified a set of preferred cipher suites we start + * by turning off all the existing suites to avoid the risk of down- + * grades to a weaker cipher than expected. + */ + nss_ciphers = SSL_GetImplementedCiphers(); + for (int i = 0; i < SSL_GetNumImplementedCiphers(); i++) + SSL_CipherPrefSet(model, nss_ciphers[i], PR_FALSE); + + ciphers = pstrdup(SSLCipherSuites); + + for (c = strtok(ciphers, sep); c; c = strtok(NULL, sep)) + { + ciphercode = pg_find_cipher(c); + if (ciphercode != INVALID_CIPHER) + { + status = SSL_CipherPrefSet(model, ciphercode, PR_TRUE); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("invalid cipher-suite specified: %s", c))); + } + } + + pfree(ciphers); + } + + if (SSL_VersionRangeSet(model, &desired_sslver) != SECSuccess) + ereport(ERROR, + (errmsg("unable to set requested SSL protocol version range"))); + + /* + * Set up the custom IO layer. 
+ */ + layer = init_iolayer(port, ERROR); + if (!layer) + goto error; + + /* Store the Port as private data available in callbacks */ + layer->secret = (void *) port; + + if (PR_PushIOLayer(pr_fd, PR_TOP_IO_LAYER, layer) != PR_SUCCESS) + { + PR_Close(layer); + ereport(ERROR, + (errmsg("unable to push IO layer"))); + } + + /* TODO: set the postgres password callback param as callback function */ + server_cert = PK11_FindCertFromNickname(ssl_cert_file, &pwdata /* password callback */ ); + if (!server_cert) + ereport(ERROR, + (errmsg("unable to find certificate for \"%s\": %s", + ssl_cert_file, pg_SSLerrmessage(PR_GetError())))); + + /* TODO: set the postgres password callback param as callback function */ + private_key = PK11_FindKeyByAnyCert(server_cert, &pwdata /* password callback */ ); + if (!private_key) + ereport(ERROR, + (errmsg("unable to find private key for \"%s\": %s", + ssl_cert_file, pg_SSLerrmessage(PR_GetError())))); + + /* + * NSS doesn't use CRL files on disk, so we use the ssl_crl_file guc to + * contain the CRL nickname for the current server certificate in the NSS + * certificate database. The main difference from the OpenSSL backend is + * that NSS will use the CRL regardless, but being able to make sure the + * CRL is loaded seems like a good feature. + */ + if (ssl_crl_file[0]) + { + SECITEM_CopyItem(NULL, &crlname, &server_cert->derSubject); + crl = SEC_FindCrlByName(CERT_GetDefaultCertDB(), &crlname, SEC_CRL_TYPE); + if (!crl) + ereport(ERROR, + (errmsg("specified CRL not found in database"))); + SEC_DestroyCrl(crl); + } + + /* + * Finally we must configure the socket for being a server by setting the + * certificate and key. 
+ */ + status = SSL_ConfigSecureServer(model, server_cert, private_key, kt_rsa); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure secure server: %s", + pg_SSLerrmessage(PR_GetError())))); + status = SSL_ConfigServerCert(model, server_cert, private_key, NULL, 0); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to configure server for TLS server connections: %s", + pg_SSLerrmessage(PR_GetError())))); + + ssl_loaded_verify_locations = true; + + /* + * At this point, we no longer have use for the certificate and private + * key as they have been copied into the context by NSS. Destroy our + * copies explicitly to clean out the memory as best we can. + */ + CERT_DestroyCertificate(server_cert); + SECKEY_DestroyPrivateKey(private_key); + + status = SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) port); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to install authcert hook: %s", + pg_SSLerrmessage(PR_GetError())))); + SSL_BadCertHook(model, pg_bad_cert_handler, (void *) port); + SSL_OptionSet(model, SSL_REQUEST_CERTIFICATE, PR_TRUE); + SSL_OptionSet(model, SSL_REQUIRE_CERTIFICATE, PR_FALSE); + + port->pr_fd = SSL_ImportFD(model, pr_fd); + if (!port->pr_fd) + ereport(ERROR, + (errmsg("unable to initialize"))); + + PR_Close(model); + + /* + * Force a handshake on the next I/O request, the second parameter means + * that we are a server, PR_FALSE would indicate being a client. NSPR + * requires us to call SSL_ResetHandshake since we imported an already + * established socket. 
+ */ + status = SSL_ResetHandshake(port->pr_fd, PR_TRUE); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to initiate handshake: %s", + pg_SSLerrmessage(PR_GetError())))); + status = SSL_ForceHandshake(port->pr_fd); + if (status != SECSuccess) + ereport(ERROR, + (errmsg("unable to handshake: %s", + pg_SSLerrmessage(PR_GetError())))); + + port->ssl_in_use = true; + return 0; + +error: + return 1; +} + +ssize_t +be_tls_read(Port *port, void *ptr, size_t len, int *waitfor) +{ + ssize_t n_read; + PRErrorCode err; + + n_read = PR_Read(port->pr_fd, ptr, len); + + if (n_read < 0) + { + err = PR_GetError(); + + /* XXX: This logic seems potentially bogus? */ + if (err == PR_WOULD_BLOCK_ERROR) + *waitfor = WL_SOCKET_READABLE; + else + *waitfor = WL_SOCKET_WRITEABLE; + } + + return n_read; +} + +ssize_t +be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) +{ + ssize_t n_write; + PRErrorCode err; + + n_write = PR_Send(port->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT); + + if (n_write < 0) + { + err = PR_GetError(); + + if (err == PR_WOULD_BLOCK_ERROR) + *waitfor = WL_SOCKET_WRITEABLE; + else + *waitfor = WL_SOCKET_READABLE; + } + + return n_write; +} + +void +be_tls_close(Port *port) +{ + if (!port) + return; + + if (port->peer_cn) + { + SSL_InvalidateSession(port->pr_fd); + pfree(port->peer_cn); + port->peer_cn = NULL; + } + + PR_Close(port->pr_fd); + port->pr_fd = NULL; + port->ssl_in_use = false; + + if (nss_context) + { + NSS_ShutdownContext(nss_context); + nss_context = NULL; + } +} + +void +be_tls_destroy(void) +{ + /* + * It reads a bit odd to clear a session cache when we are destroying the + * context altogether, but if the session cache isn't cleared before + * shutting down the context it will fail with SEC_ERROR_BUSY. 
+ */ + SSL_ClearSessionCache(); +} + +int +be_tls_get_cipher_bits(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + goto error; + + status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)); + if (status != SECSuccess) + goto error; + + return suite.effectiveKeyBits; + +error: + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + return 0; +} + +/* + * be_tls_get_compression + * + * NSS disabled support for TLS compression in version 3.33 and removed the + * code in a subsequent release. The API for retrieving information about + * compression as well as enabling it is kept for backwards compatibility, but + * we don't need to consult it since it was only available for SSLv3 which we + * don't support. + * + * https://bugzilla.mozilla.org/show_bug.cgi?id=1409587 + */ +bool +be_tls_get_compression(Port *port) +{ + return false; +} + +const char * +be_tls_get_version(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + { + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + return NULL; + } + + return ssl_protocol_version_to_string(channel.protocolVersion); +} + +const char * +be_tls_get_cipher(Port *port) +{ + SECStatus status; + SSLChannelInfo channel; + SSLCipherSuiteInfo suite; + + status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel)); + if (status != SECSuccess) + goto error; + + status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)); + if (status != SECSuccess) + goto error; + + return suite.cipherSuiteName; + +error: + ereport(WARNING, + (errmsg("unable to extract TLS session information: %s", + pg_SSLerrmessage(PR_GetError())))); + 
return NULL; +} + +void +be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + strlcpy(ptr, CERT_NameToAscii(&certificate->subject), len); + else + ptr[0] = '\0'; +} + +void +be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + strlcpy(ptr, CERT_NameToAscii(&certificate->issuer), len); + else + ptr[0] = '\0'; +} + +void +be_tls_get_peer_serial(Port *port, char *ptr, size_t len) +{ + CERTCertificate *certificate; + + certificate = SSL_PeerCertificate(port->pr_fd); + if (certificate) + snprintf(ptr, len, "%li", DER_GetInteger(&(certificate->serialNumber))); + else + ptr[0] = '\0'; +} + +static SECStatus +pg_bad_cert_handler(void *arg, PRFileDesc * fd) +{ + Port *port = (Port *) arg; + + port->peer_cert_valid = false; + return SECFailure; +} + +static SECStatus +pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer) +{ + SECStatus status; + Port *port = (Port *) arg; + CERTCertificate *cert; + char *peer_cn; + int len; + + status = SSL_AuthCertificate(CERT_GetDefaultCertDB(), port->pr_fd, checksig, PR_TRUE); + if (status == SECSuccess) + { + cert = SSL_PeerCertificate(port->pr_fd); + len = strlen(cert->subjectName); + peer_cn = MemoryContextAllocZero(TopMemoryContext, len + 1); + if (strncmp(cert->subjectName, "CN=", 3) == 0) + strlcpy(peer_cn, cert->subjectName + strlen("CN="), len + 1); + else + strlcpy(peer_cn, cert->subjectName, len + 1); + CERT_DestroyCertificate(cert); + + port->peer_cn = peer_cn; + port->peer_cert_valid = true; + } + + return status; +} + +/* ------------------------------------------------------------ */ +/* Internal functions */ +/* ------------------------------------------------------------ */ + +static PRInt32 +pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount, PRIntn flags, 
+ PRIntervalTime timeout) +{ + PRRecvFN read_fn; + PRInt32 n_read; + + read_fn = fd->lower->methods->recv; + n_read = read_fn(fd->lower, buf, amount, flags, timeout); + + return n_read; +} + +static PRInt32 +pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount, PRIntn flags, + PRIntervalTime timeout) +{ + PRSendFN send_fn; + PRInt32 n_write; + + send_fn = fd->lower->methods->send; + n_write = send_fn(fd->lower, buf, amount, flags, timeout); + + return n_write; +} + +static PRFileDesc * +init_iolayer(Port *port, int loglevel) +{ + const PRIOMethods *default_methods; + PRFileDesc *layer; + + /* + * Start by initializing our layer with all the default methods so that we + * can selectively override the ones we want while still ensuring that we + * have a complete layer specification. + */ + default_methods = PR_GetDefaultIOMethods(); + memcpy(&pr_iomethods, default_methods, sizeof(PRIOMethods)); + + pr_iomethods.recv = pg_ssl_read; + pr_iomethods.send = pg_ssl_write; + + /* + * Each IO layer must be identified by a unique name, where uniqueness is + * per connection. Each connection in a postgres cluster can generate the + * identity from the same string as they will create their IO layers on + * different sockets. Only one layer per socket can have the same name. + */ + pr_id = PR_GetUniqueIdentity("PostgreSQL"); + if (pr_id == PR_INVALID_IO_LAYER) + { + ereport(loglevel, + (errmsg("out of memory when setting up TLS connection"))); + return NULL; + } + + /* + * Create the actual IO layer as a stub such that it can be pushed onto + * the layer stack. The step via a stub is required as we define custom + * callbacks. 
+ */ + layer = PR_CreateIOLayerStub(pr_id, &pr_iomethods); + if (!layer) + { + ereport(loglevel, + (errmsg("unable to create NSS I/O layer"))); + return NULL; + } + + return layer; +} + +static char * +ssl_protocol_version_to_string(int v) +{ + switch (v) + { + /* SSL v2 and v3 are not supported */ + case SSL_LIBRARY_VERSION_2: + case SSL_LIBRARY_VERSION_3_0: + Assert(false); + break; + + case SSL_LIBRARY_VERSION_TLS_1_0: + return pstrdup("TLSv1.0"); + case SSL_LIBRARY_VERSION_TLS_1_1: + return pstrdup("TLSv1.1"); + case SSL_LIBRARY_VERSION_TLS_1_2: + return pstrdup("TLSv1.2"); + case SSL_LIBRARY_VERSION_TLS_1_3: + return pstrdup("TLSv1.3"); + } + + return pstrdup("unknown"); +} + + +/* + * ssl_protocol_version_to_nss + * Translate PostgreSQL TLS version to NSS version + * + * Returns zero in case the requested TLS version is undefined (PG_ANY) and + * should be set by the caller, or -1 on failure. + */ +static uint16 +ssl_protocol_version_to_nss(int v, const char *guc_name) +{ + switch (v) + { + /* + * There is no SSL_LIBRARY_ macro defined in NSS with the value + * zero, so we use this to signal the caller that the highest + * useful version should be set on the connection. + */ + case PG_TLS_ANY: + return 0; + + /* + * No guard is required here as there are no versions of NSS + * without support for TLS1. 
+ */ + case PG_TLS1_VERSION: + return SSL_LIBRARY_VERSION_TLS_1_0; + case PG_TLS1_1_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_1 + return SSL_LIBRARY_VERSION_TLS_1_1; +#else + break; +#endif + case PG_TLS1_2_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_2 + return SSL_LIBRARY_VERSION_TLS_1_2; +#else + break; +#endif + case PG_TLS1_3_VERSION: +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + return SSL_LIBRARY_VERSION_TLS_1_3; +#else + break; +#endif + default: + break; + } + + return -1; +} + +/* + * pg_SSLerrmessage + * Create and return a human readable error message given + * the specified error code + * + * PR_ErrorToName only converts the enum identifier of the error to string, + * but that can be quite useful for debugging (and in case PR_ErrorToString is + * unable to render a message then we at least have something). + */ +static char * +pg_SSLerrmessage(PRErrorCode errcode) +{ + char error[128]; + int ret; + + /* TODO: this should perhaps use a StringInfo instead.. */ + ret = pg_snprintf(error, sizeof(error), "%s (%s)", + PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT), + PR_ErrorToName(errcode)); + if (ret) + return pstrdup(error); + + return pstrdup(_("unknown TLS error")); +} diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 8b21ff4065..5962cffc0c 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c 
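Review bot: In pg_cert_auth_handler the identity passed on to certificate authentication is built by stripping a leading "CN=" from `cert->subjectName`, which is the full printable DN, so a subject of CN=alice,O=Example yields a peer_cn of "alice,O=Example" and O=Example,CN=alice yields the entire DN; the OpenSSL backend extracts only the commonName attribute and this must do the same, e.g. `peer_cn = CERT_GetCommonName(&cert->subject);` (copied into TopMemoryContext as now), with a NULL check on the `SSL_PeerCertificate` result before it is dereferenced. Separately, ssl_protocol_version_to_nss is declared `static uint16` but signals failure with `return -1;`, and be_tls_init stores the result in an `int ver` and tests `ver == -1`, which can never match because the value arrives as 65535, so an unsupported ssl_min_protocol_version or ssl_max_protocol_version becomes a bogus version range instead of the intended FATAL; declaring the function `static int` fixes both call sites. The ssl_crl_file block never uses the GUC's value beyond testing that it is non-empty and looks the CRL up by `server_cert->derSubject`, although a CRL covering the server certificate is named by its issuer, so `derIssuer` appears to be what was intended, and the SECItem copied into crlname is never released with SECITEM_FreeItem. be_tls_get_peer_serial also formats the serial through DER_GetInteger into a `long`, which silently truncates the 20-byte serials real CAs issue; the OpenSSL backend prints the full value and this one should too.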
@@ -1298,15 +1298,28 @@ X509_NAME_to_cstring(X509_NAME *name) char *dp; char *result; + if (membuf == NULL) + ereport(ERROR, + (errcode(ERRCODE_OUT_OF_MEMORY), + errmsg("failed to create BIO"))); + (void) BIO_set_close(membuf, BIO_CLOSE); for (i = 0; i < count; i++) { e = X509_NAME_get_entry(name, i); nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)); + if (nid == NID_undef) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("could not get NID for ASN1_OBJECT object"))); v = X509_NAME_ENTRY_get_data(e); field_name = OBJ_nid2sn(nid); if (!field_name) field_name = OBJ_nid2ln(nid); + if (field_name == NULL) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid))); BIO_printf(membuf, "/%s=", field_name); ASN1_STRING_print_ex(membuf, v, ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) @@ -1322,7 +1335,8 @@ X509_NAME_to_cstring(X509_NAME *name) result = pstrdup(dp); if (dp != sp) pfree(dp); - BIO_free(membuf); + if (BIO_free(membuf) != 1) + elog(ERROR, "could not free OpenSSL BIO structure"); return result; } diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 2ae507a902..f39977b80c 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -49,6 +49,9 @@ bool ssl_passphrase_command_supports_reload; #ifdef USE_SSL bool ssl_loaded_verify_locations = false; #endif +#ifdef USE_NSS +char *ssl_database; +#endif /* GUC variable controlling SSL cipher list */ char *SSLCipherSuites = NULL; diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index de87ad6ef7..33c3eebf48 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -4262,7 +4262,11 @@ static struct config_string ConfigureNamesString[] = }, &ssl_library, #ifdef USE_SSL +#if defined(USE_OPENSSL) "OpenSSL", +#elif defined(USE_NSS) + "NSS", +#endif #else "", #endif 
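Review bot: The two `ereport(ERROR, ...)` calls added inside the loop in X509_NAME_to_cstring fire after membuf has been created, and since ereport(ERROR) longjmps out of the function the BIO is never freed on those paths; either free it first, `BIO_free(membuf); ereport(ERROR, ...)`, or record the failure and break out of the loop so the existing BIO_free at the bottom runs before the error is raised. The `nid == NID_undef` check also changes behaviour for a peer certificate whose DN contains an attribute type OpenSSL has no NID for: as far as I recall OBJ_nid2sn(NID_undef) returns "UNDEF", so such an entry used to be rendered as /UNDEF=value, whereas now the whole subject lookup fails with an ERROR, which is worth an explicit comment if it is intended. The message on the second new check, "could not convert NID %d to an ASN1_OBJECT structure", describes the wrong operation; the calls that failed are OBJ_nid2sn/OBJ_nid2ln, so `errmsg("could not find a name for NID %d", nid)` matches what happened.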
@@ -4320,6 +4324,18 @@ static struct config_string ConfigureNamesString[] = check_canonical_path, assign_pgstat_temp_directory, NULL }, +#ifdef USE_NSS + { + {"ssl_database", PGC_SIGHUP, CONN_AUTH_SSL, + gettext_noop("Location of the NSS certificate database."), + NULL + }, + &ssl_database, + "", + NULL, NULL, NULL + }, +#endif + { {"synchronous_standby_names", PGC_SIGHUP, REPLICATION_PRIMARY, gettext_noop("Number of synchronous standbys and list of names of potential synchronous ones."), @@ -4348,8 +4364,10 @@ static struct config_string ConfigureNamesString[] = GUC_SUPERUSER_ONLY }, &SSLCipherSuites, -#ifdef USE_OPENSSL +#if defined(USE_OPENSSL) "HIGH:MEDIUM:+3DES:!aNULL", +#elif defined (USE_NSS) + "", #else "none", #endif diff --git a/src/include/common/pg_nss.h b/src/include/common/pg_nss.h new file mode 100644 index 0000000000..74298c8bb1 --- /dev/null +++ b/src/include/common/pg_nss.h 
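Review bot: `ssl_database` names a filesystem location but is registered with `NULL, NULL, NULL` hooks, whereas the entry just above it in the same hunk (the one whose assign hook is `assign_pgstat_temp_directory`) runs `check_canonical_path`; the NSS database path would benefit from the same normalisation so trailing slashes and odd relative forms are canonicalised before being handed to NSS, i.e. `&ssl_database, "", check_canonical_path, NULL, NULL`. The description should also say how the value is interpreted (a directory, and whether the backend prepends the `sql:` scheme itself), since the GUC text currently gives an operator no hint about the expected format. Both GUC array entries continue outside the hunk.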
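Review bot: The NSS default for `ssl_ciphers` becomes the empty string, which gives an administrator no way to see what suite set is actually in force, unlike the explicit OpenSSL default `HIGH:MEDIUM:+3DES:!aNULL` beside it that visibly excludes anonymous suites. Whether an empty value means "leave the library's policy-selected suites enabled" or "enable nothing" is not shown in this hunk; either way a comment on the `""` line stating the semantics (for instance `/* empty: keep the suites NSS's policy enables by default */` if that is the case), or an explicit conservative list, would make the baseline auditable. Minor style point: `#elif defined (USE_NSS)` has a space before the parenthesis that the `#if defined(USE_OPENSSL)` line above does not.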
@@ -0,0 +1,141 @@ +/*------------------------------------------------------------------------- + * + * pg_nss.h + * Support for NSS as a TLS backend + * + * These definitions are used by both frontend and backend code. + * + * Copyright (c) 2020, PostgreSQL Global Development Group + * + * IDENTIFICATION + * src/include/common/pg_nss.h + * + *------------------------------------------------------------------------- + */ +#ifndef PG_NSS_H +#define PG_NSS_H + +#ifdef USE_NSS + +#include + +PRUint16 pg_find_cipher(char *name); + +typedef struct +{ + const char *name; + PRUint16 number; +} NSSCiphers; + +#define INVALID_CIPHER 0xFFFF + +/* + * This list is a partial copy of the ciphers in NSS files lib/ssl/sslproto.h + * in order to provide a human readable version of the ciphers. It would be + * nice to not have to have this, but NSS doesn't provide any API addressing + * the ciphers by name. TODO: do we want more of the ciphers, or perhaps less? + */ +static const NSSCiphers NSS_CipherList[] = { + + {"TLS_NULL_WITH_NULL_NULL", TLS_NULL_WITH_NULL_NULL}, + + {"TLS_RSA_WITH_NULL_MD5", TLS_RSA_WITH_NULL_MD5}, + {"TLS_RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA}, + {"TLS_RSA_WITH_RC4_128_MD5", TLS_RSA_WITH_RC4_128_MD5}, + {"TLS_RSA_WITH_RC4_128_SHA", TLS_RSA_WITH_RC4_128_SHA}, + {"TLS_RSA_WITH_IDEA_CBC_SHA", TLS_RSA_WITH_IDEA_CBC_SHA}, + {"TLS_RSA_WITH_DES_CBC_SHA", TLS_RSA_WITH_DES_CBC_SHA}, + {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DH_DSS_WITH_DES_CBC_SHA", TLS_DH_DSS_WITH_DES_CBC_SHA}, + {"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA}, + {"TLS_DH_RSA_WITH_DES_CBC_SHA", TLS_DH_RSA_WITH_DES_CBC_SHA}, + {"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DHE_DSS_WITH_DES_CBC_SHA", TLS_DHE_DSS_WITH_DES_CBC_SHA}, + {"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA}, + {"TLS_DHE_RSA_WITH_DES_CBC_SHA", TLS_DHE_RSA_WITH_DES_CBC_SHA}, + 
{"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_DH_anon_WITH_RC4_128_MD5", TLS_DH_anon_WITH_RC4_128_MD5}, + {"TLS_DH_anon_WITH_DES_CBC_SHA", TLS_DH_anon_WITH_DES_CBC_SHA}, + {"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", TLS_DH_anon_WITH_3DES_EDE_CBC_SHA}, + + {"TLS_RSA_WITH_AES_128_CBC_SHA", TLS_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DH_DSS_WITH_AES_128_CBC_SHA", TLS_DH_DSS_WITH_AES_128_CBC_SHA}, + {"TLS_DH_RSA_WITH_AES_128_CBC_SHA", TLS_DH_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DHE_DSS_WITH_AES_128_CBC_SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA}, + {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, + {"TLS_DH_anon_WITH_AES_128_CBC_SHA", TLS_DH_anon_WITH_AES_128_CBC_SHA}, + + {"TLS_RSA_WITH_AES_256_CBC_SHA", TLS_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DH_DSS_WITH_AES_256_CBC_SHA", TLS_DH_DSS_WITH_AES_256_CBC_SHA}, + {"TLS_DH_RSA_WITH_AES_256_CBC_SHA", TLS_DH_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DHE_DSS_WITH_AES_256_CBC_SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA}, + {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, + {"TLS_DH_anon_WITH_AES_256_CBC_SHA", TLS_DH_anon_WITH_AES_256_CBC_SHA}, + {"TLS_RSA_WITH_NULL_SHA256", TLS_RSA_WITH_NULL_SHA256}, + {"TLS_RSA_WITH_AES_128_CBC_SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256}, + {"TLS_RSA_WITH_AES_256_CBC_SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256}, + + {"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256}, + {"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA}, + {"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA}, + + {"TLS_DHE_DSS_WITH_RC4_128_SHA", TLS_DHE_DSS_WITH_RC4_128_SHA}, + 
{"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, + {"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256}, + {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, + + {"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA}, + {"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA}, + + {"TLS_RSA_WITH_SEED_CBC_SHA", TLS_RSA_WITH_SEED_CBC_SHA}, + + {"TLS_RSA_WITH_AES_128_GCM_SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256}, + {"TLS_RSA_WITH_AES_256_GCM_SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384}, + {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, + {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, + {"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256}, + {"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384}, + + {"TLS_AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256}, + {"TLS_AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384}, + {"TLS_CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256}, + {NULL, 0} +}; + +/* + * pg_find_cipher + * Translate an NSS ciphername to the cipher code + * + * Searches the configured ciphers for the corresponding cipher code to the + * name. Search is performed case insensitive. + */ +PRUint16 +pg_find_cipher(char *name) +{ + const NSSCiphers *cipher_list = NSS_CipherList; + + while (cipher_list->name) + { + if (pg_strcasecmp(cipher_list->name, name) == 0) + return cipher_list->number; + + cipher_list++; + } + + return 0xFFFF; +} + +#endif /* USE_NSS */ + +#endif /* PG_NSS_H */ 
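Review bot: `NSS_CipherList`, which `pg_find_cipher` resolves configured cipher names through, contains TLS_NULL_WITH_NULL_NULL, the `TLS_RSA_WITH_NULL_*` suites, RC4, single DES and every `TLS_DH_anon_*` suite, so a name-based `ssl_ciphers` setting can enable plaintext, anonymous or broken ciphers that the OpenSSL backend's `!aNULL` default refuses; those entries should be removed from the table (or explicitly rejected in `pg_find_cipher`) rather than left to the TODO in the comment above the array. Separately, `pg_find_cipher` is a non-static function defined in a header that its own comment says is included by both frontend and backend, which will produce duplicate-symbol link errors as soon as two translation units include it; make it `static inline PRUint16 pg_find_cipher(const char *name)` (dropping the prototype and the write-through `char *` parameter) or move the definition to a .c file. The miss path should also return `INVALID_CIPHER` instead of repeating the literal `0xFFFF` that the macro defines.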
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 179ebaa104..6211510fab 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -192,13 +192,18 @@ typedef struct Port bool peer_cert_valid; /* - * OpenSSL structures. (Keep these last so that the locations of other - * fields are the same whether or not you build with OpenSSL.) + * SSL backend specific structures. (Keep these last so that the locations + * of other fields are the same whether or not you build with SSL + * enabled.) */ #ifdef USE_OPENSSL SSL *ssl; X509 *peer; #endif + +#ifdef USE_NSS + void *pr_fd; +#endif } Port; #ifdef USE_SSL diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h index b1152475ac..298d87ecae 100644 --- a/src/include/libpq/libpq.h +++ b/src/include/libpq/libpq.h @@ -88,6 +88,9 @@ extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload; #ifdef USE_SSL extern bool ssl_loaded_verify_locations; #endif +#ifdef USE_NSS +extern char *ssl_database; +#endif extern int secure_initialize(bool isServerStart); extern bool secure_loaded_verify_locations(void); diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index fb270df678..31f808398c 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -893,6 +893,9 @@ /* Define to 1 to build with PAM support. (--with-pam) */ #undef USE_PAM +/* Define to build with NSS support (--with-nss) */ +#undef USE_NSS + /* Define to 1 to use software CRC-32C implementation (slicing-by-8). */ #undef USE_SLICING_BY_8_CRC32C diff --git a/src/include/pg_config_manual.h b/src/include/pg_config_manual.h index 705dc69c06..c28b84126d 100644 --- a/src/include/pg_config_manual.h +++ b/src/include/pg_config_manual.h 
@@ -176,10 +176,9 @@ /* * USE_SSL code should be compiled only when compiling with an SSL - * implementation. (Currently, only OpenSSL is supported, but we might add - * more implementations in the future.) + * implementation. */ -#ifdef USE_OPENSSL +#if defined(USE_OPENSSL) || defined(USE_NSS) #define USE_SSL #endif diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index d4919970f8..97821fb39b 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile @@ -57,6 +57,10 @@ OBJS += \ fe-secure-gssapi.o endif +ifeq ($(with_nss), yes) +OBJS += fe-secure-nss.o +endif + ifeq ($(PORTNAME), cygwin) override shlib = cyg$(NAME)$(DLSUFFIX) endif diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 7bee9dd201..2814eb8ddd 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -354,6 +354,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "Target-Session-Attrs", "", 11, /* sizeof("read-write") = 11 */ offsetof(struct pg_conn, target_session_attrs)}, + {"cert_database", NULL, NULL, NULL, + "CertificateDatabase", "", 64, + offsetof(struct pg_conn, cert_database)}, + /* Terminating entry --- MUST BE LAST */ {NULL, NULL, NULL, NULL, NULL, NULL, 0} diff --git a/src/interfaces/libpq/fe-secure-nss.c b/src/interfaces/libpq/fe-secure-nss.c new file mode 100644 index 0000000000..6401949136 --- /dev/null +++ b/src/interfaces/libpq/fe-secure-nss.c 
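Review bot: The new `#if defined(USE_OPENSSL) || defined(USE_NSS)` admits a build in which both symbols are defined, yet nothing in this hunk rejects that, even though the guc.c hunk earlier in this patch selects only one `ssl_library` string and the two backends appear to define the same `pgtls_*`/`PQsslStruct` entry points. A guard such as `#if defined(USE_OPENSSL) && defined(USE_NSS)` followed by `#error "only one SSL implementation may be selected"` placed just before the `USE_SSL` define would turn a confusing link failure into a clear build-time error. Whether configure already enforces exclusivity is not visible here, so this is belt-and-braces, but the header is the natural place for it.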
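Review bot: The new `cert_database` conninfo entry is registered with a NULL environment variable and a keyword outside the `ssl*` family, so, unlike what the other TLS options in this table presumably provide, it cannot be set through a `PG*` variable and will not sort next to `sslcert`/`sslrootcert` in `PQconndefaults()` output; consider `{"ssldatabase", "PGSSLDATABASE", NULL, NULL, "SSL-Database", "", 64, ...}` or at least a comment explaining why it is exempt. Note also that the entry is compiled unconditionally, so an OpenSSL-built libpq silently accepts and ignores `cert_database=...`; if that mirrors how the other ssl options already behave it is acceptable, but it deserves a sentence in the documentation. The `PQconninfoOptions` array continues outside the hunk.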
@@ -0,0 +1,975 @@ +/*------------------------------------------------------------------------- + * + * fe-secure-nss.c + * functions for supporting NSS as a TLS backend for frontend libpq + * + * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group + * Portions Copyright (c) 1994, Regents of the University of California + * + * IDENTIFICATION + * src/interfaces/libpq/fe-secure-nss.c + * + *------------------------------------------------------------------------- + */ + +#include "postgres_fe.h" + +#include "libpq-fe.h" +#include "fe-auth.h" +#include "libpq-int.h" + +/* + * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef + * our version to avoid compiler warnings on redefinition. + */ +#define pg_BITS_PER_BYTE BITS_PER_BYTE +#undef BITS_PER_BYTE + +/* + * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with + * colliding definitions from ours, causing a much expected compiler error. + * The definitions are however not actually used in NSPR at all, and are only + * intended for what seems to be backwards compatibility for apps written + * against old versions of NSPR. The following comment is in the referenced + * file, and was added in 1998: + * + * This section typedefs the old 'native' types to the new PRs. + * These definitions are scheduled to be eliminated at the earliest + * possible time. The NSPR API is implemented and documented using + * the new definitions. + * + * As there is no opt-out from pulling in these typedefs, we define the guard + * for the file to exclude it. This is incredibly ugly, but seems to be about + * the only way around it. + */ +#define PROTYPES_H +#include +#undef PROTYPES_H +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Ensure that the colliding definitions match, else throw an error. In case + * NSPR remove the definition in a future version (however unlikely that may + * be, make sure to put ours back again. 
+ */ +#if defined(BITS_PER_BYTE) +#if BITS_PER_BYTE != pg_BITS_PER_BYTE +#error "incompatible byte widths between NSPR and PostgreSQL" +#endif +#else +#define BITS_PER_BYTE pg_BITS_PER_BYTE +#endif +#undef pg_BITS_PER_BYTE + +static SECStatus pg_load_nss_module(SECMODModule * *module, const char *library, const char *name); +static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd); +static char *pg_SSLerrmessage(PRErrorCode errcode); +static SECStatus pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames, + CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey); +static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer); +static int ssl_protocol_version_to_nss(const char *protocol); +static bool cert_database_has_CA(PGconn *conn); + +static char *PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg); + +/* + * PR_ImportTCPSocket() is a private API, but very widely used, as it's the + * only way to make NSS use an already set up POSIX file descriptor rather + * than opening one itself. To quote the NSS documentation: + * + * "In theory, code that uses PR_ImportTCPSocket may break when NSPR's + * implementation changes. In practice, this is unlikely to happen because + * NSPR's implementation has been stable for years and because of NSPR's + * strong commitment to backward compatibility." + * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket + * + * The function is declared in , but as it is a header marked + * private we declare it here rather than including it. + */ +NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int); + +static SECMODModule * ca_trust = NULL; +static NSSInitContext * nss_context = NULL; + +/* + * Track whether the NSS database has a password set or not. 
There is no API + * function for retrieving password status, so we simply flip this to true in + * case NSS invoked the password callback - as that will only happen in case + * there is a password. The reason for tracking this is that there are calls + * which require a password parameter, but doesn't use the callbacks provided, + * so we must call the callback on behalf of these. + */ +static bool has_password = false; + +#if defined(WIN32) +static const char *ca_trust_name = "nssckbi.dll"; +#elif defined(__darwin__) +static const char *ca_trust_name = "libnssckbi.dylib"; +#else +static const char *ca_trust_name = "libnssckbi.so"; +#endif + +static PQsslKeyPassHook_nss_type PQsslKeyPassHook = NULL; + +/* ------------------------------------------------------------ */ +/* Procedures common to all secure sessions */ +/* ------------------------------------------------------------ */ + +void +pgtls_init_library(bool do_ssl, int do_crypto) +{ + /* TODO: implement me .. */ +} + +int +pgtls_init(PGconn *conn) +{ + conn->ssl_in_use = false; + + return 0; +} + +void +pgtls_close(PGconn *conn) +{ + if (nss_context) + { + NSS_ShutdownContext(nss_context); + nss_context = NULL; + } +} + +PostgresPollingStatusType +pgtls_open_client(PGconn *conn) +{ + SECStatus status; + PRFileDesc *pr_fd; + PRFileDesc *model; + NSSInitParameters params; + SSLVersionRange desired_range; + + /* + * The NSPR documentation states that runtime initialization via PR_Init + * is no longer required, as the first caller into NSPR will perform the + * initialization implicitly. The documentation doesn't however clarify + * from which version this is holds true, so let's perform the potentially + * superfluous initialization anyways to avoid crashing on older versions + * of NSPR, as there is no difference in overhead. The NSS documentation + * still states that PR_Init must be called in some way (implicitly or + * explicitly). 
+ * + * The below parameters are what the implicit initialization would've done + * for us, and should work even for older versions where it might not be + * done automatically. The last parameter, maxPTDs, is set to various + * values in other codebases, but has been unused since NSPR 2.1 which was + * released sometime in 1998. + */ + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + /* + * The original design of NSS was for a single application to use a single + * copy of it, initialized with NSS_Initialize() which isn't returning any + * handle with which to refer to NSS. NSS initialization and shutdown are + * global for the application, so a shutdown in another NSS enabled + * library would cause NSS to be stopped for libpq as well. The fix has + * been to introduce NSS_InitContext which returns a context handle to + * pass to NSS_ShutdownContext. NSS_InitContext was introduced in NSS + * 3.12, but the use of it is not very well documented. + * https://bugzilla.redhat.com/show_bug.cgi?id=738456 + * + * The InitParameters struct passed can be used to override internal + * values in NSS, but the usage is not documented at all. When using + * NSS_Init initializations, the values are instead set via PK11_Configure + * calls so the PK11_Configure documentation can be used to glean some + * details on these. 
+ * + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs + */ + memset(¶ms, 0, sizeof(params)); + params.length = sizeof(params); + + if (conn->cert_database && strlen(conn->cert_database) > 0) + { + char *cert_database_path = psprintf("sql:%s", conn->cert_database); + + nss_context = NSS_InitContext(cert_database_path, "", "", "", + ¶ms, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + pfree(cert_database_path); + } + else + nss_context = NSS_InitContext("", "", "", "", ¶ms, + NSS_INIT_READONLY | NSS_INIT_NOCERTDB | + NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN | + NSS_INIT_NOROOTINIT | NSS_INIT_PK11RELOAD); + + if (!nss_context) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to %s certificate database: %s"), + conn->cert_database ? "open" : "create", + err); + free(err); + return PGRES_POLLING_FAILED; + } + + /* + * Configure cipher policy. + */ + status = NSS_SetDomesticPolicy(); + if (status != SECSuccess) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to configure cipher policy: %s"), + err); + free(err); + return PGRES_POLLING_FAILED; + } + + /* + * If we don't have a certificate database, the system trust store is the + * fallback we can use. If we fail to initialize that as well, we can + * still attempt a connection as long as the sslmode isn't verify*. 
+ */ + if (!conn->cert_database && conn->sslmode[0] == 'v') + { + status = pg_load_nss_module(&ca_trust, ca_trust_name, "\"Root Certificates\""); + /* status = pg_load_nss_module(&ca_trust, ca_trust_name, "trust"); */ + if (status != SECSuccess) + { + char *err = pg_SSLerrmessage(PR_GetError()); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("WARNING: unable to load NSS trust module \"%s\" : %s"), ca_trust_name, err); + return PGRES_POLLING_FAILED; + } + } + + + PK11_SetPasswordFunc(PQssl_passwd_cb); + + /* + * Import the already opened socket as we don't want to use NSPR functions + * for opening the network socket due to how the PostgreSQL protocol works + * with TLS connections. This function is not part of the NSPR public API, + * see the comment at the top of the file for the rationale of still using + * it. + */ + pr_fd = PR_ImportTCPSocket(conn->sock); + if (!pr_fd) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to attach to socket: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Most of the documentation available, and implementations of, NSS/NSPR + * use the PR_NewTCPSocket() function here, which has the drawback that it + * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which + * copes with IPv6 as well. + */ + model = SSL_ImportFD(NULL, PR_OpenTCPSocket(conn->laddr.addr.ss_family)); + if (!model) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to enable TLS: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* Disable old protocol versions (SSLv2 and SSLv3) */ + SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE); + SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE); + SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE); + +#ifdef SSL_CBC_RANDOM_IV + + /* + * Enable protection against the BEAST attack in case the NSS library has + * support for that. 
While SSLv3 is disabled, we may still allow TLSv1 + * which is affected. The option isn't documented as an SSL option, but as + * an NSS environment variable. + */ + SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE); +#endif + + /* Set us up as a TLS client for the handshake */ + SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); + + /* + * When setting the available protocols, we either use the user defined + * configuration values, and if missing we accept whatever is the highest + * version supported by the library as the max and only limit the range in + * the other end at TLSv1.0. ssl_variant_stream is a ProtocolVariant enum + * for Stream protocols, rather than datagram. + */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &desired_range); + desired_range.min = SSL_LIBRARY_VERSION_TLS_1_0; + + if (conn->ssl_min_protocol_version && strlen(conn->ssl_min_protocol_version) > 0) + { + int ssl_min_ver = ssl_protocol_version_to_nss(conn->ssl_min_protocol_version); + + if (ssl_min_ver == -1) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"), + conn->ssl_min_protocol_version); + return -1; + } + + desired_range.min = ssl_min_ver; + } + + if (conn->ssl_max_protocol_version && strlen(conn->ssl_max_protocol_version) > 0) + { + int ssl_max_ver = ssl_protocol_version_to_nss(conn->ssl_max_protocol_version); + + if (ssl_max_ver == -1) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"), + conn->ssl_max_protocol_version); + return -1; + } + + desired_range.max = ssl_max_ver; + } + + if (SSL_VersionRangeSet(model, &desired_range) != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to set allowed SSL protocol version range: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Set up callback for verifying server certificates, as well as for how + * to handle 
failed verifications. + */ + SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) conn); + SSL_BadCertHook(model, pg_bad_cert_handler, (void *) conn); + + /* + * Convert the NSPR socket to an SSL socket. Ensuring the success of this + * operation is critical as NSS SSL_* functions may return SECSuccess on + * the socket even though SSL hasn't been enabled, which introduce a risk + * of silent downgrades. + */ + conn->pr_fd = SSL_ImportFD(model, pr_fd); + if (!conn->pr_fd) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to configure client for TLS: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * The model can now we closed as we've applied the settings of the model + * onto the real socket. From hereon we should only use conn->pr_fd. + */ + PR_Close(model); + + /* Set the private data to be passed to the password callback */ + SSL_SetPKCS11PinArg(conn->pr_fd, (void *) conn); + + /* + * If a CRL file has been specified, verify if it exists in the database + * but don't fail in case it doesn't. + */ + if (conn->sslcrl && strlen(conn->sslcrl) > 0) + { + /* XXX: Implement me.. */ + } + + status = SSL_ResetHandshake(conn->pr_fd, PR_FALSE); + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to initiate handshake: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + /* + * Set callback for client authentication when requested by the server. + */ + SSL_GetClientAuthDataHook(conn->pr_fd, pg_client_auth_handler, (void *) conn); + + /* + * Specify which hostname we are expecting to talk to. This is required, + * albeit mostly applies to when opening a connection to a traditional + * http server it seems. 
+ */ + SSL_SetURL(conn->pr_fd, (conn->connhost[conn->whichhost]).host); + + do + { + status = SSL_ForceHandshake(conn->pr_fd); + } + while (status != SECSuccess && PR_GetError() == PR_WOULD_BLOCK_ERROR); + + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s"), + pg_SSLerrmessage(PR_GetError())); + return PGRES_POLLING_FAILED; + } + + conn->ssl_in_use = true; + return PGRES_POLLING_OK; +} + +ssize_t +pgtls_read(PGconn *conn, void *ptr, size_t len) +{ + PRInt32 nread; + PRErrorCode status; + int read_errno = 0; + + nread = PR_Recv(conn->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT); + + /* + * PR_Recv blocks until there is data to read or the timeout expires. Zero + * is returned for closed connections, while -1 indicates an error within + * the ongoing connection. + */ + if (nread == 0) + { + read_errno = ECONNRESET; + return -1; + } + + if (nread == -1) + { + status = PR_GetError(); + + switch (status) + { + case PR_WOULD_BLOCK_ERROR: + read_errno = EINTR; + break; + + case PR_IO_TIMEOUT_ERROR: + break; + + /* + * The error cases for PR_Recv are not documented, but can be + * reverse engineered from _MD_unix_map_default_error() in the + * NSPR code, defined in pr/src/md/unix/unix_errors.c. + */ + default: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("TLS read error: %s"), + pg_SSLerrmessage(status)); + break; + } + } + + SOCK_ERRNO_SET(read_errno); + return (ssize_t) nread; +} + +/* + * pgtls_read_pending + * Check for the existence of data to be read. + * + * This is part of the PostgreSQL TLS backend API. + */ +bool +pgtls_read_pending(PGconn *conn) +{ + unsigned char c; + int n; + + /* + * PR_Recv peeks into the stream with the timeount turned off, to see if + * there is another byte to read off the wire. 
There is an NSS function + * SSL_DataPending() which might seem like a better fit, but it will only + * check already encrypted data in the SSL buffer, not still unencrypted + * data, thus it doesn't guarantee that a subsequent call to + * PR_Read/PR_Recv wont block. + */ + n = PR_Recv(conn->pr_fd, &c, 1, PR_MSG_PEEK, PR_INTERVAL_NO_WAIT); + return (n > 0); +} + +ssize_t +pgtls_write(PGconn *conn, const void *ptr, size_t len) +{ + PRInt32 n; + PRErrorCode status; + int write_errno = 0; + + n = PR_Write(conn->pr_fd, ptr, len); + + if (n < 0) + { + status = PR_GetError(); + + switch (status) + { + case PR_WOULD_BLOCK_ERROR: +#ifdef EAGAIN + write_errno = EAGAIN; +#else + write_errno = EINTR; +#endif + break; + + default: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("TLS write error: %s"), + pg_SSLerrmessage(status)); + write_errno = ECONNRESET; + break; + } + } + + SOCK_ERRNO_SET(write_errno); + return (ssize_t) n; +} + +/* + * Verify that the server certificate matches the hostname we connected to. + * + * The certificate's Common Name and Subject Alternative Names are considered. + */ +int +pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, + int *names_examined, + char **first_name) +{ + return 1; +} + +/* ------------------------------------------------------------ */ +/* PostgreSQL specific TLS support functions */ +/* ------------------------------------------------------------ */ + +/* + * TODO: this a 99% copy of the same function in the backend, make these share + * a single implementation instead. 
+ */ +static char * +pg_SSLerrmessage(PRErrorCode errcode) +{ + const char *error; + + error = PR_ErrorToName(errcode); + if (error) + return strdup(error); + + return strdup("unknown TLS error"); +} + +static SECStatus +pg_load_nss_module(SECMODModule * *module, const char *library, const char *name) +{ + SECMODModule *mod; + char *modulespec; + + modulespec = psprintf("library=\"%s\", name=\"%s\"", library, name); + + /* + * Attempt to load the specified module. The second parameter is "parent" + * which should always be NULL for application code. The third parameter + * defines if loading should recurse which is only applicable when loading + * a module from within another module. This hierarchy would have to be + * defined in the modulespec, and since we don't support anything but + * directly addressed modules we should pass PR_FALSE. + */ + mod = SECMOD_LoadUserModule(modulespec, NULL, PR_FALSE); + pfree(modulespec); + + if (mod && mod->loaded) + { + *module = mod; + return SECSuccess; + } + + SECMOD_DestroyModule(mod); + return SECFailure; +} + +/* ------------------------------------------------------------ */ +/* NSS Callbacks */ +/* ------------------------------------------------------------ */ + +/* + * pg_cert_auth_handler + * Callback for authenticating server certificate + * + * This is pretty much the same procedure as the SSL_AuthCertificate function + * provided by NSS, with the difference being server hostname validation. With + * SSL_AuthCertificate there is no way to do verify-ca, it only does the -full + * flavor of our sslmodes, so we need our own implementation. 
+ */ +static SECStatus +pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer) +{ + SECStatus status; + PGconn *conn = (PGconn *) arg; + char *server_hostname = NULL; + CERTCertificate *server_cert; + void *pin; + + Assert(!isServer); + + pin = SSL_RevealPinArg(conn->pr_fd); + server_cert = SSL_PeerCertificate(conn->pr_fd); + + status = CERT_VerifyCertificateNow((CERTCertDBHandle *) CERT_GetDefaultCertDB(), server_cert, + checksig, certificateUsageSSLServer, + pin, NULL); + + /* + * If we've already failed validation then there is no point in also + * performing the hostname check for verify-full. + */ + if (status != SECSuccess) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to verify certificate: %s"), + pg_SSLerrmessage(PR_GetError())); + goto done; + } + + if (strcmp(conn->sslmode, "verify-full") == 0) + { + server_hostname = SSL_RevealURL(conn->pr_fd); + if (!server_hostname || server_hostname[0] == '\0') + goto done; + + /* + * CERT_VerifyCertName will internally perform RFC 2818 SubjectAltName + * verification. + */ + status = CERT_VerifyCertName(server_cert, server_hostname); + if (status != SECSuccess) + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("unable to verify server hostname: %s"), + pg_SSLerrmessage(PR_GetError())); + + } + +done: + if (server_hostname) + PR_Free(server_hostname); + + CERT_DestroyCertificate(server_cert); + return status; +} + +/* + * pg_client_auth_handler + * Callback for client certificate validation + * + * The client auth callback is not on by default in NSS, so we need to invoke + * it ourselves to ensure we can do cert authentication. A TODO is to support + * running without a specified sslcert parameter. By retrieving all the certs + * via nickname from the cert database and see if we find one which apply with + * NSS_CmpCertChainWCANames() and PK11_FindKeyByAnyCert() we could support + * just running with a ssl database specified. 
+ * + * For now, we use the default client certificate validation which requires a + * defined nickname to identify the cert in the database. + */ +static SECStatus +pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames, + CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey) +{ + PGconn *conn = (PGconn *) arg; + + return NSS_GetClientAuthData(conn->sslcert, socket, caNames, pRetCert, pRetKey); +} + +/* + * pg_bad_cert_handler + * Callback for failed certificate validation + * + * The TLS handshake will call this function iff the server certificate failed + * validation. Depending on the sslmode, we allow the connection anyways. + */ +static SECStatus +pg_bad_cert_handler(void *arg, PRFileDesc * fd) +{ + PGconn *conn = (PGconn *) arg; + PRErrorCode err; + + /* + * This really shouldn't happen, as we've the the PGconn object as our + * callback data, and at the callsite we know it will be populated. That + * being said, the NSS code itself performs this check even when it should + * not be required so let's use the same belts with our suspenders. + */ + if (!arg) + return SECFailure; + + /* + * For sslmodes other than verify-full and verify-ca we don't perform peer + * validation, so return immediately. sslmode require with a database + * specified which contains a CA certificate will work like verify-ca to + * be compatible with the OpenSSL implementation. + */ + if (strcmp(conn->sslmode, "require") == 0) + { + if (conn->cert_database && strlen(conn->cert_database) > 0 && cert_database_has_CA(conn)) + return SECFailure; + } + if (conn->sslmode[0] == 'v') + return SECFailure; + + err = PORT_GetError(); + + /* + * TODO: these are relevant error codes that can occur in certificate + * validation, figure out which we dont want for require/prefer etc. 
+ */
+ switch (err)
+ {
+ case SEC_ERROR_INVALID_AVA:
+ case SEC_ERROR_INVALID_TIME:
+ case SEC_ERROR_BAD_SIGNATURE:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ case SEC_ERROR_UNTRUSTED_CERT:
+ case SEC_ERROR_CERT_VALID:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_CRL_EXPIRED:
+ case SEC_ERROR_CRL_BAD_SIGNATURE:
+ case SEC_ERROR_EXTENSION_VALUE_INVALID:
+ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_CERT_USAGES_INVALID:
+ case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+ return SECSuccess;
+ break;
+ default:
+ return SECFailure;
+ break;
+ }
+
+ /* Unreachable */
+ return SECSuccess;
+}
+
+/* ------------------------------------------------------------ */
+/* SSL information functions */
+/* ------------------------------------------------------------ */
+
+void *
+PQgetssl(PGconn *conn)
+{
+ /*
+ * Always return NULL as this is legacy and defined to be equal to
+ * PQsslStruct(conn, "OpenSSL"); This should ideally trigger a logged
+ * warning somewhere as it's nonsensical to run in a non-OpenSSL build,
+ * but the color of said bikeshed hasn't yet been determined.
+ */
+ return NULL;
+}
+
+void *
+PQsslStruct(PGconn *conn, const char *struct_name)
+{
+ if (!conn)
+ return NULL;
+
+ /*
+ * Return the underlying PRFileDesc which can be used to access
+ * information on the connection details. There is no SSL context per se.
+ */
+ if (strcmp(struct_name, "NSS") == 0)
+ return conn->pr_fd;
+ return NULL;
+}
+
+const char *const *
+PQsslAttributeNames(PGconn *conn)
+{
+ static const char *const result[] = {
+ "library",
+ "cipher",
+ "protocol",
+ "key_bits",
+ "compression",
+ NULL
+ };
+
+ return result;
+}
+
+const char *
+PQsslAttribute(PGconn *conn, const char *attribute_name)
+{
+ SECStatus status;
+ SSLChannelInfo channel;
+ SSLCipherSuiteInfo suite;
+
+ if (!conn || !conn->pr_fd)
+ return NULL;
+
+ if (strcmp(attribute_name, "library") == 0)
+ return "NSS";
+
+ status = SSL_GetChannelInfo(conn->pr_fd, &channel, sizeof(channel));
+ if (status != SECSuccess)
+ return NULL;
+
+ status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite));
+ if (status != SECSuccess)
+ return NULL;
+
+ if (strcmp(attribute_name, "cipher") == 0)
+ return suite.cipherSuiteName;
+
+ if (strcmp(attribute_name, "key_bits") == 0)
+ {
+ static char key_bits_str[8];
+
+ snprintf(key_bits_str, sizeof(key_bits_str), "%i", suite.effectiveKeyBits);
+ return key_bits_str;
+ }
+
+ if (strcmp(attribute_name, "protocol") == 0)
+ {
+ switch (channel.protocolVersion)
+ {
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+ case SSL_LIBRARY_VERSION_TLS_1_3:
+ return "TLSv1.3";
+#endif
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ return "TLSv1.2";
+#endif
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ return "TLSv1.1";
+#endif
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ return "TLSv1.0";
+ default:
+ return "unknown";
+ }
+ }
+
+ /*
+ * NSS disabled support for compression in version 3.33, and it was only
+ * available for SSLv3 at that point anyways, so we can safely return off
+ * here without checking.
+ */
+ if (strcmp(attribute_name, "compression") == 0)
+ return "off";
+
+ return NULL;
+}
+
+static int
+ssl_protocol_version_to_nss(const char *protocol)
+{
+ if (pg_strcasecmp("TLSv1", protocol) == 0)
+ return SSL_LIBRARY_VERSION_TLS_1_0;
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+ if (pg_strcasecmp("TLSv1.1", protocol) == 0)
+ return SSL_LIBRARY_VERSION_TLS_1_1;
+#endif
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+ if (pg_strcasecmp("TLSv1.2", protocol) == 0)
+ return SSL_LIBRARY_VERSION_TLS_1_2;
+#endif
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+ if (pg_strcasecmp("TLSv1.3", protocol) == 0)
+ return SSL_LIBRARY_VERSION_TLS_1_3;
+#endif
+
+ return -1;
+}
+
+static bool
+cert_database_has_CA(PGconn *conn)
+{
+ CERTCertList *certificates;
+ bool hasCA;
+
+ /*
+ * If the certificate database has a password we must provide it, since
+ * this API doesn't invoke the standard password callback.
+ */
+ if (has_password)
+ certificates = PK11_ListCerts(PK11CertListCA, PQssl_passwd_cb(NULL, PR_FALSE, (void *) conn));
+ else
+ certificates = PK11_ListCerts(PK11CertListCA, NULL);
+ hasCA = !CERT_LIST_EMPTY(certificates);
+ CERT_DestroyCertList(certificates);
+
+ return hasCA;
+}
+
+PQsslKeyPassHook_nss_type
+PQgetSSLKeyPassHook_nss(void)
+{
+ return PQsslKeyPassHook;
+}
+
+void
+PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook)
+{
+ PQsslKeyPassHook = hook;
+}
+
+/*
+ * Supply a password to decrypt a client certificate.
+ *
+ * This must match NSS type PK11PasswordFunc.
+ */
+static char *
+PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg)
+{
+ has_password = true;
+
+ if (PQsslKeyPassHook)
+ return PQsslKeyPassHook(slot, (PRBool) retry, arg);
+ else
+ return PQdefaultSSLKeyPassHook_nss(slot, retry, arg);
+}
+
+/*
+ * The default password handler callback.
+ */
+char *
+PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg)
+{
+ PGconn *conn = (PGconn *) arg;
+
+ /*
+ * If the password didn't work the first time there is no point in
+ * retrying as it hasn't changed.
+ */
+ if (retry != PR_TRUE && conn->sslpassword && strlen(conn->sslpassword) > 0)
+ return PORT_Strdup(conn->sslpassword);
+
+ return NULL;
+}
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 3311fd7a5b..b6c92ece11 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -430,6 +430,9 @@ PQsslAttributeNames(PGconn *conn)
 return result;
 }
+#endif /* USE_SSL */
+
+#ifndef USE_OPENSSL
 PQsslKeyPassHook_OpenSSL_type
 PQgetSSLKeyPassHook_OpenSSL(void)
@@ -448,7 +451,7 @@ PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
 {
 return 0;
 }
-#endif /* USE_SSL */
+#endif /* USE_OPENSSL */
 /* Dummy version of GSSAPI information functions, when built without GSS support */
 #ifndef ENABLE_GSS
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 3b6a9fbce3..27c16e187f 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -625,6 +625,17 @@ extern PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void);
 extern void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook);
 extern int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn);
+/* == in fe-secure-nss.c === */
+typedef struct PK11SlotInfoStr PK11SlotInfo;
+typedef int PRIntn;
+typedef PRIntn PRBool;
+
+/* Support for overriding sslpassword handling with a callback. */
+typedef char *(*PQsslKeyPassHook_nss_type) (PK11SlotInfo * slot, PRBool retry, void *arg);
+extern PQsslKeyPassHook_nss_type PQgetSSLKeyPassHook_nss(void);
+extern void PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook);
+extern char *PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg);
+
 #ifdef __cplusplus
 }
 #endif
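Review bot: Moving the OpenSSL hook stubs under `#ifndef USE_OPENSSL` means they are also compiled into a libpq built with NSS, where an application that calls `PQsetSSLKeyPassHook_OpenSSL` installs nothing and gets no error; the second hunk shows the default hook returning 0, and presumably the setter is an equally silent no-op. A short comment above the new guard would keep the next reader from assuming these exist only in non-SSL builds: `/* Stubs for the OpenSSL passphrase hooks; also built when libpq uses another TLS library, where calling them is a silent no-op. */`. The stub bodies themselves sit outside this hunk.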
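Review bot: `PK11SlotInfo`, `PRIntn` and `PRBool` are now defined unconditionally in libpq's public header, so a client that includes both libpq-fe.h and the NSPR/NSS headers sees each typedef twice; that is a hard error before C11 and is only tolerated in C11 when both definitions agree, which cannot be assumed for a platform-dependent type like `PRIntn`. Guarding the three typedefs behind a libpq-specific macro that NSS-aware clients can define (or checking NSPR's own include guard) would avoid the clash. The ownership rule of the hook is also undocumented: the default implementation elsewhere in this patch returns `PORT_Strdup()` memory and NSS is expected to free what the callback returns, so the comment should say so, e.g. `/* Return a string allocated with PORT_Strdup()/PR_Malloc(), which NSS frees, or NULL to decline. */`.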
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1de91ae295..12717ca720 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -362,6 +362,7 @@ struct pg_conn
 char *sslpassword; /* client key file password */
 char *sslrootcert; /* root certificate filename */
 char *sslcrl; /* certificate revocation list filename */
+ char *cert_database;
 char *requirepeer; /* required peer credentials for local sockets */
 char *gssencmode; /* GSS mode (require,prefer,disable) */
 char *krbsrvname; /* Kerberos service name */
@@ -485,6 +486,10 @@ struct pg_conn
 * OpenSSL version changes */
 #endif
 #endif /* USE_OPENSSL */
+
+#ifdef USE_NSS
+ void *pr_fd;
+#endif /* USE_NSS */
 #endif /* USE_SSL */
 #ifdef ENABLE_GSS
diff --git a/src/test/Makefile b/src/test/Makefile
index efb206aa75..d18f5a083b 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -27,7 +27,7 @@ ifneq (,$(filter ldap,$(PG_TEST_EXTRA)))
 SUBDIRS += ldap
 endif
 endif
-ifeq ($(with_openssl),yes)
+ifeq ($(with_ssl),yes)
 ifneq (,$(filter ssl,$(PG_TEST_EXTRA)))
 SUBDIRS += ssl
 endif
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 777ee39413..fe265e2dbd 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
 include $(top_builddir)/src/Makefile.global
 export with_openssl
+export with_nss
 CERTIFICATES := server_ca server-cn-and-alt-names \
 server-cn-only server-single-alt-name server-multiple-alt-names \
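Review bot: `cert_database` is the only member in this run of connection options without a trailing comment, and its name does not say that it is an NSS database rather than a file like the neighbouring `sslrootcert`/`sslcrl`; the Makefile rules later in this patch create these databases as directories (`$(MKDIR_P) $@`). Suggest `char *cert_database; /* NSS certificate/key database directory */`, ideally also naming the connection option that fills it, which is not visible in this chunk.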
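Review bot: `pr_fd` is added as a bare `void *` with no comment, although the NSS code elsewhere in this patch hands it straight to `SSL_RevealPinArg()`/`SSL_PeerCertificate()` and returns it from `PQsslStruct()`; presumably it is `void *` so this header need not pull in NSPR types. Say so: `void *pr_fd; /* NSS PRFileDesc for the TLS connection; void * to keep NSPR headers out of libpq-int.h */`.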
@@ -30,6 +31,32 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
 ssl/client+client_ca.crt ssl/client-der.key \
 ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+# Even though we in practice could get away with far fewer NSS databases, they
+# are generated to mimick the setup for the OpenSSL tests in order to ensure
+# we isolate the same behavior between the backends. The database name should
+# contain the files included for easier test suite code reading.
+NSSFILES := ssl/nss/client_ca.crt.db \
+ ssl/nss/server_ca.crt.db \
+ ssl/nss/root+server_ca.crt.db \
+ ssl/nss/root+client_ca.crt.db \
+ ssl/nss/client.crt__client.key.db \
+ ssl/nss/client-revoked.crt__client-revoked.key.db \
+ ssl/nss/server-cn-only.crt__server-password.key.db \
+ ssl/nss/server-cn-only.crt__server-cn-only.key.db \
+ ssl/nss/root.crl \
+ ssl/nss/server.crl \
+ ssl/nss/client.crl \
+ ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db \
+ ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db \
+ ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db \
+ ssl/nss/server-no-names.crt__server-no-names.key.db \
+ ssl/nss/server-revoked.crt__server-revoked.key.db \
+ ssl/nss/root+client.crl \
+ ssl/nss/client+client_ca.crt__client.key.db \
+ ssl/nss/client.crt__client-encrypted-pem.key.db \
+ ssl/nss/root+server_ca.crt__server.crl.db \
+ ssl/nss/root+server_ca.crt__root+server.crl.db
+
 # This target re-generates all the key and certificate files. Usually we just
 # use the ones that are committed to the tree without rebuilding them.
 #
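Review bot: The comment has a typo (`mimick` should be `mimic`) and "isolate the same behavior" does not say what is meant; suggest `# are generated to mimic the OpenSSL test setup so that both backends are exercised with the same certificate, CA and CRL combinations.` It would also help to state that each `.db` entry is a directory holding cert9.db, key4.db and pkcs11.txt, since the entries read like files and the rules below create them with `$(MKDIR_P)`.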
@@ -37,6 +64,10 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
 #
 sslfiles: $(SSLFILES)
+# Generate NSS certificate databases corresponding to the OpenSSL certificates.
+# This target will fail unless preceded by nssfiles-clean.
+nssfiles: $(NSSFILES)
+
 # OpenSSL requires a directory to put all generated certificates in. We don't
 # use this for anything, but we need a location.
 ssl/new_certs_dir:
@@ -64,6 +95,24 @@ ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
 rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
 echo "01" > ssl/$*_ca.srl
+ssl/nss/%_ca.crt.db: ssl/%_ca.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n $*_ca.crt -i ssl/$*_ca.crt -t "CT,C,C"
+
+ssl/nss/root+server_ca.crt__server.crl.db: ssl/root+server_ca.crt ssl/nss/server.crl
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+ crlutil -I -i ssl/nss/server.crl -d $@ -B
+
+ssl/nss/root+server_ca.crt__root+server.crl.db: ssl/root+server_ca.crt ssl/nss/root.crl ssl/nss/server.crl
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+ crlutil -I -i ssl/nss/root.crl -d $@ -B
+ crlutil -I -i ssl/nss/server.crl -d $@ -B
+
 # Server certificates, signed by server CA:
 ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
 openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
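Review bot: The two `crlutil -I` invocations open the database as `-d $@` while every `certutil` call in the same rules uses `-d "sql:$@"`; on NSS builds where the legacy dbm format is still the default, that opens (or creates) a different database in the same directory and the CRL never reaches cert9.db, so use `crlutil -I -i ssl/nss/server.crl -d "sql:$@" -B` in both rules. The nicknames are also inconsistent: the pattern rule imports as `$*_ca.crt`, the two CRL databases import the same bundle as `ssl/root+server_ca.crt`, and tests that select a certificate by nickname will depend on which convention a given database happened to use. Since the issuing CA is imported just above, a comment saying why `-B` is needed on the CRL import would help the next reader.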
@@ -77,6 +126,74 @@ ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.
 openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
 rm ssl/server-ss.csr
+ssl/nss/server-cn-only.crt__server-password.key.db: ssl/server-cn-only.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-password.pfx -inkey ssl/server-password.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passin 'pass:secret1' -passout pass:
+ pk12util -i ssl/nss/server-password.pfx -d $@ -W ''
+
+ssl/nss/server-cn-only.crt__server-cn-only.key.db: ssl/server-cn-only.crt ssl/server-cn-only.key
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-cn-only.pfx -inkey ssl/server-cn-only.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passout pass:
+ pk12util -i ssl/nss/server-cn-only.pfx -d $@ -W ''
+
+ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db: ssl/server-multiple-alt-names.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-multiple-alt-names.crt -i ssl/server-multiple-alt-names.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-multiple-alt-names.pfx -inkey ssl/server-multiple-alt-names.key -in ssl/server-multiple-alt-names.crt -certfile ssl/server-multiple-alt-names.crt -passout pass:
+ pk12util -i ssl/nss/server-multiple-alt-names.pfx -d $@ -W ''
+
+ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db: ssl/server-single-alt-name.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-single-alt-name.crt -i ssl/server-single-alt-name.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-single-alt-name.pfx -inkey ssl/server-single-alt-name.key -in ssl/server-single-alt-name.crt -certfile ssl/server-single-alt-name.crt -passout pass: 
+ pk12util -i ssl/nss/server-single-alt-name.pfx -d $@ -W ''
+
+ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db: ssl/server-cn-and-alt-names.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-cn-and-alt-names.crt -i ssl/server-cn-and-alt-names.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-cn-and-alt-names.pfx -inkey ssl/server-cn-and-alt-names.key -in ssl/server-cn-and-alt-names.crt -certfile ssl/server-cn-and-alt-names.crt -passout pass:
+ pk12util -i ssl/nss/server-cn-and-alt-names.pfx -d $@ -W ''
+
+ssl/nss/server-no-names.crt__server-no-names.key.db: ssl/server-no-names.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-no-names.crt -i ssl/server-no-names.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-no-names.pfx -inkey ssl/server-no-names.key -in ssl/server-no-names.crt -certfile ssl/server-no-names.crt -passout pass:
+ pk12util -i ssl/nss/server-no-names.pfx -d $@ -W ''
+
+ssl/nss/server-revoked.crt__server-revoked.key.db: ssl/server-revoked.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/server-revoked.crt -i ssl/server-revoked.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/server-revoked.pfx -inkey ssl/server-revoked.key -in ssl/server-revoked.crt -certfile ssl/server-revoked.crt -passout pass:
+ pk12util -i ssl/nss/server-revoked.pfx -d $@ -W ''
+
 # Password-protected version of server-cn-only.key
 ssl/server-password.key: ssl/server-cn-only.key
 openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
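Review bot: The `server-password` database is not password-protected on the NSS side: the PKCS#12 export decrypts the key with `-passin 'pass:secret1'` and re-exports it with an empty `-passout pass:`, and `pk12util -W ''` loads it into a database created with `--empty-password`, so any test that uses this fixture for the passphrase path is exercising an unprotected key (the test script is not in this chunk, so confirm). If the intent is to cover passphrase handling, create the database with a password file, as the client-encrypted-pem rule later in this patch does with `certutil -N -f $@.pass`. Separately, the multiple-alt-names, single-alt-name, cn-and-alt-names, no-names and revoked rules pass the leaf itself as `-certfile ssl/server-X.crt` where the two cn-only rules use `-certfile ssl/server_ca.crt`; that reads as a copy-paste slip and should be `-certfile ssl/server_ca.crt` so the .pfx carries the chain. The rules also read `ssl/server-X.key`, `ssl/server_ca.crt`, `ssl/root_ca.crt` and `ssl/client_ca.crt` without listing them as prerequisites, so a regenerated CA will not trigger a rebuild.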
@@ -88,6 +205,27 @@ ssl/client.crt: ssl/client.key ssl/client_ca.crt
 openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
 rm ssl/client.csr ssl/temp.crt
+# Client certificate, signed by client CA
+ssl/nss/client.crt__client.key.db: ssl/client.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/client.crt -i ssl/client.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root+client_ca.crt -i ssl/root+client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass:
+ pk12util -i ssl/nss/client.pfx -d $@ -W ''
+
+# Client certificate with encrypted key, signed by client CA
+ssl/nss/client.crt__client-encrypted-pem.key.db: ssl/client.crt
+ $(MKDIR_P) $@
+ echo 'dUmmyP^#+' > $@.pass
+ certutil -d "sql:$@" -N -f $@.pass
+ certutil -d "sql:$@" -A -f $@.pass -n ssl/client.crt -i ssl/client.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -f $@.pass -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -f $@.pass -n root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/client-encrypted-pem.pfx -inkey ssl/client-encrypted-pem.key -in ssl/client.crt -certfile ssl/client_ca.crt -passin pass:'dUmmyP^#+' -passout pass:'dUmmyP^#+'
+ pk12util -i ssl/nss/client-encrypted-pem.pfx -d $@ -W 'dUmmyP^#+' -k $@.pass
+
 # Another client certificate, signed by the client CA. This one is revoked.
 ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
 openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
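Review bot: The two client databases disagree on which CA bundle they trust: `client.crt__client.key.db` imports `root+client_ca.crt` while `client.crt__client-encrypted-pem.key.db` imports `root+server_ca.crt`; a client database needs the server CA chain to validate the server, so the first looks like a slip unless a test deliberately relies on a client with no server CA (confirm against the test script, which is not in this chunk). `certutil -A` on a concatenated PEM such as `root+server_ca.crt` may import only the first certificate in the file, so verify with `certutil -L` that both the root and the intermediate landed in the database rather than assuming it from the nickname. The passphrase is also placed on the command line three times (`-passin pass:'dUmmyP^#+' -passout pass:'dUmmyP^#+'` and `pk12util -W 'dUmmyP^#+'`) right after being written to `$@.pass`; `-passin file:$@.pass -passout file:$@.pass` and `pk12util -w $@.pass` keep it out of the process list, which matters if this recipe is ever copied for a real key.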
@@ -95,6 +233,14 @@ ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
 openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
 rm ssl/client-revoked.csr ssl/temp.crt
+ssl/nss/client-revoked.crt__client-revoked.key.db: ssl/client-revoked.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/client-revoked.crt -i ssl/client-revoked.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/client-revoked.pfx -inkey ssl/client-revoked.key -in ssl/client-revoked.crt -certfile ssl/client_ca.crt -passout pass:
+ pk12util -i ssl/nss/client-revoked.pfx -d $@ -W ''
+
 # Convert the key to DER, to test our behaviour there too
 ssl/client-der.key: ssl/client.key
 openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
@@ -127,19 +273,40 @@ ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
 ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
 cat $^ > $@
+# Client certificate, signed by client CA
+ssl/nss/client+client_ca.crt__client.key.db: ssl/client+client_ca.crt
+ $(MKDIR_P) $@
+ certutil -d "sql:$@" -N --empty-password
+ certutil -d "sql:$@" -A -n ssl/client+client_ca.crt -i ssl/client+client_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+ openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass:
+ pk12util -i ssl/nss/client.pfx -d $@ -W ''
+
 #### CRLs
 ssl/client.crl: ssl/client-revoked.crt
 openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
 openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
+ssl/nss/client.crl: ssl/client.crl
+ openssl crl -in $^ -outform der -out $@
+
 ssl/server.crl: ssl/server-revoked.crt
 openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
 openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
+ssl/nss/server.crl: ssl/server.crl
+ openssl crl -in $^ -outform der -out $@
+
 ssl/root.crl: ssl/root_ca.crt
 openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
+ssl/nss/root.crl: ssl/root.crl
+ openssl crl -in $^ -outform der -out $@
+
+ssl/nss/root+client.crl: ssl/root+client.crl
+ openssl crl -in $^ -outform der -out $@
+
 # If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
 # chain, even if some of them are empty.
 ssl/root+server.crl: ssl/root.crl ssl/server.crl
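Review bot: This rule writes its intermediate to `ssl/nss/client.pfx`, the same path the `client.crt__client.key.db` rule earlier in this patch uses, so under `make -j` the two recipes race on one file and run sequentially the second silently overwrites the first; give it a distinct name such as `ssl/nss/client+client_ca.pfx`. The four `ssl/nss/*.crl` rules write into `ssl/nss` without creating it, so they only succeed when a database rule with `$(MKDIR_P)` happened to run first; an order-only prerequisite (`ssl/nss/%.crl: ssl/%.crl | ssl/nss`) or a `$(MKDIR_P) ssl/nss` line fixes that. `$^` in `openssl crl -in $^` works with a single prerequisite but breaks as soon as one is added, and `$<` says what is meant. As in the other client rules, `certutil -A` on the concatenated `client+client_ca.crt` and `root+server_ca.crt` bundles may import only the first certificate, which is worth checking before relying on the nickname.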
@@ -151,9 +318,14 @@ ssl/root+client.crl: ssl/root.crl ssl/client.crl
 sslfiles-clean:
 rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+.PHONY: nssfiles-clean
+nssfiles-clean:
+ rm -rf ssl/nss
+
 clean distclean maintainer-clean:
 rm -rf tmp_check
 rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+ rm -rf ssl/nss
 # Doesn't depend on $(SSLFILES) because we don't rebuild them by default
 check:
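Review bot: `clean` now removes `ssl/nss`, but that directory holds the committed fixtures this patch adds (the cert9.db, key4.db, pkcs11.txt, .pfx and .pass files in the following file sections), so a plain `make clean` deletes checked-in files and leaves the suite unable to run until they are regenerated with the NSS tools; the OpenSSL fixtures are, by contrast, only removed by `sslfiles-clean`. Drop the `rm -rf ssl/nss` line from `clean distclean maintainer-clean` and keep it solely in `nssfiles-clean`, mirroring the `sslfiles-clean` split.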
diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..2e541cdfc9c6da2ce489ad74bc2f32e25028361d GIT binary patch literal 36864 zcmeI530xCL`^R^45st73C`c_tML|H_To3`3Lqsq_I7CqqLx>pUP?8{6ixN>hS`mD` zUbF~kv4Vw)2wqiMvGsbbR;*g7Sgqw%3W}}bRo|ISIOIeB{rgJa&-=Eskjb-i{AT96 zyH7Hc$tEmBqEsumbCXjNWooVfGsAEk^Wt(b3^UX}z!SAGLCDbC@Col`|CVWpjq5@f+qM)=Td3h;2>^iI@eLgBl#o7F)4+qltO|mMv>5& zgY}96mDW>1Fk%9OW%ZUF9z~T`X=36Pa&@Ny^A!bsYEKOw$s6HKXITyG=!a6J(kN0o zMHsJ$=n{Ksh;30rE6#-*-FiH$}#c)?l?ZPZ# zAq+$?aD{;z48$-P0|OZhVn8s4k|K2>rAR^z9;vGbs_;lC!y};%kAy-z5-RaXD8(b8 z7LSBtJW>uree-nfqm=nNn^NXe%6v+hPbu>$Wj>|MrMx&avw(^hQ1JpPUP#3VsTiR? z2G$}ZVJ$+6jF2KDr1XW9zK}W&BC4#2Dl4MOiYTf;lO*{(Sh?PWtrx>slFBSshy+4` z2xicmFoWKNwd+mT1icA+t2ben^(G{$Hz8J?N%7H}UBxI;`q-{wuHA~kL!!&z*3|~L zjyAYUSM|1+fgxy?PxDBJ1PcdN5#PGs2G^=RD*2*COqHtCOql%W^9+K z=rZSan$$_7%Nx_xoEX@gSdom3jUmYqJQ~Z&&ko0Qu4Q2Y7|}<|H0oq(Kf3d}j^=fm zbl_^)(A~m8Jx)A>rlIZ$nrK4=5CKF05kLeG0Ym^1Km-s0L;w*$1Q3Bg4*@pQ2y}); zoWY28qLsKqG!U1-4%!d_L;w*$1P}p401-e05CKF05kLeG0Yu=xl>nR0!0iQ3PO$XG zXH3fAXHH`14Szai@MfFQ4Co9)d){n<8vmQF$4svf!%Q1Y*Avx5;(u!gQM(WUL;w*$ z1P}p401-e05CKF05kLg~JOun1nPxcY#T!R@vglJ8bQ4jyLZ#-WBqyu6zTWVA>Rf5E zN*$M?2n&&L!@?xo6b0B(sg%h{Ts6$9(tzdfECwCJnSCV2=p!9^03*{9Cw+KcS3Ql#j{{~C*5o$=Ex8Gxy* zGD)znw^RRSKicPa*}GpXd{3^TQ)>XM=t9HZ%5p%DnDnnO6KmsstnJJdz(gA&fC&7L z5?Ib>E@oJonws})zooelGX;MbW(rcxvrMp_S*Wz0#a?S4+5ObzZqwMQ4W}w2a6Rd&_LOCM9@~S>}+N&bJ>;$n*Pg zc-m&iMI#ejt}*vqI-ZKRsBwm1+L@%>kzGPk9j;%8T*-A#2k}JFo4>Hnf}_nzg?=(APdM;^V@! 
z%_Vu-R_6*Et658G#1(?OW2?)RWBTX2+dZAf%}HNfp4HaxNZ`J?ymHU&JEKZ#{AZqX zjr(ZAN_B*A{9coJKV8_gVdzG2QN^|W8C?f0(@gwY(7^$H&HNZ<2{u^BROo`)gB!&BBg{99 zIwEiW%{!W<8QaRCJ^%Ba^-}^J|1M4N{GvW63KePToCqUzjZ z{CmoQaSppbjBnxPp4_`^;xv(!@2Z9LCGcbxWA8~Z%U8iEU|89J?;wDK_r$BmiTo8u*ItvKK(p?G{Zo&fxqlW>L= zN9allc|!eeAJm}5hjec?&cx_ioWMveZbZ`p7zdVIZd=3Hx=`ym%2j))c^%v0`i)5k zeojkmjAJe2%xc&&tr)lYVx!Wn{j&bw0WPK;n1`Y!wnP8H(OUE@71hW{ge^x^+Q4SL_3f8y37S^ zvS!8IS)0zim@PiP?)^1&FPbZBD{Y1cu;$=-I7x}>Fa~q`YjnI&Xu@(on7F3 zeBaWhY*XO^S#jXTNedjPHmd=MW#*t0Q-umHQC?Y z%896&P`Xo6nkDugvg^o#;=nU??X8-UM{C`;W#t>&Ty9#hGWtTr^HkRpj|6Ks*f!5Q z>bZL~!>Ibjp>J*9`Tmqqopr($>o2t9&mX% zn=_{9pxxYO4+XimlaJ&!ZM$~CK7E$fc>17ajGTwD;zxkc+U&&Oa|!cJ#TNHTLQm(7I>unG#u}7;q}G0 zqI-B*(W_ooG~>5cQ-c=$-@fy&{&t7*ojnd13Y%Phg z{PNzx!bSsi-q*KtBeRMsv&eR*q2*6BmFh+2w5SLC9ZuV(g-V=LKmBIh$5X`b42!U* zwJqI41n=!%kk3?>DS|i|2T~<$mu-ZF`^NK6iNUa*N#n0AGBsyMt=6IS!( z+fUDbwf6&mqobyttjEe&>6x0Tid!YCzM3|p@)&z$UhQ*1i^wgt?RaD+C-jlRBKEMY znw1i=YS_`|yQL+2?&WFaM^BCYd6crE!B#HB{nKHt!ZL*9@uHzvA1(?cEHrGxg|v(6h`ATO{T=rlj>m+*D6Pd;Qgcx$wW{oEXe8NYaq`A^%*?6w6@ z8>+vJ5(azBZ>7z1TuL83JuWcuyO!14bNqIVc(%3HeR<8<+Ups{V@6!0Pq8W)idoZq z?%B&HpH6(b<;v~+#YMOGEG^@d2CTR!Ud3q=ZFum$xp>DHKe2;8Jh9Oyy~$w24hxwF zCKucLWowi6v724bWPbY+TjoH`p50PQ2uq&6@U3yskLjr!tjgZ z*KXR8EUDkrOn-FFB5qI0{-IAUrqN>9vBpeui_l9qF0+7_3?qu T*s62s2Dl?nWtfG;Up`)S-K%qC^)Z z-6)q7M_1KBDRD}tlS)ZS_0HZn&gE@p{?Gq;pXYzx|Jr7+`R(;v>$|_}vu4)V_Jg^e zuHixfby0L&Bu_|XqLff*G|GlbMWIkc@vb1=M>d=|kQ+G=KcoK;e=j7WOsBsgQ9h#Z zL@Sg+52Z%ohyqVRkJv`EA|Cx-Cr}Rv00MvjAOHve0)PM@@PCs)#F#M}Iyz|46d{iv zA&3+Rc{6!J-pDiF-pj$(+kxtBYv<}f9jT>G4iBYzc+GaR^_ow0ahOl_nKRqd$ARiT zhidOWXO`=1dvB_jgNLiFy~9+h_&d```p^@@Xc``;VXuQmg-3-7660ed#K|CDf-o96 z4jR!9qK`xbI~-0!gNF7;8iXw6g@;DP$9u$uFXIUXV}{Mmo-@!OH3(+B1i4MV1bO_d>L$DYf3W3XEdqe&Z zWyVm9C^Hac2BOSBlo^OJ15sum$_zxAiS%V6eVIsKCeoLQ^fg1WW=Pfy$(kWqv!N`a zY=$VCBP|h1bOaLv87~8Z`!bO6G7!&9q@Ib?Gm&~0Qo}-OSi?2&Sy&K!78XK=g^*z( z`Yc4Bh0FsR>B~m?vXQ=QgsNB*f*5r8 z2mk_rz<-RuHWFHdky9g+t^RrnH7gbwCH^9lQ7E#CN}3`{B||GsbL4BJxi}9u`(JEn 
ziU!PqD`EjG8XX@WF)bt_To5IkGV~M_!ZQtt6T%+`!hvyR$b0;r1iJ00df3*2>^lrb!mN=SkQ2foVtI<=V zYHPp6%{kGz9N$o2LBQY3E+EkoQd+M%FDgl~JjPhz?y*x|rKV#nIn(XSd@nlR_LsCA z6Fr-~Roi-gnviz-th2pAwr^>EVs2q}%Ihg7v@`-%Rd7x)f3-e)JlsNkx24{v#nh}7 z>yM}PDqnOywTOP)YVW~?#TAbJO=e+7W@ZR|S=9To-(H{r{{0k$elMKy!j||hW`!yxmvg1g`iPrCfA&v*6+Ed`Z^8`>>P;2~jmDs<5D|wT zQo#@)Z5$yu!wD_G%At+r$ZvYFY)*YjS<}JXJEbJK6toh5iM;o&l<;z6!U0wHrMrW; zCrO+7oW8a9yxxUsQ#zod@pNZr-Si`vYNOKZXK5!6?-;v9Z$K%iPNC4Mqk?NN^GMjO zX(l!40nKfS?mr|+t^o{RQIm?>)Hz)EEt#Sr!V+JPr`dT-J9rMP7 z1skRP8aepz^cKMkp>Ft>&X5~p+x&Js{rc+VRx0suQ~v#G!IFpb9TMxG^t3on&X3%) z*+1k+Zfs%T_0p6p^~-~8zK*wPs6Tb`i`~-HuWzAE)PYAu&o4}?y72b%qu5Kj=gcQv zR#?YPB8aB}BW)V03U55#Fom3UvAgG|+UM2y)2o?fPjyQfnY~$^rF92Aq)vnGtFoS! z0k!Kcvtl?OXmX-0rgCFDwDxdk1egx^CFvDBw9vdbr93UqRf|$%Us%37CwxHd#_7Qs zy;Q&W7@wb2GAn&M)|+-TmM;(B=F})^JDjlCkoU<;%aF|@a7*$+9O5h&Qn<%6v}oty}$I zZd!a$K5=Esz=938Clw52dD1qY*K~I^^l43hAygMC4KgurededHU3Id##?_OtZG7CT zS&KdHW#z8cQ$q6>Ej*iMmhxDO?f6n*$0VWh!nw98YdXgnmBTE&H{hZt!V`mhr+Fg7nXM` z8Fc38e(c>OC_z0-sj}&wewyc&qEr8Z_RP{rFFmJPHRWA`YrEC!%ow-rvQV&3IGb!f zf65$c8UL1|uW%u%SnY|?a(ZTK_)fL64de8sQm`3FElFN=H#5SJ(}>wCrqJ)ZjO%~P z-C!jzC&O|7%p>@D?WQ^INqpw6LGN1r2fJU5P27L|RR3z6)yZ@oH&ItkUc2hWtC#B>?@7t%eu<8EDBp%6rO9?;8B5}bS5vtQ`j-Ha5=Ht zYGV3yr;g?*VOo2aTLPBoHY2(AZT)?%k$my_Ih0MtQ~B zR37cvx4)^G{QBaJq5-R*CA`?h_hJ(Q91Xe8>ICFaOYN%*izaDScK7If3iKaKYvUx? zPSmHNlC8^QLfb>qgBrq)7wSN%dGZ(E2$uyci1|4GaFOGt^#xBiJc~JT*Q0p#H1kVX z&f0m~g1bbM`7!QA#w_8!gf{cH69_YZ6MCO=wye_s3m8z2A( z00MvjAOHve0)PM@00;mAfB+x>2>h237=x7~z_&q$uKx#7l)?Y90fONG0)PM@00;mA zfB+x>2mk_r03ZMe00MvjLI8_J5r(e+yHJ!a00j^L1ONd*01yBK00BS%5C8-K0YCr{ z00jQY1hlbMgzx<_Be?$mC(kVK4hR4OfB+x>2mk_r03ZMe00MvjAOHxA5`eG&zxRiZ zhOYm+QIzh{_8Tlr+?=7fNMYi5C8-K0YCr{00aO5KmZT`1ONd*01)^d0R=7i{{J|V8jA9sVoA}a zlv5HZ_b9oP`D7m1j{JzcpFBveB(EVcNou4Rk{79))Id5$+DtYeHz^j01yBK z00BS%5C8-K0YCr{_~#JN#oD6d!^46?1aZP328+pDWD&v$8v1wl42HJEG^C}22>j0pi1fAPZBtZG-~Uk(Bw7On;0VSUP8t0qv^*Jdhipd=6(N=!b>=Urj5EiQ zW|ZwR!Siz-?!GsoqpQo1o{GzLwDh&cR^3Wo5>zJNzd$k-nB>Vvr2PmbrR!xxoXeh55Hj6%P=! 
zHnb?$wQrAol=U2{@LAPIkVY)#V+O0+H&V5{LbUG1-TYkPPUc21hdt!P>a zRaHLkrZY4n4&A(yP}n%-Dr4#UUs#!%igR|mh-hOadX$A@DCY9&xyh;i#dW5SdoXw% z3(JNVPxS6vw7Ps*VKKe%t~8I?l8pH){-s_sX*dG}04b)<(_Hv#>qnr@$DfoweN%d$q@!G%Zsxf4U~vz$`U~m5%Na#xaqhI)E50RZqLt5BU#)7KVt2n%n#V$Y)b)>RgG$Yt9$cmH zKHrn?ZLWQrIq};%zxf+?Gn0!&G$n~1&1LZDH(u-gL6$|rr41H>CC-JjP2T3vZdDi= z_dSbamNu0fmgdp2>f|@Y^?j7&z_#i|g&h+r7hJtOS3u!5PSH%6dOmfXNT2ezMf}hA z1Y|Hdant<8TMpH2z4PHjhkCvG*X-4fCzY?o%@#gSy3Bo~YA4O)8_U24UbM{P#Yw9M z?bl{Br#{p}g|HrO_2{^td@^g_RFOVevPoHH`_SV#HC~yEm8Mpl8gE^m&~%cwjA-|I z!P`@Mp}Wabn|4Vv*_pb!%MXQ~o11Rf6KvGJ^?`F>o!)cQ?8p=%1J`CKC(3@oinQ(GK&-SPf|=->=TwBJ>F@nqF7)oa}47 zaPiIZgt^XWwlgvAMnT<^{pGFW->CZ_)Y%=TSlN&{y9wT-ZQq5!;A5&tE8D!p5PsL9YuY4th}yl>c#%O zTWt@jtO}bprt8As8RAkMKaoCBqDeMS29ns>aq8`y2)C8yAI+7UUe7A(DvT)7$88mb zO~1;G3}}~Ta##AbeAmj;j)Ln$z-g|nmJ}zzP>#e-X z$t!h}I(4*YCR?Iw@td6Xi1hJ)Gx_JccQTMX@q*>@S;;iUMSdEr%Fc8#SKG1TLUPIJ9=)5rBK#n)X0YIEI`UELO|=iJ;I zLeyK3V6@O_yJqHl!HP}eMfy02CS_WJic))b$p5T$-L|OT+J5OY`(-6b7c^_Qhf+u` zzE8f??~`UyW#Ovx_K)JH&=P}9&sW;rT=u5(WUEu_bISYCy1Xm7?Um~BqD@@Y-25Jl zheFhv?dqFJXZMNpF%nJ6v;=L>IQZ?_J<5yQhY|=%sLyX&j4N!$`9wtDS$iP;v0Kn1 zX(nI3I`gxWQ^B!l7ah|q90h9_ma@On*F)7LI`u|-=N=1@AzEICm7+FspWTYz?BlQb zSYg)JBmsTzRW$`?m3BxZf+9z+_eoIj-!A`y7^gaO<+E+`zDDLADtPTAI!s*BU=zGy zy(qul)8~h6|Hh^^ju4#Tgce}s(8hA)myetm7v|LELYf~ub$#WOo@LI6Hu~CJ@4TA( KtL=5`OaB6Y_1OIY literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt new file mode 100644 index 0000000000..dfffe92b90 --- /dev/null +++ b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client+client_ca.crt__client.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client-encrypted-pem.pfx b/src/test/ssl/ssl/nss/client-encrypted-pem.pfx new file mode 100644 index 0000000000000000000000000000000000000000..940af9f2967aeb1d3be1c41db6cb2d1e21c757ba GIT binary patch literal 3149 zcmY+Fc{CJ^0>x*{7`rGUg9(LXnV~_l?~}2GPnMYyYV0XODhy-Iz7vhIWKH(nAWI?3 zkewmPzVA!(`p$XpeeeBo&pqefbMBw_2gfs`Xn-I%p7|VvK`dA|_<#jS2PEQ|0bo4S zDICvq2**P{{!>AScnI-N^o9lq_+yFxG(b2ngz?`C%s>d76-*B^sg)fCyam(H&;$JO z5FBk3u(<#@Tp{AY)Ix+PJuFYL6FZG=V1Jq!^lg8gG73&qCcPD5h)?g`9ab=dF?M%L zP6$Be?j#~zI{XO7GGQi@Xi3#;-iaYi+p_To2Tkj1r&DbqX zPH}h`b+{|n!5l{BRe>Is<(6jwO^QsZw&;aNGhFDdt&rRyQg7~`GpA)TY0~u)JMYn*E%PEP=;qt&MHw^X&wyZ4eA;+_U!N^Y z3JFQU#G%$qTmV|hoVatG-}yMN_r@*n6v%AYeqm(-l}q$Hen;|u09)UNzLk{)2~=Ab zMvu%$$uA?wnR=Q$541Aw2GR&N3{_mV3?VoqR7E=4VphrShBpqWd(pSw=)2J@Wt{@` z!|#ZTwro-&HvWPQg6NL3vgH78r;mQ`rIHyfwi!fi#u;8mjksNTt=2#W_wT-syEW70%YoOnIVG%2d>461O7l1I$Y^u-WE+YwY{9NkYZ3eJ z)}R&G#KR%c?AXosS#@6{Z+bHzRcH&sh zylPhV%Z7bFwskTCGry#d2R0w0Lz+)f0wwV*vd?oUM{(uX?V?VmRlNOT8Am+I`8Bs-@1`9 z4}wL!CL}U~87^RKUVl?dyP?Jy5gT$-h04lbhO1;u{R@3d_{xw&6fVUf$y)kafD#tK zcl=;hbZOuSW5W%7s_MqmvzqOPpy}<1Hd}MfAqf;}>F;57glnBY;g^hl`PJ{rj0M9b zRY*06*&#dHVph*z8)d_+thd@KbMM@ukUc6(rQOdWpaeu%XY#=m@ZcR?+d3cp+Yt>O zX3b+=g@CvguMYHayevE*M#}m%F4}*5hxhuu{D>9YOzceAnNwD@mT9)n{xb_B(jI%h zKGT~!Mx-?0vl^uQp%k}y+R<@{t&!~&-So$`8CGbL9q3cW&x_wJljEGf4g4(eyFA%I zpK{&|Vlde5FQ~nC66LNp>SU=U03y=gYYi;tEVENfjaJ`gegn=eO%hnw`W(tICkFXK zv1Z8ie3BCRLg&2B#KZ>b6G`3yBT=w$-SKXlEEM~yAnpfZ|42@#VBs9U>KJ2S{h-Tn zfZI_Q)XyT1OjvZ@4Zok6QLiAG_^YMvDOZY}sL&Fg35NFf2rvaFX?}M#?8}fVWg+|X z)iw16AQ`LF0#{A;*fwGLB3HppREf|A=oW6}P8LlO>2gWi$p;Pc{_}K+J6`p~x`?lZ4~2euwYm?AI@K8t zV30_S8HsaW-%Uc#Ns3}LDvyNkb~$-kTxnT1Th_HQ@=6-c!YGEm@-{~+PjjTxJ=+_v z`OsOQt+-gVbJtvhN0uN*vvJen$NohnN^u3fJDb$tNIna_ag5lMKz`_l&G5dJ*Hazj zDRE`v`g(p8(J}6P$KcZ2!udkG%%1$!xF)e@eG&Y%`6jLw8&U|u>}2aUe{(|RR_k*Y zeZT~i{7N0~Wq1x7x(A8b+O7iDRRH zAGpT(1IT0Wd+IS~8X>5*8#Pv5LH!J%a7cg8feygeHiXs}8x&MM{K1OX)xv0errLI& zC$&@2)x3^Z{#c@9^vTA$?2Iub$m4bU`s@j5#6B9ls{3JjU9ljGAE+<=zS+cJV@GKG 
zNp$*GW8^|0UQye%v4TqB9vCM1$|$uyM!@m3YX1W!BA!+njHi|S6N~+kFofwpm|_Id z5b@x3I3B$GfAj+VO)oio6CF%6`orJ!0^`A5x%(LtgF5rIa=O=DPaqQ=bwM(|dZ;;< zrV*ohWVo~T9!9TTt*U#OKRdKUHBZch{^}1;6h^C*x|C5GpJSCC!oNDJ<-|oC4zCVG&&6~!x#Ko zB`5>kJcdd#sbI29jb}R&p-z`1T-Dlsi6hmZ`iWez0v3~UZWHXCrL`E(Z-B01v{sH(M`uK3LdWo}ruEhhCG!OTf2_w3M*N^Z*SbdAVNs5)9$ z4Dd&2AVIc5M(A@FUB--}4L>Wc>JGcIegma%m(u!cQ}Pt|5d@+)qy zs=Df)`IjEBetOWh)2G;P3?SYLDOWo^Xc)J1oP2Xa^olLfiiiw5KWW`2G&Fto{Pm=ZI6gtNz2KS2Du{J)>0_#`bWu!WdmU#!J>9|Cf51%5vHLg0e?T zE=dA@KcFU*hK56|`H!D={s0MPb1?})!_bv~_En%2duaa`9u(|;39(?(IR!VE&{ub2S(Ddv))SIdfpYM+au|{?uYX=}8XS`q^9>bLP08C+hY)Wny6UCdO5dUY5lrthC7bepy7 zzd~Gv3;p*U88{Ia!5onBbjyCNI`7l1QBXs@$^Xn1G=U=CPI jn*)YVu~usO@m9O{+XN)C$E?%e(g`EOO}awZ(T%Pw&9oe0TZ& zbMNoo`I4C|vC-kFCY^Y$-jJy_iKT=+L6StESWFOvHQ24d-nsFB!R^d|N3w_gYo;|Z z&i9TT-A3>SG!eEx&?jswY}0H#Kn8D^049J5U;>x`CV&ZG0+_%PBoN5wi$u<3LTXmB z?nQ07IyE`VXjEluGE%ixAu-CJIHfo&a*}d}7}bfRBE?gJoFvAc`*<+BuF?qcK}& z=n~;RB4V!Wt)XDu^P@;Bk+U@mhLN!F;1(11UI9xP)L5(Ymdd2wuz|&d4J;-+ zy2XTDu$XYP784HHVnU)86Jj-+h>ykWc0;5rrQL4w9&T_-%nf|H`{2{r2YGjYf!Wz# zV0N|zW{vkp+Ml!d;CHN86g0F1R(&m4l4!{y_=xA-fq7s z@7lV<9XN1EVka>ZdV&XTp@eW7p;%jRwe=NG*6&kwb^2uzY_JaemxxAd=jQAw->Gt% z5w@mg+}DeyeYk(q(q>o5$pTK+(zJ?($X04kV6@*-|Abrb&;7QfHpJd=xORqL?6Q9} z9#Llr_Y6K%FjDeD6x-Hr72+IIq=}UmOmW^@dZl7((XIBt+HdrALfumpb86N`x5T-Y z660hghS7DSOxF&0Qunvb?T9@4a7*CWTQA<2dSf9w`Gcntnxh667gwna;+pp39*&_u zzqaJmrP#uR&3Oxrr_1?Gz6&mJQpPP_x#06lgcmpJ0YAb)HS^{hM+=WO$R~Ui8sWQM zzT)PcRnz0Q2UxrBe8cPPz{>qc)~wj)(7GkP*5vr`q)+LfL&4weF{F0z4j%h~1h-+y zJPx;e(w5oxo|wnY0i3wswh6%oJp?i@!nI{$)4yXwV$qB+fouTd$EV`C)IjezozWyV z==COXND#ckELQ1_rWAuNHac7!8yhY*=s?D3Ox0(JO|Ypk8$5AwNDc|)VtVexLs25_ zF(L_!bd4A6UrVx zz~7FcrzXH~4dlVX)MljWvP?-@^*F7;#N<(SOdi=%LVur1Io$a@D=c$=( zxM4psr!sMab>mg-ScOM}M?!{a{HC*$uiLzK`^zTYX}8ett8cp{XD(msQgLAA#Z3J# z>9peWVGU=B2Ryac&1TyVl`{vw|BF?|+dEq-{lmjs-s{+v6g){pg?x8v)>U2^G019U zP1$Vcw0h$^pE)Kr7dn`dX4MxyyWpdMcNQ(WtMXMek{uhlZ;m7;C#n>Qe+w-BAi9iG zc+-AfR`r5n)5x|j{COSWTVMUukeyOpsGC)E>1IxKxRcME2QKQer%P`P*))E;cDvJ1 
zkMxw5xb^D&?{eLOvh%8xK5nCIA95&g7VfZT1k6A{dW0jF$515M(UTdNY`}~poIc3E zH}9uQ2QMbdqI}bvInR&DrN+-lnVR|4?KN+1Q0{bZFRGrn{7_wWV~*_v_j)Qqw9Azk z!U?|djCNXW=1;GmyHdR9?JK3Zd+o}?R@N(4+ckL?+&SPHZw_AAWaVDs zsP-kaif5Ghd0FqjdVY8IH>xij9o#sZD|0q)9mC`eXt=#nJve0dr_~(uE@|bV zArI1KZd`sSOm)hb;hl70SFtwVdFpM!65qoU1#9;n<5azSeR9ga)8%Kf&P~?(tA@x2 zy%ksg?7A%_`tXJ=H>uWBjwz*v1FjG1U*u@4%WFp6OS`kR zfq41|2frsDPVWl?%;D5%%ouMDMq>@S1^RSdvN^7D>OlB8&__t^2WXECs)Jb}<6sV| zwxEOX=_}i)Gdwm>{?%Wupg`GISTuzB349ytg`P>F@{3ujyTrbI2l7sz-t^qIpD)XO zSG;%p;hyg=l%?mc);GT~=)r8og@r9Ayj-pi{!g<(u+`N+(8-=@+vJw(?h`RJBsJ&d z)43iSk`#;Ah)zA{*JyR2@z91VMK0ycrekk;?k4Y?k5A0paz2)F4m>=4#LPm^&!Y5) ztA31bi~p9r?{c^D%?(qJtg^YF%#5`;@_Ez%`&Q+xK>LHk+3lK%`|y-i$feI*YhE>Wo9@K))m2j>+(raMq^SQnf0)|~Jl)aC`itw6x1EbW^^zYM*`A-j z(SKU*lBA;Ctrc#|pD!5d`LE*Gl9+iPzLh?vU_QDQ?~jNE&xc=GoPEBM9so`<9(|Ue z+vsNcDt!rOaK$W1TX3jr=gki5yFjWO>d;H(3|Pi zcnM(wm;fe#319-4049J5U;>x`CV&ZG0+_&)B49;1kl^dAJb2%N+i&*?C@9AnPWjpV z+Lr>%*Z&_AbRGEg|5x;J`r{`xLad7kU;>x`CV&ZG0+;|MfC*p%m;fe#319-hhd}2& z1Ir_K5H*^7qW99Zzo#eI2NS>qFab;e6Tk#8 t0ZafBzyvS>OaK$W1p14>5K2b&^&@`f4-LTDzJAZt{22fdC9~-g9-v7 zC>Dxc1Ph9aA_9tl9mED><0c0f#yc}f-g@h<_2#~P$l3YM{`UT#|NiZ;lfzknn~Qx2 zmyPE{M20cBcw?A63=W5x;qfpSOoqS9^7rvgk{?KnAMl^ye~AAslz|z|eTTsf!=zHz^j01yBK00BS%5C8=JZxRTVl2X&whV!O#nSr6~ zFgBNI#pE)_pQSBbtEvi*Z)@p}ceQr5H@CE&f#-iR4I_^}Q4D8EOR8CF!(k!eLF~Aw)uH^PKQo#e0Ui5~ z>-&?(BeaF2q?#H5?h7?wtz?D-g-1m>M~1{OxooL1bGD9F)?RohDX=in06&#UCQ%H{ zP>_Zvq!G#tWQR^Pk^D&mO8!a1*w98oQca5h_aC(#9k_zc;!bFwe$t2*DAt};m2`Q2U8f4Pwc?2qCl0b$`66lag0wFRKya?IYS zKS-G}8bityNSOjDQy^suq)dU7DUdP+QZ|PA8bf`Jp}xjYUt_2*9m>+7EFH?yp)7qg z3n|kfWfQ0+M2QSxqCn%NkOX}x(0D13XJe?|7^*jh>Zwo-6{?|*)d4=q8ww(FP_H9!$nP&?o%z z!*Rd-aJ(%){6pLE6Z31w{qn={6Z6CI6Z6CI6Z1pCOHJT`9|~S?W1-+hHx>p>gzSls z^Lq%rXhz!xPS^<)*a@OBNkM@mlA$p|Qf(pO?-s_1?_huOM2zIWqeu(hRWSS=E*S~q zKfneE00MvjAOHyb2MMIh!g&Y@Wh|EQ?2>CXmCxXU4ORs6;Xm@!3|O2E#m9=Ab-Zl1 zTs7)iYgc`Icfx=kr7;~5p0J|gzT;>}smZCwILPm=QHE z(%^8~1wg>ow$sRVv;CPOAI%)i_7uuYSEeP08k4#`>Eb zZrR?MiEEY 
zf`G#ja6CyyQhHPcfhK85q61PE!P!U&_%sQuvgg&#tVHcKgPhFL8nQ$pTz+GDY--Ji zs_;vQB^}bTbT6C3F>8{w7Y8-nvTHTlT7sya({8I(amdCyDwlS8$0_=qy4FQ$*KPVA zwq<5$Zm38c*|~A#414g_;EKioyCZ(cIkBpi+~>Xy#tm9~-w!YUbn=?=T+jS|jcc?| z{`A{(c9TDvU(vj&p@dwg7t-PUDz0={76Yx{9jb4p?eVKSjIjPdzU;=AMXakMKbCH~ z_i9Ih`?|F=EbHF&N){jQDL?X{*AN%sKI3ZVlxO`0<(vHC5t^)q{c0Lt>U08M3 z64!NyE8b>!Ht@Q-G}F}r5%DLswnT6Fbj?f0zmt<6mT|&KYsXG>In!_f+$4F| zw${&xH(LH02@SbV<@wWq5H$^|5$g`tJ~(`IPy&8imB(F-fF0SDO8(y7sn>jGCDXJ+ z3++8fW9t)cFj zM)t4^sct)3|K;S|+rj5Ix4FrFRKB^dznL}ouo#)~va29j{S2YN@M7JA=CDfL?bvJS z`%K-k_nRwUZM)WU{s<#ICwK6|naY#jTr{4WOMZo*?jn3Q_A6GG!?`W#~`!Hbj`DsIkB@)wy-P8iRS<6xHpIo{1)05eYL)2Be+V#xl&NLnFNZLh=)ElX4 zz85-ad5r53^{^XS%QwvG+*mlQ9)p^9iMpj$=BOR(-BNu|XXYE&0g}9WN1nyU&6}tR znHQWA?!+z?hr&4*zdDvf&4Z%BOYjXDw?>XFQP^3ws`~hf@F?Af)u)C;Qc!R&&YgdB z|F@kthYHr{@+nm24dqPM&j=vq=5u!7hiXQC+jXgBTf=fQc~J@vX z-QVkeA9%XxxJ#q87W1Hk=G=fZ%kEWmYp5k7t| zT42DZpq8xc5nHbO>!xSk+m;Sg&TP0cWJVi|-iA7pt!Kok@6)MEDW%mP{xYLk@5`Bh zC(V;jdQ$OREC18o{W>T6a~hXg`;HVH(weu=p|)-xVJ7-5HnM2*Bc^^rWyYlCS`p-# z+h?o38Ze5rjyCo8#8qJBUxa_zVWFAO?YHH6&Wp$1yOaCh{%E9Yd+^qHA90?yOdJYK zhdcX5Zf)Hk9;R4_lv)Avp8I3(59>41{nAx=+w|+^i=;3ox^U`T`C*0uwPwB*i%;QQ zCR?%ivYN$(23gw=RI9E@)k}sE3SNHCrMzXr_g?#ux+mRrAm-JGx@)bX?KHAf%O?F@ zkB2S3S!@dWe!$wd3s$bF>hXQcx4j1vwl#W|wuNfF9&XH=TXg#DP|)hgH_x@sS-dT* zCN9{PuM`$=eJ5APXUpT?+EC4?5q7@B+F4Br)+2mk_r03ZMe00MvjAn;#CKnf{=7Tg3Gz5f3O!+rZN z8z2}CAOHve0)PM@00;mAfB+x>2mk_r03ZMeKm?FT7<%;jzXyiv0Z;$|KmZT`1ONd* z01yBK00BS%5C8-K0YKoNOh5~1ivGJ_W*oi#?}Op`{>dW*-T?tX01yBK00BS%5C8-K z0YCr{00aO5KmZ2QKr+yO{fCZ5um4}ba4!HSKmZT`1ONd*01yBK00BS%5C8-K0YCr{ z_@@(4LsHRy^@od5{DHx7Uj@UH8GZVvj}-U^1ONd*01yBK00BS%5C8-K0YCr{00aPm zp9#on3hw`FV3c9FkGMHFEnGD&4tF1yjq}Dbu@=}4Y%ca2wjP^+F~%rkR$*K*FECA* zQcN0lGFI|uC2#}?00MvjAOHve0)PM@00;mAfWSYIfDY0e9u>0OpT&;k`csTKbfz(7 zw*TnAyQfgJgr-TF+QjIcBkrD=gEVd+4sgs?P?i4>NmlMu22mk_r!2g^8kEn$*PgI2c{g0AJyabY;BzjuPqLd*F z9EBx0k<2F!wk6Fb{NhJ zTZP49LgX&X>B_E^xi3RPZ~I*7IKRyc*<;XkqQh?>HQ zk;EXDQRKcVGhW)?v-0yr^Ka5E7cINfD~_!^o!S~Z(3I%?MHI11_}59d_n>SaaL^!xT^NAL)$ 
zLOqJZG4|fM3rDMl@acKJzn-rwtN(?2`t!x|gKh>3I=a^@{L(DSqX*e+aGS((|5)D_ zxvhjOpPeQf=I<-+VY@EOkveBS=*c6f2=z!8gJV_7RE@*9g(gzo3ZKwd7$F|>;yA}t zWv%lM4TQ<6XYxdOR7+HN`c6Y*p{&D0J6Vh1!YO{-T`WuUCTz`@UDFlxAMgmuLOs&N z@Q5awuMX|@-J=wzQ?`L>U~3eUkuvN2iMHuML%D{p?_Cz<5mw4X)~zea@(yEU*U%nk z+Lxa+b=ox)7uK`GPOdFSi$_or>X9mj$KGdECOhw*_uIOIjJfg4qgiT)PC2ZxhsP{D zIxs!HP_xFE9uX_tq&TxpI&k;6?4%i` zDZy$ggT;;!sloBPD>e0bi#Iz2{ZI<^5@qruilT!%WcS?OC|hQ2;LRG3f@59=vtjw+ ztSdermu21M5ivqd28y%%bhadNOfCnKkGMZLwP;Pt2KSVT6Zbz|NiT17qS)iNuN7rd zs$A)Cb^fKSRVCWD&zYpVWnK;RK&g_;Z$XOUb0w}>O@!@5)yE&HxjSk$C==7OmdxQ1WrUifF~uPH?UZdxo8dtNIQz!3 z16gmwY&^}^)^^#Zs-@1uXm8$-A&Ml;dYM(1U!LCeoxQL*Ey+zBpClQ-q=flHil!<> zi7jP3B3h_Px;P&#=C;?MY~NTMsZHr^JvpxeW#^ZC_I(8oZszLIZ*{vUU6je0zKVfE z3ij8pCo$Tcr`ldYJdb_8YZcYt;mCm~pIaq?JfifUO#XcLP7IPM+h-dj7jId~jwEqD z&37gGbriS`H_kZF_I_Gj05@}=D3ewgf4E9|YM@8%SxNLv)P~2Iuf1QTT|3z~3H{(% z*>9yhqLgrx;w(YoI*TU<;3af(rUX3ll|M+9eJHd3uHW-nv_;Pcr-Wzvh%#B9xlp4m z-3v*vDwTT~9eVY*tGYQ$->%<(OzUl3VnvKMk0>eBq*zN3e2z6HX!v{2O(WX7^WO`- z-_O%IYlSMM#D*=Jvu zY3#B7G)r||+pP~$7k`7*gk@_omF}n7eCH7*gqjp<2}--=V866>1FCsB=dwu*H>Pmf z>Uad%>wCQ_^P@|h@+wg#0~X2Ia%QA)n)^=JD`1~ZSx$M)psOe;!sL&?tnslt$0H(z zniOjZ`jGHBFY@c5X~FVajHX1Ku$nj7>3E;SwNL`Seen+Y!26 zeOtA8wEmicSt392R;yA;P6o|y8oS`Ep@yd?YC`MlF$)j4Z7UnHd%d&fK2INx(xxUV zkKbosRr=w|;XyftSl^O+FN1a$FTT~2O5*WIVH4N;7*fEWF8{F|ZK}Pg#ftha(R*J< z5OaTQ(Z~q6*R^uWkKI*OPW$8kf~A%uIv`~coQ;%#Pm{pDOmmI3_e@0@=$Hq`CrZc{ VuUpY+#=ZPFXt>|`T2$G?e*uT81eX8+ literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt new file mode 100644 index 0000000000..67ce598fd3 --- /dev/null +++ b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client-revoked.crt__client-revoked.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client-revoked.pfx b/src/test/ssl/ssl/nss/client-revoked.pfx new file mode 100644 index 0000000000000000000000000000000000000000..2ab711880535eb3cec99c033365797487765f042 GIT binary patch literal 3149 zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@ z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU8p)rM|xM@#2Lc)Z?)XrKX3Dmj10NiKJQM*upw5 z8Hh%s|NsAzvJ>1e_M{DIf_brPO-+=trP^=8rB9o*aUPJXma?LXQZA@UpGO#ZD~Sw= zKI};c)(sgEU|q0e8rU2S5JNU=wCX0CV9^9Kpapf9z&>bRw=FF$k5a7ka3p*!s9@1L zo`YoMf=K=ydZ((=n(%-%5%nMkZ?$v{DA01Ctw9_p*Ivv()Yb#kI;UP{A(gezW6aOF z+U^@)PCs@>k!L{~SncOm*le}XxF#!2#bA}V`Z#-`F#G(Hf`Wr{s~*4vFs#OyOFU^P zgAR_LfR?J5F){^=eQ`3p4OR$H#M%%cvvg<^ek(3XLEEz8p#^|Fe7Suv*z&WoJmouF z?Gc4p##+MC=7!hr64!*^A4zDy!HAhwWFtA*CoJyHS(iDCo;2N-F6HBXSR9`Y(s$BG zj^f#^Mt+HdUM&r;x&&i8O+?+$ky|%ui5+$z993~;!&|W>r*`>j>dCn^@IYudf0*#M zz|BkDoL7cH7`#}JfLp=3Gu0abhO%%V{8I1xUDks?HG~o!S)%Fu9AER|ymyDXhiK0Z zTCNv&i(Z(7b6i)O#%pSh8Z=O^*Q5-ZSWmxYb>WC zZml|^CZQ9AxugM$8Isu1C#M*beH3=tKSGT=(L2rXC#_icKP%!Ce(U(N$kRjW{S+Br z-f4}}^$CigZg(P&<~V%ZPqo@UX>bmhPlLwlH1|4$rtCvZ4Yyv1M%qPsjb~eV#6b5* zj{RaHS5pLx*yUt6(YA4J)tZHRaVN@(qP1IiFealHrhilm4b#kD!$BCQ>L8wKfwh3ea=p4Ox|UOjF>ER)mYDAqQC!as|E+*Z<$ z?5paC)2Ymsz8xY1>eSOm|DD+LWRnH!9Vd*a1=|Su)&LG`WjU0imaU+Zw|*6^uBk-A!^#7|V_>%k1U> zP}jPDkD6>PK$|GKWdru~tu-c;PC}C|rxf2qw8qHWr90>vggkz-qB!k73q;w_qQ^rjAs1Ib6KEM48<(&`k_&f@Z{HzdQ(j{y3g%WLT-C1(-uM zXDx{cfnNus98g`B7ypCNOv(`mrx$OFv z&pQPoxtCj1&5e}+v2XJjrmGiF)BN3XoXaE;lJ{!fW+y?cQ^q@P?z*{f0) z#}1%i7iY+6*48{z8nUsBvY>Qwhb8TS(_@3;b&z>4w{Qwy`DyqUj0iORoa>}E&T{J& z4nYe6IH_9ZWp<&IavmK>e%2oAN|i!XmY+5zR@L#_I6hb5ot$X&FoFd^1_>&LNQU$m^<(cwGYsQ2s|^DH`xb0bD^D) z!TY0aCbp)j2M8cH@R}yCQUaXMF`UCposg|pJECO{L`_3PvNkZ|`zNs#e`&nFVhm{K zguy&ymGUC836RS(GvBD_WvApWJ`VX>vz7~Y8bm(DaP^FuA_jgL)4A(# zG=e$y=6W6xs|Yr_3(oFC$A*cYG}WKKccJXUtSbH~Od8wqdg}Mz6)=*b*kj7)eu&m` z>n~m~)+AV%ZVpdtfe^dVNYkNk&jTK}FexyYXbMux+#MYK^Gf>!i40XGeJtHEan8^m z8)~TdXAyCWJU8=ZZkL}uffb;+7Zr!WvBarp;k}-6%}IFd*F$EFwkusV6&vC)J_-y< 
z5tmiXBs8PbteJqnmD&Id)FWPK8F?0t<#0Q;`@$(_3o#;Tut4gAGzCYXf{v>u)in_* zm`BBbTkDSCfjxjQo1YsghVW1uc!?b3Cqk1tpYt`Jx?MM2wLDS=R(yW{@%ft=m`mVP z*bP~4BU6nljz!LQ#TBj8$mX>)v>fCLN!Hwc1a)>@fOdBS@vizq2R&H*Q7E0yH72uM zXa&_u=`oBFW4sQdRavg<@UN&6i;@lWlVww?^Mc!`Dkm*zO@}Nk6U*(CP8-uU)}zj# zyN$8OX6P`tC!@4;RFxA{5AB(goVK=f#~Q|J<0(`3DN-(WADoQOAGO=>kk*0jYhKJl zaR;Atq{UDDp;xW~%Qw`K-V^w9ZK+~zYp<)$9I!v+wN-C@ zIe`>|1+HKeAyJzU1Tk(}<&GXyunilpab)bYC4UV^)Hz0_J*4TYvv@DbM(w&}S@xe~ zL16JK8KsymZ=ZlVdMaL4`NWu~B}unol|Y|QcQ6-t6#`*eynmPcz>^FzK1ddna2#!l z%HFCq`+2A}SC|~1v4-E?ICdZ?R8k~yn=*yY3q&>05r(Tv7Nq%P77ij3=(zG8Ol_GZ z{lAw#(Q^BNJR^b4_NkSsW2dKF3x{Z{h?olJ{gh#Rdk@*nK0fLX$|EU8es@5E*R+}8 zD67NTx&trLTL8hr{w{kTqL?fOU)tukBh5pCSs=Fu=O>6oNF@+SKv&2Xy{Oa`vvvFRCH82Qf^9&#DQQ{W#F#v%t`&R0v>C zI4pD>!p`Jy6Y~1^YLxpyh2-4&boYXz{>RKHR0<#`B1>VM{$QDn5t|@~wn{QFS$z!Q zZ@1enHkC~XzJx}J80+em0YPa7;aLFL4qs}V_+`8JWuv-}L*dXr9F(W<(w*-V9v=uA zn%k5~B3Qsy8MuRa71HK5YEwpQ0Gq=A8WD8&GNRQ969J?sY=etOw9vQsYNBl;=G0yhK5GwhQ=larlwKi zye4J_CWa*0_IV z2Y54&+qGrPUC4dt$>ZO*)%q{4x14vAo8!GyW3<{9)zs`N>D*O{55fF?J7Ex5h5F!RyEJ+ZoqC^yzRs=6D z7cBx>s9@oO2yRu{Vyoh{E?Bivu~^Gh3W`;6t9Q;MY}S5WAL)1d+@6t{yk~j;=bT?= zUNdKAl8_*gTq$EOOiYTGDA_#32tiTAoy|rNM2}c?iM4y769%n2LA;`U?B6r>knyhf zSXdXr&}&8XA7J(R75cII_Cx|MkN_kA2|xmn03-kjKmw4!A4tHR!7wwkLc`?=(Xtfj zVu?IDL7@<pwDQDYBI5>CgWICxZlT?V4M9JcM zYB2gKkY%qb@WxK1G0cWpp%J9NLKPJ&lPY@@==~J5rLSsmaL!l{D#L7O_c-JVg-Vvx zBSPyZqA7e;L&zDM8HnnbSy`c*;+2x9I9ZQ-k3rGugnD?2y!&#HN3+Gjelt9R!`ail z!`U+f{DNkBgBH931AIh&UZHFc&%oeNN45kfRt~XpiIoRzG6UprK$Z|Bg&-*;lc0)_ z4>kg@aRM7>un~gIM6i*7O%$=2NJ`O_`0k)=+WQc~H8RCXq7l9V_kCN4Q%E)IOThCgAaT z0#HF~f(lv_w5~Nl7qliAt=0rX)|!B*)&y8JCdo%@_PUXzw7I=*PJP_KTcWAp+}j7| z?mjs6_Lnfb`%9SJbqTXi-R_2o-0uDoW_QDc+1)T@mrmMpHMcw>wdwJJA9O9vy|_V>uLtnYR^+XhO?-al{#Yq(r4mB-4>S$8{v9 z$D|UWmI=ZwIH^amXTa3eyZ{p}kN_kA2|xmn03-kjKmw2eBmfCO0+0YC@V`TV$p9Dm zb+FG7tPAVFZevZ@CF~55gbO492|xmn03-kjKmw2eBmfCO0+0YC015o52r#KM)W&DX zFdfpEvhE^7Yn-Q(hHJi%rZt?Xq~To2rRY#;x;D<0IC=hWI1MqJhK)9CGR!rcfz@E~ 
zf2sk(&Oic?03-kjKmw2eBmfCO0+0YC015nw2+*hqs^d#bH$riD&Scz;L7hpX8VEvV z3MD%!F;U6(@&FH+v&D%DWlWMRBuK;#2@$cAWJE%tkS8Xvm7uCZMclj27$6<`0O`;M zNQdf2OE*PvPmVi2S;NPfSMsBEPxno zz~%|4K#nqu>ZXei;h5sanpp>Zg(42jwx|@cB+dE%UWB;szZz>No&adT_G5ehyI^7K zkN_kA2|xmn03-kjKmw2eBmfCO0+7I8l0f%NgZ7m%go>l!rV0n*1U^}o6e*RAmnJFc z+G5%u>KIgWw}7^Usx6@mqT1;aC;t;PrNBvZ{=W&qTCjSo7%RhCu}#?Nza(WiXh;AO zfCL}`NB|Om1Rw!O01|)%AOT3=|A~M(m5;iY+`sDenO>?W4Al{Qbh?hQ>5RAL9s^Ly zC=&&GdDstb^QL@phgtICy$_@cI(gFoC=E^Iw46$92#}xr`Q#^bO3?M-&yqFw0GLtv zy024a5hG(D-iU#<{xHS``dKuBNWAT$9?V!qGc`0c29D`Q!ngD{e9QU>VoEH)$&l}e z*brZN@Xrvh5ELP9#(4LKPbj8FOf%cAyf5}N&hWSUyExA6tHyv3lxQKi?}|*fTPXj2 zbxqK^TW}L;)wO>1J?PC^->eG>TM~hpUv522D z;c%TfJmQB)_;buyd?%dG;cJrv(1IGZ?%QpYj!@MohTv*ckD?|(99(|6a|3P1duq4w zPU^#Lo0uloZ%jM*OGc=lYRupL`-8DS2vh>9%>6-REWEwn}H+Q7J*XTc)0CGp|V8uUfPIDJ{_b z$NWqmE7#ci^d(HZcFmo6ThG3jFFd#D!wvN>+N$cREXMdT7T@DWmp!iAo>e;S;vse8 z_A~>BD%7Rk%6~Chxw19W#?y;8xiDga=Uj)wv!5S6y=a%o7nxU^oA0Ggv>ViM*?I>f z2DRbYn*Z(S32Is4lL>_t6O3hN4{!JNd9uBBx!v$O&**~d%t!A>xyH=DsVbsSQ3NeA z!VPf);$EN;CNw%uMbVdinGtU_!3;&F;ZE;}>w^ery8E?FCSzT$bZ z)0dBU8@E`tEjs2_GJ&R7^WyM#mhb;?O0V8L?uz->>TxFHE5lOPJYQAyST!zx7SsFb zj`DEPm9+;QU(RPuEIeej@Yw@i_N~OD*{wUTowrGyr`Df6d{udr{m92%CmhYj)a4h< z@XZPhZZ zJ0g0^p0!c3Wh>VCP|2V>2Kit-2)cbKq?`WnLDx0kiQr5eK>eoRiFnH*qR>N4yhSOm z9C7cyqrDPb1^t7oV9r21EJzIC{|>K5ezNR5#7bLLKB}?kFeX2FI{qJ5ZpLhMmE~Jv zxw5SrIvt|sCEYa|nN}T<#k_u7I!xu(wzKc)%bulLV#-j0Jp5EXxTiuTyRL>bw`KwM`;ogVUlSHD2pS~=P^qgu&_4?uL z+}re0WRT9tlcn>lVlOE6oHL2&*k-JZoO@y0l;lH`_bgj>U+gNpj=tPX+cgsLjSveX z7P#kC1(i~^wHYl*s7uaMj_kTTiT+ZwGy6=EDyD9mZ0?SxwzN8trStqJ){@fU`|g_O zOvsn!TMo5f9P==AljI*C(`-Fd>LcFHwxji5yhV7mtjg?M^0cYuy9j=u>*5Z|BDReXWHq>2D)1Nr@0(FL2@hHTc;(6CbI{kF~)9qJorhYt6PpzxtUO@bQ$TMAa<5 zY+`In$*oSy-D!ub^%~pPNQQWooSFVCjZwXsVjWxVsK;yh`l zm4Cb83fIFfh8xO`Q;vLm$2VsG`SObiSA3FgqNs6e8}-pylbC%; z2Sz=)kV1)KmY*Em8GEnjez<>^rQ<2Fw3>CInp$IU%+nLZqIcixi4QLWv17mPb2F-@ zQTjwv)4p-!4S|#_e#dA^d`VYtG#!XXhEepl@sx3`T~*Ii+dcQ4Qd*bF?P!n;ay#|4 
zUNzQo^dL>`GNROV&ehDh==tv#1!k1sZObV!IS;{A!Hl+NF$}8YtdDH~!-05W^2=ya*5GM0xy}v2~o4`>x|#+8ah? z9H{a4vdIbiv>;_$agMsfp~Av!-tt;u1@F$JnsWKX!FeuLPZzPXQrDMfbPhV|U%8M| z?zU@BL}{(>+_O$GpG;k=4C7DPZ?Nd+^INy99G<3ck`gQ&mauyL`d>P;gIbQ@LErws zb6m6h{HisBWwetKN){4LA9Ayl!dV8NKb$KBi(wA;^_ z>%O4Q)Y7V?tE$;FqEN?gW1HA?L;kEvUZJawL&9ByU$KKAWDGNf=830=V literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..3884ab59f5568f08e5c65bd753fe7a24c4bb2ae7 GIT binary patch literal 45056 zcmeI52|SeB|Ho&{3}&}w$u^8M5zUTJmXH!6LRXrxge+wUm#YR*NS2~Yix#0vC`y|a zq@<`T+7zWoCEC<&@tYZ3x9+_&^ZNZ?|JUnxf4?)!neUwMIp6a+@AJ%gp7T5}9@nJ~ zL6QE1fbfV=RwRK2k%2&=5DNkU0)e0>-nAHmtheu<@vCtq2-=A68UkxZu0b zWPBgWq=mGSlvGmEg02u0@Lj_S@(bf|oFjtPvm*VaCdAo0F0k<+2%LNgQw0bl7KKcm zWq}aHST2YW!eaY}Ocjy*CWgTIrx>(Zws1)$RV}E`xa=r)u)lBQR1Cy7F*xJyKSiOC zDYL9$l1eI*y$RxQqWmMK!oa@?Gw%IU6l2P)R2Qg}l9m=UGh8raQvs$diHT6-!#0&K z&cIn(Ik_yGO<<9EZ{E1EsJu6gZwoT`ITU`DG5@PE|Esa!E5C>_ou4rH36q}~@e^Zy zV!}^Y{DjR*Oa!6G2Zo?7Lr|9?sLK#g<;5hEsT6+W6DD81F+Z0qDD3Oc zpwVdzet`*-Utq%Iw?1L=B}|z7-cFeOE>D$oZ4Ght3u6Ofw7ovOzCLpA=8 zj2AGP(qJ^HfjOm@XHM$nnUiIC<{!#VHq6VN)XOs`8|Iml4fD*&hIuA`Q{!vknf&c- z!sKss6QM;~=~z4hMnYo$>Kaezu5obk&Mx?Rh-TX0E0p~oRB%bAwm9Ok%qnzg54llk)lABlZ3g! 
zVHh;e9qG@BjNHOf$|@aVu%;-Rg+$1xbO9O3-~!5 zPvs_y>^qEB-IEIL+l(z)8U#!U)KP}3-K*dCenE~+ziv!EDcT@p_Fcr`j`QJ#9)WWu zwcLF;ZGD%*XNNU5jzu_DJ&u-cIbed6zLj$Ts}+@a_tK((ip06))L19ypAm8my^6T4 zOTKuzP}r7FlJg8SEq0&F9cm>e*PK{nt&`(^WM52vNlxM`{i^9oKg8D=SJ4K|PgDk( zOe>tL`CA}iTkMv~1Eb-HL0>)nyA(BHiipD=>jCZ{+1}P)k6| z$G8})h9zy;^7eK1(#NOCOS>M?W=B)@Wu?zwP7LZeOq;jjy0+`|8*hA}5GXkjnoJIp zMCzq1Oc}*O5m+*dY&G>2LuSAU>peeo#N{3+Ui`48?r5sv9qeF9%sOA&&=+Z~uMg&B z4N6GNl#zfE$S6ta@h}odvZ^FU<_}yH5Fk?TS{uHx^JBi zQQwgfcIB z@}8G*bK%L(sqZVF%I5RN0VZl3E^!mS%sb~s8(`tK+>c9C^*p(JhTgOXp6tlR{m*9Z z7!o}WgO0u{Jx(Q8#O(=i&m4qvv)Jv{r*dF4Y+1oxJUTuU=t6+l_y&a?QxDMYs=hk-(5qJ~FYf7Sc2&8m`bgc` z?74)B_JY?vqp;N49C0ud&tUb(TCr(PH^U@nY44_PTeSC<=IM(c=~=<`RX3!Li^gDh zHkJCo>&ceDh-EZpI}gKVi{hu5v@Z%aOJZwxCRTHNb4>f^?CN4<4B>}A5f+=^$bY=HtUNCw{|w%`+V^(yfy73o=rDu~VPARBBr3CF?Ea%GCoJ`(KTP zS8-Qr#G}Q*;0jF&X&b%T;@3~nc`u{LZik`L&zQMzhH?(3qRExbqA^Gfb840czm{Lq z?~;5apNApi`JmYvi;9YuClk)!FhHD;GQnbSbHqcMCVW zvc4vG8F!?t%xmSFhKzf+(pN>LWHsh(s2K9vzwoBlRrz1ASJQ)sKB;97h3z-?T9&cs zlQDGQev&ofo<7Qq>s~N0IG=^ZC&KwJ-337w;$j{+a z9)<$HLB&JM8gT_{8;<*4QI{{+9#~=L6{u{e`Ly)K42<@*=oxUMGb^MrX3j@$w|~;* z<%L)~yzA#Ag@gJlkKd&`xNK@4{*csosHfm3qv76nm}BRcMU*SKHs|Si&U){vkG$2a z)v5Y)_B1zJms-c&T2dsK{3W2i83Z83=TXxpk@%JJmS4Sr(} zkC^J}2QSE<;d(Xa9jxO_s(j_4`u2uX^!N+$ORt2>rPp6=&7)tX6xN#SY+zsBUteqa zmejNu(R8oj<*vjNtrs5*P^}uba*Q1}lnwNxDW^WLzi(p5gi(SDTbo^3i7fBa&o@5V zrO478s7Bx2dt}QTs|Ug7`YS#__7fQ2mk_r03ZMe z00MvjAOHve0)W6jnSd(H4Ec9|(m1~UAA;bA{>eQA+5rJT01yBK00BS%5C8-K0YCr{ z00aO5Kwyf1ER2Nw_TL?ium1-i_<^ZXzybsS0YCr{00aO5KmZT`1ONd*01yBK0D*rd z0VNn6`B(qG7{Tif6#t3eDfIZqKeK;8H6Q>800MvjAOHve0)PM@00;mAfB+x>2>cxZ zlnnp+KLKM3!N0}N#jE0v<74o*@cDR891CZK>Ðea6+}HexqpgK%){B^(j^1Y3gf z!kA+6F|k-YW(4yqrWU&xYw&k1fP6pz5C8-K0YCr{00aO5KmZW2xNANn!hp-xZ!p)fVa|YpKKL3u>?NkDaW{`n|G-FfUnMn3t(0%*#*}=A};; z=B23!^BOA)^BO6Ahl3ViZ0twlu@l@J-b7KT+jyEVH=Cg#%*|lS3v;vSa>CpUmaH&0 zlPvSSn{5(6Gyc6}c%g1%oG>?=ffeRvurb2iY&u$)o54Z}b2G`v@7+dhDvkPk$E1b2 zjirRS*$hcxZU!46%+035g}E6lm@qe!EP;lpBiFJxoapcfKP+!5l0oc-;Fsg7acHbR 
z<{U-^%|Ts5%|vpg?@2SHwn;vdv_|ZPkHVM2et{t*e4r-o{@YbSML+-$ z00jPL2ylrq2+KqT$RCcfzBz7SlF3{y*?a2t>Nv9VpYFDv?y&r;%14AH&kdJ08o^~nz+*Yq4)vsJ4PPj^AF;v3i0yeca6LQ;L zT~wg1ib?Tau57lOW3>5F+WYdf1lUuNDtA_RuSr&~V3fdXQA^JpEt4L$pP%im%Q;#a z=UJYoN#qi-LRGREVyM)CC*2BMqh5D>t#D#S<>yuj2f-NJuzkWEuYB8!c6@oU?)!IvRFNt<5B8$2S`J%z$&4htwJ$P$5t?=Pns!tgM!qE{ z&M0Y&OGFA)Db`G6+>>+#UyQ9pyGBTPFRVXqozP>xTK8qI`YTC^H3PD4B2_9;_UEfT zm{X;{_UXgKq$_8NPbRu6#IyZkSf*`7a(fk`R!4=7%bz*5Fei#s$WRTk$h9@ zV0AD)%;Jhtdk&uD+%?eCRD>3(@<51M6I*^^!>gio&QJD{D=)5>z~XjV%RNLt+3+bD zrOzcw30Eo3Oq6Lu&hWhd@KOJTB2|T*?@#o#U9QorN%mmf)^73tDPmBh%F&gll(1Ds z^5wFwTee;+@(N3}z4OB{^`B1YlW*@>v3CWRC@EB>SToVbl-fN88T9*H39>?VWtpwr zZQBQQZU2e{Rl3T;1x0-#RpziYD?%-CnZxmOHfDNS$%QM`($#D~_Iyp){4V8dZxfe@ z5UNtFnaC_M%_Lqb$81IH56laJKQ>5EN>|>MTrE2?&1>CAu{~X+%IzJvXN?L&Po95> zb6!qwA$n&Szy?)Ke`%`k_AEQReIb_!7phXMndsr7H?=Q@hf<;kjb`t_DgVk){t%1O zt}1D)59pCq_OB7CGTZZY-@HQ^e#ld8cn3S#Kq|Fwjb`;~L^Je?=Pa!O4wncMs#2_( zsD1XOAA4UNJ24s+wEmO*<0bZWRe{Vil`~yFM5R$kXMYx{a*OtM8RELbacb&uZ|!~N zw|T`PGM|!+_EAwct;^4)XLE@XLRE@26FoRXy3$A2D!S%OU#i%5Y=(Ql&nA0}eOygL zoT!>}zm$qpiR`U&T%Vp;wcvK^I+Gq{d0YVJ>}ieLWmdf#x*HG~a$H>~LYvLhkz9(;xL$I#nf+t5Oz1{b6vZ9vqi7Um?@PCu7LQ^dMIH9bBgI&W>p8 z(1Mo8VFcRJ-ZF9W=@K z93Lur`Ks}2n!Dv*?$&1oZls2&aF2bKK@#^1_Z9xUVfx}=t;Y>qZDqv#i4zuobzw)G zBU|n02j#0m-Ru1IQ4?R+UI?9zQQi&YD;n$vFF9v znCkRr0W(Jp5s!4-+r3oXVms?@?taD9RuU@GNQ^}S?$WWXTiD0)R*#UKb{Vc>bjC&g zQl)C)U%mxDL^|&%CsO1xY|Y+zWdY3xkIm__y7)x#NuS+l+wpBlrkppp7@Yz-m#Fyt zcz<*1hhZXy%Aaf+{o^j}z22gm%PDm@68s27J^w`3rtIvgyXzi*on0wXWmeGMo(=vf zCk^_w6Hc_d1}!0mJR+}MY`_kkg|qwgn+umXO}I*N2Ar#`(Hs!Ft+ao(&&XlfB3iWW z3adAxgyskNA-!FjM<0q*>AFbSvQ3k$D;sw%tG}&}`24mq%`mPjqFG{*B-helGnc3! 
zRHax;ne6m2^%?9{^{kN|<8q~+Rv%S97agULWHP=#=#x9WGH`s7kSxGMUdzq~u&KX9v%M7Mws(^jD;YT(18i zdeA$h^fN{4dXPw!Uu7Izhl@|XKjdnwWV;~afhhyo;Q6Cng3(xI(Y6D1_qaqkp(@2% z$^>Q^jHU*hyl-jQ=iH@!UFA|tcDd~*9~N?PI3m%7s3%foyrW)LUA%_c+z$cL;UxpF z3Z8VDlXG_T>4p0Zcgd-(<`T8PSNZL1NfqPQv(y8@t?!dt&{-k%^Ul}Rs5X4K>%NDF z*S?H`oo6NBHASi%ILF8}yK#6!lS(%9dX?=OGq-t2a~XzFBHGdOteGb~OM5Z9%divyGT&x{##Uc4GqDPPoP zx~;c#QG#u_NRhP}Di1HsE!I!yu4;!i!#{8I`^>S#5use??6!kF`5U;}>Ow_|vv*uG zs}vqr=h0Q7&4hieP@l!PoL86{=ys}Wx%b6}MV-nbMJ~N5EpNWu{rsW#$Yuz!-HTO) zxAjeV8?-(tBs_hWlqFYNO{hqw7#n4WoQVXsPPe>^xs(EtaZx``xdZN4hHO0x37TMT#7BvDz=;I&@>NM3}=}l6o)N z)ru6kd_m{3%2w5fpEm!N{%Mo%D%X@Rj|fj=d_9UGoyg%^DO_z8p(1Hw4EOD#3n8QR zyBc*=f?I9rK@zx`?|M;svC|kjDAVqZ&n-lXoWbzu_9iL^-3~g`mA|L7#%EWF5l*sU OLx$%;!>EIuY5xMt-^L5sokjXpkyIKtVvATo3`3LqrfE9HOX*Aw&#vSdu7MMTsaLtq3lt zMT>wIDp;t9;8mq9)&tjiVAV>+VlAr_6szJ@citpi)~@v<-R)=lMrQJV$N%@<`)1~E z=FLnJ667ye$~f~9lj0>x4j(Z>P!w_Ja1aF1BUW8v?ON!BLF-BouV^p(_e?!xwCi0K z)`>9mS`hvFSe<@_eyqMdk$?*%00}?>kN_kA2|xmn03`4y5^!fQ*lbHQT%HguOO`H> z$fFY!3b86GPA=8)3ikF0_2&2nO!S_?ABM$bR>Jc2ync^MJ znHJz1G|d~d;1w7!$=}y2l;hzU7#!-zk>JG2B~~7>@_|iefE+H!5`m-$Bt>KrR1pcl zMhG@eVB-unBCr_?HWILjA~s`5DO|H96>*@!#Wn2!6)p~BxH!<^;y{Rt10^mFq_{ZH z;^IJzi%Y>)+dWPHNM)YJCY5=lGLKZ|k;*($nMW$~NM#?fFvUz^#!E9fP5c>q_2?l6_UO}k}9Ez<2){CTx){fi$E?;R+h?yd;wnw zDrikmL2H86wI=9-)&!%~nqbIU6A;y!0IS9%`Do1^HkC`rzEv z2dAF?5@uI_3A3v%VfL!q)i9CU)nCHwYM3y)8YaxHh6xkwYM>8<3HCRw33fWI8Qo*b zddzvPGc+Ckk{YS}4Jzqi}pAm%?CsTcU_2w7eTfoY6;0RLVp$9ocJO zDiLa#Al!nJdK7yKOkK?jFyR6TKmw2eBmfCO0+0YC00}?>kN_kA2|xn>KLnTzaFJgJ z`vSo_v3Beh)`(riP7_JEKmw2eBmfCO0+0YC00}?>kN_kA2|xmnz+Z|0lS)Ia@1Cg8 zA&qv?eumblqLW6OX)aA`CpN~ zhw4j9GevPvt~)+n!^fHA^T*Iggt+g&3Tq>t0I0|IV7vaeU}5W! z03-kjKmw2eBmfCO0+0YC00}?>kig%PK-Wxz_LVV+ilgAB3J1+S0g+P4Xlas?t}Uhw zppHQMlu)%LlmS#bUE<__jHVPgY0m#QAXqb2hZSRGSPQlRJN37u3kN_kA3H+A`m{A3&d&#{kUZ3lw_=ll7!jDeXGB%v{*4$$NN*QJTfnFZ= z16#c*U*2YxJb(9nse(@4GyqCN6S>VNQ|bfc$A3Ql37ryjE%@_AntK4)RDtfRlv%{c z7>GAwV5R>K<2?Ng8bKu9bWsmvETNei8X5z~G$YX)`WwDseFQNj7T{zka73($uRQo? 
zh*t=T5I1AI{lg~|QzItZwlnX`oefj{>^>C7xqaOb5P}jd1ovK%DR%SZ-> zcyV>sQQjT-;27JIk7L`oS;zORm^59;_F5B9UkbS3$opc%v@e)6Bf;y3{pMtPYZ7Ft zh&1toj=!BO!qrp@Tuou@pi)rEtH+G97`pbWC$E0QLQ#D>^7d$P3pR`RITJ3=nad}B zh(s`x%@R1_08sOC9TITi;c?jdoHWY~8># zxpsZ>{$G+8HN`OAWzBBfGQ9{j|2jwR-1)^JVd>L}`_?{cG|yXhKQW);zt~l>O2*jk z+WAaB((RK^o!+nPBq75#2j{rZTVMx z&We+F*ESZO&vRU6EOzI9`pA5cVpJ>r`7ZXuin)IAnS6zLX6ott(^}?!oo3!J$fjai zO~&`lnPF8EOLzL0ri(nRb{$?=n5emJRDXBKza?1Xxh$>_adDXX5XsC=Xvl|P;7{bXx-xc}wV z`yF4*VT~<3U^(yUeSX%>#KT!F+peCoNtvzIpD|=bd6fOIN1ewU*&}N63#R&HhLzQ% zH>KHr|5!Kqx?M;zz7tV3EjDVKLtjB{1V_@_?~%WAXubV2anL8MJ~^pGgHS|@hVD&*2fNw-n4Ud zlx)eeHIt}h&>exiKN!F`4Iu5W>SCm^f6dlCm$4|w7cKJrkdRJM#1(qYrUDx3d zH9P5!(XiC2h)m|SThdV?`v&{)IOUk^i$1q?|Izks3;mq!q#tYBY@_2>uCuDxx9Yq2 z#9tR+qHoL_F68MAEVI@9=zi7AL3@AIi7VXoplY1I|AS9o6i0eaWK+Fpy>k@M=++(XsGJWA%3tfD~v%q8(rV%nbPWs~pdi7M+nhOeC&|RAl3wp-$MFb)`hrB)()~Y)i?h zO3m43hpY7(+Ez&hd6k@=@-&rEwUJ^KTRzF_aqP^ED{FkkXB2V5$g9P9(hN(#Hp6AE z2VD%;l^vxV`uMg_%${@Q7ZNV}NXLoIoCXwxo}aKjcSoXsLvAbe;Te;d-AVhbAD>UA zL@~>c5ATS*TXZknuhYWuq*z+TI#xxkHaOzx31ZRP@Abrom;TtXU-h{eRnsWFqN!=` zIP#i6N*2FmG$p>It0$WF$0Nfi`rCNQxZ0+wW2)_*`AjISP2siIO9r@|JfT;GH6Pwj zQ@ac;b)9)7V;1@z_z-J{tal{hX&(-5e||V6zN3u5NrcnB*DZ<9uJuGX+DAdrmqTek zzQ6hJ{5c&fYwp=$P=;S1*zRDw-EFPZf>TWj16N zv4*MCSC9M6+oN_VZsb^5+)KQEi? 
zuult;Hy3BC+Z`&**|V3{h${HE$5ofh#}3SMv3xS0lbN!%JiTMUVZXiexaDr!cSe-f z_{=)v6!Xc%)ygozggplHe?FJHY59;;eUs#1(K`t%*RK7gBP*!+5FYgH4}8bP+=7kk zCrr1NU);?fKkJ`XA?D}qOUVHF(i=v8+8n}(jcXa)>NA*i>y%_=!MbX^y*SGB#GL~L zO*+c#3pcaE(+exp@lJc|^2e%5#68{)`)$*M{T&v4{_Xfrr;6Si9%e)7SiTzz z+%qsgk1j8h1+Y^0FY;$PZo^Dma?U;}T-sE;tbbMcyQrq8TA${dwl`;6ZvbY9ePEIf@B{7_~ReaJ$|ND5jr z{K&Hsaq;du*=p&LljD9FEw3nEcJrr4<<8%--0MRXD+=b0_%QCq=Aa$E&OGNq6aG58hR4?;$NL^5zZ{Laq#s?&cIod2VSQxM`0 zE|35u00}?>kN_kA2|xmn03-kjKmw4!A0e=kr_(cE*4x3CklBL7qzo=9HIm3ul$Kj*QI{4%C0axa zD%!M2#^GQvnE2$I{lR^p*(q|;=6t~aVE>&d4l^`=Er}h6iHKRi z#D}q$#1D(p#5KeoiCKsp`MXLW9}oZp00BS%5C8-K0YKpYCV?1XVFficI7>f)Mvq~{ zG7@NZv;^AJr--eGJ=Mz|=S8(yXpfu9#pyjk zo2$b@XIn3vhrRnks;&JT9Q(*LmN4-_)SD}UR%1cvaWIA>Qodp{i4$&oN!0H;eMKtw%j z6gP%1H%1JN&WM>Vg8m@}*ZHRyBs~WtT0un<9y}pCk-n4>nlK#$^+OEig!@lX2oOQf z7J*h!n(9pylbOhfpALikA^FPdXhim##Id;pox?l5#q!kKojk7q7WcX7y`tJLx4De2oNU{0pf%rK%7_vh!czeg>uqK zc@z4$k%<#FH!_hMnaGVy)+KT48gacwT(1$= zYsB>$O?bJHjkuAGxh1)j2wY4=Zhwgor!JA(Um{mCiJMR2=99SjWNr?bn?s(=;j}`A zIIWPmWXN1HWNv&iH$Is=4is)(3b!tWTbIJ6%8m&^L;|PrNt2`Agp&(#3x_f&Br=J@ zDKKer3QU@u)+bGlgh`Xr+ewqtnMr69tT? 
zH5gB6Fq+oOHmCHm&8f0%^ABaG8fNEC>1CT!4YSRuhS}y+!)%kYsc|&0P0scvBY zNi%HPWK5gk|1r56%|u!Hv>ZA|P8fv-h0!5Mk0gXvaMb*}iE;WD988$D5$rvR2xqS% z$$rDpsWA2nJOBYe01yBK0D=Dn0$UJpmJm`7gVFuDF*yq|2F8A3FfbTKMkYf7CX=b0 zp*Z!ND$e$Eiv2ep84_BrTaL2>AmDH&GiGjROcY~Tf?;TU0w*XmgCGaVpb_3kgoHTT zoxorwBr+NC)@5%V+SZGuEcAg3Q;M%OqVuoY!#NMwAy@$Wbuwq4;r`JEYvcuOf5j`- z1rI5$GwbAhHknXq>Ntr~xT_Qk->u*G-mcL8+05kay1y92%;`iOx!Vx8%P-Olt?3iY zyxG?jH)q-9%irT&D|>$txmIE-Dsr!|L{c*`y|Zb4czL?nF=C3F`%aY1rS2J+JeRNj z9t1kIKVzGLhV`BcTZUV;GESbJZ>wGCQ?WmJdud_%h<>HALg1=elSEHL7XivdJDM zD$CYoXTKXQSk!wKTJ)fYH0Kw>{>?d7zFJXtkB}@E-@tn+-+mhkhrywA_&O*SEjl~X zDf5FQ93=^bK-B545)c`QYpwWrS0&RS>-C*uF9!AW6rLzz8r_a18C^MI5imnMTSo{E z7lPv;F|^1;6d_Sa1uYtq=>%sWknq_^jN+0W|G2N9A2g0Zry`kp; z8$X!aZ0Qg_t{rnBNV?c=cNa4@Jk=8QXKA)78VjL=_v)6+Fd zalSNIGW+3ms%Cr7$gzTU)UZ@!zN6zsmSf+To^Id!QLo}}D9e{asaWcXt6nWGuHROZ z-t}h(v_>0e*7Vw*Qd@8mZG82tXUv5?jlagW&Dd!8ZU|5Pw#&mglBj&}d0DxGnbh!? z=PH6wIH!By9O~=&e#N9Xz0D2pdz8-AZi+Z`dgWo%cKD;=G;Ro zKIpS4P)&wHeyR6yA(p&mq#)FP+o4gCooS;HOkCS7(MI#n>C9c!1cAHbuJlnK6 zx$}FA^vWws?`FU3JDPOA=bX)=e)VoYJGqbhtqbzo0>7zaL+ zul4#;7j#x+B&8O|T})kLwtVlIdtTCcFKott)%MGOd;giV+i;Y%+R&ie;(Lije$$3MA#?4yX)Hre|HrzuJUL`@t>ITmX;kv?Af}`id^k{2 zV?Lsaiv6wTfJr_13CYRTxfGfDS=~(Z{N-xC+d@!nS6g<|wbMJkpx>Lvu_=tt$jdE` zE?%m;$2w3?#609lrQ?kGZRirGS0*hoJ-E?@EgI3E^opA*%CUEL)s=-;Tn)Uhd?XcR z;pKU!hy+QJeR8STMc9arh{64dOq+Ex4zKALNSNiJlli@HXM_1+g-#V_d{j)S*Zu6b zxDO9@4KW zfd?P}2mk_r03ZMe00MvjAOHve0)PM@00{ic2nZvPqMVB#6YKvkFzlCqSqDLP00BS% z5C8-K0YCr{00aO5KmZT`1ONd*fJ*>@fQe45|NCIrJ^%#}00aO5KmZT`1ONd*01yBK z00BS%5C8=J$plmo7NURm$BYx}|6v$*_@CTEpdAnZ1ONd*01yBK00BS%5C8-K0YCr{ z00gE9NF#JbfBZ*B6YKxyFzoZ`QosTP00BS%5C8-K0YCr{00aO5KmZT`1OS15CIJNm zS@f^|aWRVB9XR$gr&Hn+AOFn$0o8y2AOHve0)PM@00;mAfB+x>2mk_r03h&p1jM8` z*Z*-6<}mC#tQl4XTZ2u;-otLk`eSGq8_W~TUd$IvJ!Y+BmShwLDcOY4lI)i(l?ae9 zm)I_mB8ioFBhfB#N^*gu!QZt2@&N%r01yBK00BS%5C8-K0YKniK|mcrg)^fffmzzRI@p9A2NM3FV4Z+K81PO^F)I^uln9N_|;=?4_Q;`&^9ESD7oWNitqa-d% zXo#nZ-4laEb3_J2sKUF^AJ87Ca+C-%6j6^*5=wyIgzLjL{EyFIsG0xcAwfVu01yBK 
z{xt+xcqtS$T?Y1tqply0Ba9%3wH6ATzR@}ca{JSL*Tb*q*PZT_dDWC9&Xi4Cv9BXX zxKH82thXx8Znep$b|L@b#=d{J2RjniC_MJ*L`jv{qgl-@Il5i}j+=kM7&w#qn7OTq zPc6rGv+&qIiTv@HKmd`Nbt7udpCYTfT;@l_=zMR z(Y_MVs5jIr3+c|m2C3|PN>&7;|-EdV$-{;D_xrFDN_=yY|*_QWG_23?hos1#)yx}v-8OM%LrD`qJB(+Ex zBU0lmyd+PNbcz5X4N-Pgjwz{LW?of^qIcqR;w9SK>q82I<|bp3k|aK_a?eShWlbksV z?37NlTbJ0xmLMGzm%i0X;wLg`%?!(1h3U2G&!euDS|=>24h>ZJb@8?6y3YHnn_O*T zSa@-sBI#rSMB?u~L_dr?bJuBWoUOf+);V0ru*%yexOIcw!GW>TQE7f6ja@4;XRcfu zIEx&8qQYv+`LgVx1+G~2tTe5IcjiRYWU}yLJVjDy0*J(2@SJI=D+)V%|4r_mWA0RZ z1}s(f-jW(G|NC9i&(;R;6REEtKdbgtwA-3z9$B+Z`kUjea^5fgAP+M?k_j0fPCCHC zi}DmH&=hpAy1-TQRQaaLoYC<958J{r2E@8)%ClU}V(VJQWe0QliA=l}nZD_1t+T9S zqL#G&v zg(q@b!n`hCy*K*8s=0-q$n?Rz#MSOYMNH+v`eznhvN~U}RQb-WV}mj4YX&;gQ0X=okD%W|@y~FjMt%GS;>)c&dd_yu~nd{e7E}<@Yn*LFSN|s2GlGRj@)Rl16!dMTkrsAUhS4^;qeZJ74Q=1IE_wgqgdx4< zDLE`%wdgB9kp`bjr9DZ$RVd18(^9vS67nuib>$BeiHe9Et*u|wt5|phPmuymLC4lt zdu{se^a8&2u7-N$p(-6}{R-<9yF!hx$Agr&-3Wc)i=dAhZ@nd7G7Us zk+D}Q%o;Ycr>UY?rHF+W;we&~DX1_Q|oNInm6w7 zS;?&WeR^?1$>vLQYi7woEEW_yeXu48h5YGYZ9(4WvK70TTit2nid#F8;yW)SuvE7@ zZ(~a7%-z4aYvy0bR6&b|WIDka2qb(q5~EhO>U(%c4DF7=%wn}Hq}2LRnH%>e&w~CC2%ojc+3`YlH12MH2ImzV`trEJZTCuKw%`r6S2p|9m z00RGT0xZ1d&pW{%FTeY5=@Fq$w&jZiM(G~iDW@#$$)MzZgQlSENFlWQV=W|YP=$b)(cBwU=$SB>v;m|Wr zU#CUoRe^k$ua4xP#J)FQ&3kd1P6T1sy(_3PTO)KQO;NqbD}8b7-TN&3jGqVlhx0xZ zQvpPV(PR}CzS@bb^NzmyTC!Z@%SG!ehRjP7DvZ~BYByneJ>%EqPhV_n8T zFZ7V8ua4ZyPo$p~wum7;y00<%mPdS}^5@+JL8(Vy3w_xoVt>6_$C}B)%kdN`(0V2c z(VYy}oQD{wE>{nDmUYiAHTiMs}r_aTXB=>A1?&&!KJ5{+k5=|6l;bnM=6lgsYhMIrb zI`6#N+t4#F=-uaKujE9QY@Dlax#|QSv`$4+bh5C z*c$U#&R}5sVfioXSa|%;B7dAEi30p^jHTZB$i4YkG~7zDc0|9H?C?IKCf9TP=7(>a z=H>0vQsgJnpm8IszQj?};>J3yw&FE=RJ((hIPX~K@a(L3?0(Cf8WvvqXOTbtx&=A! zqxXhxTufbnnb*3{{}BdvaMSx$HD~D&{c_}@e7~?f1V53&XJy6`KjsMCgsovIQ`ZP} zZb#!4*JrJZk=+G33740!G}U=dlY)S(YAWj$v83L|o5A%B(SyHrb)*cwef{9}%dpmu z?xq`t`Dsjfr>bRc>-H%1ct?b}ASt-i2Y<>``Su$H|&13hNY>>Q=^dp8|30o&m0P%lLIOrg8~f98nS&2^@p|;+I~A-lpJ_E z{#6M-jU}CxW5w`?%KjvRRMX2aPm2z{5{bFnY>Z9!9u#?5_JyUX!c(Ilr=9WjFT7c! 
ziY`c)OI9D8v0Qg7|C?b2>t#LB*yP%s%Y1({Uq)BEUy2{;|B6amQ?qPr)FMvP`ab+@ z{fz6+Hg*N9m1k)x^VBHF3Ek*hbAmk4mvdu7(<(osP`Bv~ucD4W>%D5=HWaWk^@A`! zj_srn$qg)*#UTrttmGE@UoJRJgJ0mk})hAQ(y{rN?C zyAH43KJb-^9K6?d>#%r{^{4Y1&b6Ld{51MWzc*Ftttq-uG24M|o~8QLJ+JLz!k%3& MpZrikc6yKh3rY97u>b%7 literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt new file mode 100644 index 0000000000..3f0a9ff5b5 --- /dev/null +++ b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/client.crt__client.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/client.pfx b/src/test/ssl/ssl/nss/client.pfx new file mode 100644 index 0000000000000000000000000000000000000000..ba13f0cafff3a3d64ab5c1b26e98033614e71fcb GIT binary patch literal 3149 zcmY+Fc{me}1IF3r%2_61jv~3YDaSXHIdUXdn45A&jS%}eW6pBrE_b#jj7`FvVGWa` zZ-m17k~wpP99jDHeV*U>$NRj`^S;mX{`r1jSUxiVI}nED6XfJkN;Xa2=V#|)ufX!L zfv~(R7?$?{hUFyvx8kh8a#s9~N&xI^zb*g24Lc0NdE#FSeC(Vs0T6euM@isY_mNNl zfSWB2%X#~gDenqnOnFN+yV*NCB<;|`NT8EAz&?E8lwFxhmmY3x=BY&;)HuOWw(+3- z1FAb80g$~ER!s?3F%g^aWK(TfMIEjS&~sil?KK?(7W0eG?kxDq@=2W*Q%f|F^ZcM? z9!I6L>gz@_`85U;&gTZ4+m5T3VK>p~)UOLJ#6Q%)1R>Xkdn}1#G7r#R>mz>#BeFS+ z=thr5`$frQ^A)<;3D+=+vYhuje3D;1Za#gTa{5er^b7Il^A)F#Q%RwVTtgzH9lvTK zi1wiEov5Nq;dK(#)$AV%eM0FMJ7k0Kr+JLK5^c>3)3v^I?>30$iZ36<8U``TCktV_ zn)JEh+AEc-#4UvNQ}R>G3*rM`B)P>p#IAK`jx9da&(EqTfsdr9{>6%IXC6ttZ(QR& z-rr7I+Nn{4-G48aTlRGscygPGpTOqQc<=cN7$2+VsP`0E;HPt?iytp4{IJe&;D$rw zbIpdvxg!rJsO;c37i3ZtH@{@&9ob{yUxFoBa?UEVorgi52x?Af=lAj|=Qds$la5oz ztnYDVhdYNpY88)#o~WvouI5*=5J&1>_c>IIIyAx$M?y>8-pLKzfi@;f=`2HRWNspK z84lkD>a@7DRPpi&ao@^pp%dOepz%S=>*Gc4<>Iy^ca2CpA$!hZ6X79JTR{MZjzT8H zs7`%U3JrlCPs>*gpY*%_eDC67h~~S?0MD!tqi5WQeH*Ly)qjlp5SUJ?47xw7B;!Q# zOYW;6(63U%W1EcnZgM1a8!EmV4TCvpp6i5^29|4urf5t%*W*S(JB&R`0b4uWmXmzb z1mEe5DC5E(-}emx9+!%C^5rP;Z|dnZ+jQV|WB>eA@*T6W!8(EjpP_-9U&!(s&zSN` ziVevvIK)3(xmot-+I-Vb;bP!QOe+D#iVI9zP}&bkvyu*$sqxM}32YPE@WkEXZXmQ? 
z)eGY%r5Mp9Gb<6J<~}?d zQ$v9(p!;LVyKIFKm?v`^G1Xx&s_h1q0giU;PHh0pIR!sM2v2yJRg}(_kN2Jpq`AWb zaZRi<7vJ3gH|H)V&1Lh-+aJl6cGAcQ06OLiY4hrNgBz#tfPDg zT+D&8)tTw6sD_<}&wV_1MiKnwraguufD{}qaMI;#f?AlpFfBD1I3bOF-FsYDc<>-+ zV_tB%*v5Qem5q9M>{^cts;q-(EXTT!X2Dh!7&WfoLUHK;W747#=R)Cy)D6OXmXYlgyfdp?TPNMgD28dJzk(Z>v~)-=?{KE8kIp@k;9cNZ9_n zC$fdQ@1sMtqK+#2f|%%US6-)~m3}!D%0!35*OOZ@zPrh5iQ3MJ0>_fNOD&Lw@xh^z z`Z=eZO=;V5YBYoGViAs5b>4m@aoX{A7Jzn7BIaqoXkEwbz9_}E^^ppM|7tP#EuVeQ zx)x7HL}d!{6S1Kd-@rbhGHa*i|20AoY>aM-fnhoH{|8JJSPpd%mP74#tn^#*oV@?W z)CqP#1s1dc!-7`-k6ysP>2=Z3H+Ws^WXRw20%1V|by&f~*sV+Ki8(S!M_f}FK8dui z*FKM;j7Cd?E?)P^zG=7_fLZNua+4XZv4oyAv}F8&nIYH=55qMrmmge#k`rk)1z`j7 zS>@swh8On4t(WDdUhBP-RIv^T$r2Jun^*S?b?@+qm|i^q=5DsKf33l@`bv=r(PT>c zzS&u=Wsa4x!>{PvR`%}LoB@}-Vr`>CcOD(A9AC@ipdHk_jpa&=S*abb4jkO~tSVcJ zeNlP)!6i*}3;&%~Ef1H|;Qz%E`3m-%98| z8<%!}FFRB>x+l0(X0J6VbG-E%c-N`CB{D9wba}z;?x<6ia1lLci8Z5C1 zf9_f_$G(@g9JeHHg{M7sdQdhr5*e(dw5~d9;}ExB(6htHEGl{u0R;R)wQqUq==zGk zMe_6ul!b+igW+foNW{+}Z4o!sh|BX=Yoapn62o9%rs+Yre{eraOi32E=h+a3Gia-s z*5T5+2#Y_b*X})$H1O3x&)__^dwzzal_Yn~%xh-lg}9sHa&4BS@;!4`XjN^NC5=tOkOU} z9PiDV5#9S7eR*a$zg4%kvbeeoCYGni}Vn%@GO zYJAo`w%s(Cj8+fZ&p`fs6bBp@`7YV!!f$rRQdY3(Dt!9_(%`^?)dzC}1ev|N-AV`~ z8Eb`=2%HB;Vj%-{$CIDym_3t$)g9PYNwlKo?R*L5(GZ#W@(BDkMY}s8R0%_!vPsf+ z8--P;j-0)leZ=MRr?|Sf&%I9R%`D2!h=>CG*~&z+_Tl`C>i5irNhed{_onPJk7VNaDCAH+Z$mTK4Q(Ls=Q#bn2bg7N_UgI2V>LLe0Q!UcF zpp|o=fY8JiiXsP92}(r!>LXBPcqgjl@q+`sTrY~m|Y#4U63qpRBh#k{xk0YsQ z_oC$L#LPCmMcP&*b7QB)P*$chCx}Ql#(emmYDDo8f>>m$SnHquNU+D{7tb}MXFctA z4k6qM^Q3hxI^2tY++Wu!857p;l%q3)jXxe+y5pEg;0tL)t0kEE-%dQxx*olgq3cX5 z(9ygNz%tRR?TJv|9J+N90fWQN!gx42lm&nQaSk>R l7^TA393`)xPqkJviOZsMFs#r_5Vxr0S@1jlKvyz(pH0iXqTdvRu0~7Hff*-_77<-#5VoIj0I~iN!OZ^Hj<=_ zcFrng01xi~^?-A#2Pc1za)Q+kAamz+=B_s?oLa4-qNAe12o}Mq2YOoHd%H43Ez^d`1r=7KUgB zKeD6r|B^g2E&nsKaF#J89%qt17yg;FC#fkZ7iZuA0zd!=00AHX1b_e#00KWEfdZ4s zV##D{{VfgZ-M&R0e?v<+>~8f2{Jyy2DraGhQ!Fc=YcmaC%k z@Q1^#YA9x67-OPUp6}t1a#mKbahA+Xc6D>a;|-{>?lHmXJ~f3!F6U?t{sz%qRd!2Z 
zRjoMBSu4&jFRPsIBqJ18l$W^5ifhEeqKc}TsiFtrQ^Kc=Pb<;1fRsq2$U(9Wl6BB5 zY2r{wVk3#2BzYupkYol)JS6erWCpcDT1p)e@sN-<4snqXv5^q*kq|MG5OI&Q{vjO8Z)AUn}ivrG4$R)=q2f zwAM~*?OH8$wo~Uk+LBU|C?=WCS4O0-Oy?`pn60$jO3SUZT%jcjEm8CmGKzx8C<-N` zP%;YjSE#>2*TF{n+Gt-J?Q5e{u_r>ZLKZC1rjTg)4z*t5H#xgoEmgG_+Ff&ma z*~%l-lsNskh3I-!$aUuCSO>_stk;af(UFj05t6gG9#hGx}A8ZjL zq-nSnzf0#>j>UFWqfh2*OP!E=d%@1(q1F6U$ISm8UDG}*OWw0%;=!hg4UcSD;Z@u2 zeV~N>HGyyg^V?}m`dA7})0OX^R^X9 z@pxkR51CB~xhrm7@gFnGCK;KF=Y=vXX1pPm>FzZJ`q>liGXg*2EwA*!K%Z?m%vBATs^o*GfN0`2FA;$BnOK zmwePanBCC4Y*p5tXO_R+9Q$c3M{_vKU(&|oaNR8Al?B8(HlKr!{w6&df=R1zD z!)pzXPhv{z+>W|m6?8sb*~M)*nQ~W4?~=~Qq_eNjG7h^Qd+5bbYh&*Qb>XA$oNVuP zW#rv{F3Zz(?amVu9-h9@w=v_Y+(nH;HLE>OZ8KySwsstF=4D@>^fkw`47)i6C8Kee z^u#oS5%DZLJenC^Y|M;hGM-*}=B_W_+52{#Qjx#t6nE#8`}pa%HqLE+cknlluW@e8 z`RdW$nalPa>^;(+G$W^f$bw&3akIUJV=E-M#j_aH&J6gIQdUHqXd+yiMQnR^rJ?-lr zn}RwL2L_jWt}Nd1;=HfgO+9P5tft*1#pjw9tX;OR%zY>vu+_h{z0f00e*l5C8%|00;nq%Ys0uVQC6` z34Rk$f_)M$-bdU2cQZn_u=ldy13>@*AOHk_01yBIKmZ5;0U!VbfB+Bx0+@h-XISoL z!_xGGOYu(u+W!9-Bb*YB0bU>g1b_e#00KY&2mk>f00e*l5C8%|;3rKWj!$Lr9ZR?r z{)U7xx9rgN|3?|&r~vom|4A<~1P=s&01yBIKmZ5;0U!VbfB+Bx0{`a(=nn=gypr%; HHvs$=4>)Rp literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/client_ca.crt.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..5793b879513b18bb5467717532e575556422341a GIT binary patch literal 36864 zcmeI5drVVT9LIb6raVfft|}szDo&K)xwp5aAahheAuv>g0fP*0p$f`F+lt_ZQjBP_ zsdFkujjxQkOvR}9*rp6{n3*_rb0NB^G1D-!5uY(SlcBrkwB5xx3(5Z3$gfFHfA{x0 z=X<{Ab8au(lF-?+(o3B-dTyn?oOjX&Nw9>XBndPvkw|31(@%JMA4(yRdk=(Hs!#l~ zP$r36XOgC|dZB6ae(xGSpUs_z@aLlxqR`E`o%404yBPltTCPi#P>_Cs_ z8N@~=D2PT5(J14swlcAc@;MDsd_ltyIZdwAg@jXuZrh8k^KC^=QA6>ZhQnQcL4`p~ zWTH%|8{u6|sl&0@W*24T&&jx}FQ}NA$W@t?N*5kZt*ss0gzLF0~u=|V+~}ifs8egs)CAOHk_01yBIKmZ5;0U!VbfB+B}tOPW8VQ~LHShp9}1q6Tq5C8%| z00;m9AOHk_01yBIK!6Z{`+qnQfB+Bx0zd!=00AHX1b_e#00KY&2n>D#aQ{E}_ZU_P z1b_e#00KY&2mk>f00e*l5C8%|0Pg?c8~_4900;m9AOHk_01yBIKmZ5;0U$8=3BdjT z;NN3dArJrpKmZ5;0U!VbfB+Bx0zd!=00I2}|J9lD3BL{VNhj>Ab=so84K+8f>i9%&@`{`7*9p_Hga#0am>12uI2Hvoc!MUht2b9g z0hp}2(mG_=7~7-pqq~opJnUR}gcm14uGs&e_`ZQ@Z4#4EqP2q* zPj2s=wH7I^AFS+A_h)j!(avj^Gq0{hKjn6p?T>yIdOJQ$yJf-pB5O-esKm6>rC0bg zX|xW&b>-pg@Y_SJT``2}|6Hr9>o zuACSmtGge!>S@`A{!IR`nhAO{^pt(_q#EM;__kRmJi$bB+8bvf@Zg*xb!lg zCWWt@>;H{&JYhss^qH2nO;g6rkJwO?{>8EM-&+ryWlmpc>}Xn8^q@bJ2kk}rZ9yAX z*3MoSUyx@^YkIeR>ZNo1#;Ww#hFjZCl(_U#pC(Oc04Cqw&N!F-mQ~gDbpPR!A+0rs zPER@T^`YbMkN72FX__W`dVeP4e%(5M$L#{uPVHn#{fUYv9rk;{?Mu!EU(v?b#3bJ6 zc12K%P_BOHLf+w6QfV(jXwC~4A#1OR zzVPRv#?D0vuBzbLlwR({`1WolqBF!_xBi3nYyV&~MCmuDA%(KZ=1wN4FlD zKU^r^yJvWlJh*&XLDS8z;%@9R-3?RKPK?HX|5s~6B-)4CIBkgbn6_HmrQNK}`@dZ3 z!6y&^0zd!=00AHX1b_e#00KY&2mpb9Nno_hLcRPGM77VdS>>y2H7b3TjaG%PvXztj UDjRv3ud)eA{biwk-p?ie0)~o{+yDRo literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt new file mode 100644 index 0000000000..212e72edeb --- /dev/null +++ b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt 
@@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/client_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/src/test/ssl/ssl/nss/root+client.crl b/src/test/ssl/ssl/nss/root+client.crl new file mode 100644 index 0000000000000000000000000000000000000000..1d345a098f4488bc747deaa0ef788d7168beb7c7 GIT binary patch literal 393 zcmXqLVr(_YH{fOC)N1o+`_9YA$j!=N;9zKHV8g~7%EHWJ8j@OEqEM8dU!vgbsF0Rl zq!5r_T#{at8XV}O5FG5IP?QSf6c=aa=P8tclopp}mZXaF8d?|{8krj!n;4jyMv3#9 zm>HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W*6S@zp;+c5W9+ z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGwBllh2*f__60v-OkD9uJ?Uw)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2 zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..54a75ba497fed1145ef8b0987417e5de6449496a GIT binary patch literal 28672 zcmeI53vg3a8prP=O&_66*l-YD!CJlSon2 zHUeFQr7}LIhzx6i6^E)FV0m=eQN)UmQAc-Sd=)CVJKb&vn8l$5>F7BpH)%l~hXH5Q z`R>d;`Jc!4Ki~P?do#UB=C*X6)#Y^xOWX~0Hm@Kvu?)*HS%SbY43GD4ya%^1EHuFi zeq~4LpOQS2mT^8>Kg4LG`WW2>eYdVtSEEb871)3P5C8%|00;m9AOHk_z%NK3ORF^) z64*tqWmV2b$5NZCYMIAV?6cRp9O1bomh3W%P*9j>St!sxp{P&@^$STh5lP82!l*+z zb*Q!3owcD6+N&IB-?a{Ma-K$O_(KAFKaKbJ>@`k@H{=j@m4n)Qt%r!jhnw+|^$(=EKt5QkL1t z+=sHn87NcBmuvVj#xkeJD>S&>ULiM|d?_XryFK3O250F!t58~M6&jql;_ha;fwYl-J5r)Y_TaNBHK6iG~^ToB9$Bq}4vUrA)(K|CIX^HFP69?Q|^Lt8G9N6@_ z^gq{a)suJqwdSn2>FrmV@)sBlxqqr-R}n6V*-*@kzZy()tn%~AzJ4;JJuw*_uH)|j z34|$*T9cW^CM~fyJqVXND zD5Z-szIRpbGej#Uq=<@Iy$Lh;*-4|*X2TfX&*~ZEXQMbj2C;wDiT^*T*Of&hr z1~x{F`|{MR{ogb`)LX5sk6zrPnxd?K zZ)?d<$f)UVULJuCuIXR=+y}!I=8rc1`N{6#fxSoe#@|z*U3y-s>KHuI*1CJvKM(nj zw>>sy%3k)~?u6M(**%Z5 z+N`Z+6XnTq&m4Y(?`Xd?t-W*FSmy^_Z8P&PwH;iQbo-Hm;17X8E4Hr8fm|fQ@d*WLkd;dat z-vh^*Z;x`G3pXy~DbDwK;pz&cn;M&wjsq=$!ARi|g-wVf7YW{E5Eh zYb!tQyz-Fgt&8&drzZ|P_>at8(=<^BhP%F)_{iyZqq^g2KaG3GKXqK%p7|@+Txr@n z=$pE2L4@V<=GPWkKV7>&^}CAb>FtLSmVA3b-t@Km@TR^OKL0pzfYwbCoe@do=PfhL^~K??~2&76=6+$54nf00e*l5C8%|00;m9 zAOHk@4+J834NE@#Au}aQ|P==nv`Ze-8_UH2?u100e*l5C8%|00;m9AOHk_ z01)_95SXcHj%9Dcj|B3uPvnjJ1n&R$G5US_L%#|>kOU9_0zd!=00AHX1b_e#00KY& z2mk>fKnZAghUISR{r_o3->*Lnc!2;A00KY&2mk>f00e*l5C8%|00;nq-ztG{ek_Y0 zbHYvFQRELF>Jj+<{|uu)qlahm|5gt%<%aKz^mJ ziEkFFRddq* zc%q_=NlBD{v`-K{QkCQrCJH_w^s37#cG#yo=;`+Cd7o@{|pCRSU~3#7EH>|%b89WJBsq{IgWH%{>`+C3B0i8yLDP)P702GMW^z1*HQ$ zN?;IczBiI+loAb(AW9yki}pGVQoKRKVxFYY8WU3~XTWxy_>ffLQ#2y4)9?n$H>fa( zG3ThY#$ln=xV_#wsaBEETqhH#-k@S*%nij4AGE0-5U(~E;w1+|Of(o`tbvg535LorLMoV5 zhFPx}hPNcpAw%(y5%OSF{K{d-uN;Q@%HcJALleu{kY70rO)Q6@iRCafu^i%44SSG7 ze7*%ke9{F&ml8@!SowEIPMSbpQL!UpJ1$;8E)gNKB|>YQoO-hhqw)@RGD?i^?REI4 
zN-S>TaRUz^00e*l5C8%|00;m9AOHk_01yBIKwz*E(Bp-{{r_OyURW0p00KY&2mk>f z00e*l5C8%|00;m9LICdn;Y0ueKmZ5;0U!VbfB+Bx0zd!=00AH{_zA%M|KQ(aSRoJq z0zd!=00AHX1b_e#00KY&2mk@N|A%t`2mk>f00e*l5C8%|00;m9AOHk_z~CnU_y2=` zk70#C00;m9AOHk_01yBIKmZ5;0U!Vb@c;kU>3dX$vbff`xLEg)14B|`7RU*B00AHX z1b_e#00KY&2mpcq3jx1L7inKMRONNgbyi5VJ|}CD1YSZF@)7wmuCd7f1S;1?r`6}y z{}xL{#-T!FR}P0DPD3YjrCeU{YwFQMOH9p&PM_JK*_D20zHj97uQqP4jnAnzM^ID* zMI*gd7f^|azBbm-i$-+)e(@vo<41qtGIKlHzi|HXN?US%)yTO$OVhsD+}-0hMTIwM z8-U5OMr0~(-Q3zt&1lkb3+tA&X8eSnToe7m*~@#QJtt=MXL41eW#w}VQ%=~|r}>tC zG*ajuI<=vGm-No*&P9j)PoC)Xo3vp~iu?df9($-W`~6jYzGKNLkBQxjH+^vXcW?9_ zSFc-M^vvh`J+Dsf&t#15(RJtAo;h2V-e&XPwqS)_xKn4{HDmT zCV6oHCR^U?J|cQ&t@yHVru*muGYYEkBR-~QUJ-?*)t;x&#GdZ01HecO&B~2VZ zdCqTtK7Hl3c71+xb%~H+U955*7=6`m(u6fBasx0q=40>b#I;>1Ld(YWl`#z$K1i@P zY}t_9dEeQ&s}Jp2oYbGmjt@)TjbF%K9n#6yPaEc#-0)dP`NcC)`rTPC?RaHT!Own^ zI;=_gE9d%us#*0Vbgcy&R)HXnYVw$1C5L5i7gQcqZUjt`%MvHOBZ-ygALoY8Rin~B=!IrX`eq}EVrnz$v} zf{{;^t3GM3ElMdlsfnL}3SQ=CC4OIeByVfpM%U~3@BcbOqRP-~xW|xaXfw<=^cb29 zGygA_dhiJZfB+Bx0zd!=00AHX1b_e#00KbZUlK@G+o_v>f~X5ywnc?2i@Y{mnHM9& Yl|@byuFMPSaAhlsh*2j+hd!713q1s>zyJUM literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt new file mode 100644 index 0000000000..bdbedc732b --- /dev/null +++ b/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/root+client_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..faf4480a51f08ed862464fc42753d1002c886912 GIT binary patch literal 28672 zcmeI52~bpZ9LL|WEXN8<9xYMH%P0X6|L@pk4aVVG6kP#1Jj$e9SZNVlVRseF3O1GO zkerUe%&}0*Mk+?lgKWx-?3ijgbh=Q|4l+iaYy?fF{{R2JUC?S8N1LhU_h#OIzyIU+ z{r~=-_udX~cjr+&!|L=ng!!(z8k37tDBc5G2o{<^1;4UG^j}Gy zNl7~usqbgB5j~9Vw7yfeL_LL5bPHcY$B2pCxuXlQtD7`vpcGT zBeWMd(7uZu!=Hw zXf81EcV6sa789Ea*ib`U9J{*4W3yK~g5g2IsXir{SyszX4$capuqbbOX3-pBnq`hq znx8kL)Iw&+F38Wd=4F=%nOOxzCCP#f;a$YLgm;-}+CW-F(qtx8GpU+sl?*W}q%e}g zM2b{Wm`O2_6gE=WaWRovA%9675%Ca_e;(o@B4Q&V;v*trBqHJ@B4Q;X;w2(tCZcju zs_FUjqt23FQ)h`fOVnAS&JuN&sIx?!CF(5GSeeGkG*+guGL1FSUK8y#(OwhnHTip~ zvxz#V(vg&sNHIxty%Hj^5?!xEbCzklOxtDJuFw{RwkT=~nMFZl7KM^gC>e$NE7V`1 z$H7QrjWpIsV~vz5_C!b$$>gde*_%l#qJzsFMp==KWPmEk09BINRY_7%C0VU1$&yt` zh^mrc^-Ib}m4jiFl-fENW*QPk4vBw2>R=A3fgDVO`C=K!7t6p{EQgE@OpIFt`C=KE z7|X!KSOzA>lALNJ2Q10?rb=?ssj^~FItJzZprj{_f2@5l9Xm;5jny5=0&oCqLMuMW0Wah>nK7Ibf;_PCU+05LEGQ>$J zUCWnh_+iEphub66xm+G0JCl4VCKS5dp2|8$@eHd_Tx=EU9Ju0kJ6#I}4;kwA;=i@I zkvHk1zZ#p=AYQj^6)#(Qg<`=VghN7W6Gc94h^YHzrA+CA*#fIEjMnm=kHS99N1u+j7G9xbp(-^J%{jx8e%ur8E<~dx)-vJT`2N9X8_Y zBU5(%Qop#nQd=82x2t8=MmF}q6VBBBH(xbw{WWLDs=lt+b@!ZhZQ!g+(rhan+VyGu z=XGW2FTCKq!FDeGv+rY?6W(kq?A?|ceq;TN@W*mK>Wyi4z35%B>YSz^r=bD($ozU{F$=V=$5k}BHz_O&!`o$~1(-@%r9hmG6L z-qIO2bpgBWzMiJ|tZaEw>+KV=ZX4Gz`+UcHcdj3?zv+wa?o&%ACR}y$(3rK_N;X~| z8}s##F-+tVuNedFE8@hrn`j7Cvt z7`{lZAE60BJj?zzlo>wMm>J7VLuuTTCz9^F>Cu#5j%%hJ*}3aT{1=t)9jk1r+&iwS z=f|2S8s0s%s;l*rb;WjVFJ-#<&V6)*&`yEqjnq_xv^S$q%F73JFKx6E| ztK-{CcQ+kA);#l-oUNOzTbG+N$86raXyerPJNr+1pFi`^El)3Br;9z*vuI`6$L;4A zo8CGjKlIq>-aB7Q-!efHv1_2?tI>BKeK(>rruy@kcYNbVq->kHbjA6G?S0h1-8TY|B9H!{u%^0;kOBPcr&`T)+kdfB+Bx0zd!=00AHX1b_e#00KY&2>c%i zgz*}deEP|S@|tk+VW0p0zn0PO(bxVT76@wq0zd!=00AHX1b_e#00KY&2mk>f@UI{+ zS<@KJUV$G8f00jQ41VZ`YEPl)hH;PB$ ze|)Hi|NH-AjQ*G&p2`1TJ;abV5C8%|00;m9AOHk_01yBIKmZ5;0sKGv$j=1~yb}Ir H4*>if6nm11 
literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..391fefa234b49726959a94205089a04167c44fb7 GIT binary patch literal 36864 zcmeI5d2ka|9LKY{nx@AVMPn%~+fdY2)VD{DLSY)xv~*|#Ep2V^h?^#AN)MZ)QgFZq zgpQ5};z5CNxKzLc6-7~09AI>Gssjj)_XSwW)B^;I9kA|uNn99g+8O`R&Mz~0`R(ub z-uHdq=WVv#bf%eIQRWZ%nA@5Ijbe!56=@2JQWP?bLZMJe&qV1NduXLV9XpU-sq^B& zLY3mW$-k!1XB0YpfgK^_PI0U!VbfB+Bx0zlxuNuVJi z!H}6rg|7*To(5l|FC-R;Au;x0)L$TuimI zw4&O<%ycsLna<*}QhOCs>6le!vpXg-(r>1XY~+Q@y!MYq@* zY9`0-n7*5hMTyh2T7w~*x{-9Kn=AUgO~K%-fd4Kro!RHpMwT6sr${n%Y>Z$kDg=7uQ1scIf`63k-vAK4Y z){q`sjXxM{^#x=Z^#wAK>P0G6Hn*daN-$(+Qx7$hEt3W0NEwxiY@3`P&c@lM&8)1N z$cRXKO8X{q(v!zAN#G2NQ&xOv#fMgMh`U$?+?a4<#*GCxR@~&{M#POrYVwH`inK%# zVGR~V=D{i~!ZIwvIxNCMEW%1G!cr{4S}ek1EULq8)Lz6NQRX5sQRav;N0d3D%n@ad zD04)aBg#A(%agG@8OxKgJQ-^yRWqrYN!3iM=17$&n~Ac8^dyv6f{7#RbwLNtSC5fGk5AY=qWMj-kE(HF=*n8;WY8EYbAO@ykXi4e!)$)h25 zZ^cO-P z3~x!KgGKgWiFq)~ex)$xR|;c&rSQDIv5BQ@%&!#2CYHk3#8McWSPJo}hCN6jKHs7t zKIx*NR}Ou0c-!A0IcXw&J+d7Sw&OL4$m>BUmse^HCE0^r80B}co0VgHZ?D5YRZ?)1 zh8uVQ0U!VbfB+Bx0zd!=00AHX1b_e#00JYGfF3Ul?*B*X_QJY=01yBIKmZ5;0U!Vb zfB+Bx0zd!=5CU-j4<`Z;00KY&2mk>f00e*l5C8%|00;nqkxu~b|405F!wP`_5C8%| z00;m9AOHk_01yBIKmZ89{Xd)oKmZ5;0U!VbfB+Bx0zd!=00AHX1V%mqxc?vddkiZC z0zd!=00AHX1b_e#00KY&2mk>ffdBu$PJc*2*QUObnwsKI-kUrwX@Qi02M_=PKmZ5; z0U!VbfB+EqzYqu;bsF2^OB6x>?e02XAmrwFpT*0I7U_t58CO0Ex1*c1iFwPWFY8O8 zG^uDNvdM?ZNKi9J6Y~E|cWytk&A)SP?TV=-OgTZ;t0dJ?Psk`mOBcJ^|dO@4|$ew=9>a%$$97c`uRVM}AdeKE_ z>imMYYaUydbIsZ`g>cmS)86~WbT#hSy0$2&TPo<{v)Ttjo zH+_Bk*X=o$Z@%qWv0RKq3X0j0$DLXDvc6Y%5VH1dufN`lBl*Oe|p3Box zS6q*%h!)Ud>xNc+;_{xjved0$d1|W#R5-r5H(|>`Pha)**>mokGdJJ;?!Eu}&2PTB z$qXT3A(BL;j2kCUPmwCQe9Q#Ham^)M&*r^f6y zjA_`289ifH8I>3%897iDv>^hB03v`0AOeU0B7g`W0{=q-UQ8y3V~tNqOpTSPVrEGb zV^bB1;Ed?x#29_wP=D`mf9{wGe*TlWu#Fouf!o#2wUd$r&)!oHDnvkqWNEZ4xvK}W zmjZ0lRp8tEF_@e|*7yuKUXc-cZo21 ziD(*iHN>QSZV;}|v9`unr6{G*$+E8DT?S376YlLJ@$bnYF_s$~I%d3g=oIca|0&#v 
z31dPc{J{*qK@$QbV|>H8-abL0;f`D>LG2{9^QfHmDh5?Ctb#6L0Vsr^ z5P`x46k<@gfE94mxlg^((xNf0~|Os+LS^kU#8VCNW_kT2j1K?kh~I%rKWyVe9D zXiadmS`!?y)&xYgCcvsOAs?;TJq(i4db@{-dJF@nMAN~gI|i4|7)0IiQf6nol-b#r zGJEvxoS5=<#!H!<6H{jA#FW`NF=c{O12Ir0$TzJCl1^*JcAK(pGp@^oNu%i--5pLe z2q#u3C1Rrq!k(ltIsVo-rde9jlBqlTC~1aL4(m}}*L4)xWzwmo)&MNG#?;QxE5eLc z8Y&GeCfu#z@e1=*7{-#(?uue>BGaW}?)&6}sH9k|#%UgP2wll0$ z)nUFNIJN_uN@U@i2z4%D%w##_jLvB_#&IJ(jPN172u~(Gf zu29CO%fdn=+^{eSH(f?m6pBQ7Dpv`5DP-xHvUF~YEM2MK7*ii~NS+JHr#_+xr*e!1 zB0@k4v{k~4Fs0#4olZJo(6gvV*D2GM&1gEv-+Ez<`pndD=ZUk14ay1gPFS*Wef?L5 zd{0|(N?XQ{np^cZ7jKixSKP`@1+tD_vGJXD?0B-Mes3s;F4$8c*&pcn&8Nc*izE)4 zVhV>{n_=_s+Y=-5)(CHXRxoV!ocY@tiXOZ+Jom6YE7jgvF>iig-p?wZ#E~621Kj)$ zZhf9HDyKHqzHM+2Oa0(juB4@nU;G;_HZP$nNhbcGw9stvmCUx8akbBOx$fRD+P|jE z;2-{~ydmF)Uu`LOGRwVxf8EuDh0eE_A=r)0Blc%zacxaMN2$L>dF8|$`mqC3*(#a;>lW&Y!ZNPV>DEHB#=D+x5S-EN4*vAY#<)CcV+$X6&eSdc6fmjv) z?mE3S8&+J-Tk@mP>gw}$ZIyQy9$8&|eN~H^B`D8KbveDMz;#MZNz;nbo0%`>-Z`?? zV7%NloEagp5;@u+bXI~^sD zj6OFDZFwB&zSg+ma?2Baas6P7+`LM$#nD2Qu;%){E#9Kn`FMwA_Y^SkzQ<)W}SY zXjbT`7^zcCx{}DETM=0_<`y~)r}cf@@BJDjta@Fgg5GZof~oJGk_NL&!5RR(6o>ZltZ9r6HKbpSoVn?L-(yA|(S9LTWI&sKy z*cj%lr@YwW))VXV_m2MOk*sU$7xo)*2zRTp9y<#!UDTLs>*LG!+&076XWEFPliQD; zPuMu{RPN1&hNp8~?FKxlvDv_k$8Gt;&DT^Orx$N~;k>QH*;ID%==#8b7wan)*bP46 z6T9_}LCgGT_xQ*kGm2<*9K(xDi2g)BYPB6QkfBG=ar|{pX4Gc@xIT^}+-d6`J1iRd zrPK3AjB)j4<@L5VXv0`MiUdIkj zOUcZ!DfxVbW&Xko&mtOUo>g03``ET5q9V8MUjD>y{Pu2_>|HAMw%JiRyJ+l%swVLmsb`vetqkT?cC{E zMw16GJ`nBjNo(72N6xSlo41Y+%%50Xv9v)wyzT`{Rc{xjBDP~04RcH$N9rx6*Mh6* z-81qHm)1KkRm@^ZkgvDHN6r4UQ;!UGcciV1QQ(GD$P9KZ#%^OjVLzk{v>^hB03v`0 zAOeU0B7g`W0*C-2fCwN0h`?WqfB~I>gTLP}pg}!Sr$d8!0!q`TGg#n(pXUBQ9%Co7 zw>X zrNer69nJl}4aPo9-Tf!CZ9XV!C>TTl5kLeG0Ym^1Km-s0L;w*$1P}p4;7=nkhM_jY z-^ahzG2YXyKOHjKm-8?*ZQ0l@zN-h5Kt literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..633f26005c9734b998e0ec8ec699cc1c0164be48 GIT binary patch literal 36864 zcmeI5c~BEq9LKXs$N@s|A|O(ij9L+ox0}r&QZf00e*l5cq!*C{`-9 zNlBDH)yF%EUDI4XK9l$Hp?8%v-)0$UqeogYa%^-cOLucS>0$Xy;TaWHHnhAr#oF`-kHTh(ax9p zJmlOS(zi3ANS&cjXtl}ISkj?zD(`kq_j-qwxM%S`mojKBD>u_NiY7&DLF_41dVp6O! zg*G9y8n@S5>M9Xs}!!{f#wG<}E^3baHK zVGRZa=D{iq!ZHlPIt;=>48lqb!cq*vS`5Ns3@XHJ&|bhFQDy@%QD%uUOO#on%o1gm zD6>SFCCYj-R!_$2$yhxZt0!ZPq-rEpBdHom)flJ}Wg}5Gk)DJSLol&qy)43GS+ZW1 zc-E7=p5*l;&yfsAGF&i&XWC`40=v)z#W1i?hp*|?7}DEbw`kY6DT^%cU$`i3SJvLU}h7@AlJLlX;OXksD6mm2mUg!p<3 zhWMfjhE6ebiDA({A-QM*eI2452e#uh@W|;vC`B(-Xa^-f>&7U41=|@h#?SUD{9Pp) zH?g>Z7Z3mfKmZ5;0U!VbfB+Bx0zd!=00AJ-QVB%jg~9WGOWj^r7Z3mfKmZ5;0U!Vb zfB+Bx0zd!=00BY(p8w%O00KY&2mk>f00e*l5C8%|00;m9Akgv&!1I60-(y%I5C8%| z00;m9AOHk_01yBIKmZ5;0eJq0YXArU0U!VbfB+Bx0zd!=00AHX1b{%xCjig?Eq{+; zg+KrZ00AHX1b_e#00KY&2mk>f00i*g|5ruUNi?Hkw#CFmyIXzTs#DZ#AptKS00e*l z5C8%|00;m9An?2p@at3&mhv_duX~cc&{g8Ivz)edM*bOBALL(%#wpa@D+X8G ziKZfAP#&^~r>zhtr#(NN?8&xmcsVLfb96+!xl&noI(v#qeXz?J@5X+etA3SIl$4@T zq(T)?k*Xh$<+OI?x~q$-5B2zVTih=y&)lDvG~AeXctxLt?voSVuc<8E?AIy7n>07W zr1IlKHJ5uW`l4EX`sPzOQ%gunS9rNqnk!8S&~|P(XC5; zWX`(2BDURLf8PWBkDiNJa=Eo%rwD7(VQ7ZQS)K(CW|)j;rz~Av-P$?lwshyCo8P^3 z;no=II_awV#>%EljyU&eXTz{l*T$!{Z9BepNBq7ImW@uY=(&8#>clZqJ^l0ix`?nQ zg}rZjyKn7Ih;B5+k3H34;gB0!(l@=ZA&$#ATr>H%H_qoxzts1&rcCCY?U^}yM|=6o zn*HT#GiTf`NY$myy=mU%TzqQ9XMN9{_Uq(fO**({n9Qy^qFwXNn8K+a9h08-p1MD$ z)0+52wKnyhvJD+Oepy=5l*wM#x7`1Vj(%|Y`wqwF?BNUz_Bhr4c{^A2zF&BGhi=f1 zew{3=N#S44HBHh|wq6>yW)j`=aM6OvdrFV(ZWs07t@=c7L@ZmqZFbJ@O_^+{%{|fe zQ5)UZt^F>!uU#zNw{+R(gWsOm^&JlyzENBIqF*NsYto3CVX|Llzt^MJIuEGI>*rsP zX=OT-EO}kq)9+=kj=Yej9JsqllS_;4Hr#2LFt#YJt|p_d;LP^Bw;pCryka`Ke_!_e zxb^-nR74V2-fjl(^}gyUalU!aapc~>2?PF|*}L_(^P3j zKQFg>@CgKf01yBIKmZ5;0U!VbfB+Bx0zlwD5_myop`QH-qAG0JtPEFn7!={k21i7= 
YvV)U{D;s!OxUvyRqhv|y(B~3=1DlPWL;wH) literal 0 HcmV?d00001
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt
new file mode 100644
index 0000000000..9e34f7d8ea
--- /dev/null
+++ b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/root+server_ca.crt__root+server.crl.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..6dcb06f709163abaa8ff8779475330009cb10925 GIT binary patch literal 28672 zcmeI43se(V8pmfcArKHlkv2-Lq?ScMg_*pFVlA(LXq2~a#Q+h5QG_Il)moA&sI^ko z$H7wT3fk(CS}GQl>RGL&*1B$2cV(?Dk6j-JEvxS80xGO~?@hw%P|xnsJ*RHJIcM&C z_q+H0?{|N5@0`penWO}b-lUT(%+6h+HA!TY2Sw9Vm_$NR6d&!*Xm@N*$iP0wMmvnh z9QjmG=pA=a2PJTAq1^6@>f9>bvfKhu1~wo71b_e#00KY&2mk>f@INFFCJ>0lKJ+a8 z(hOZ*`eLmu%m{@a#It;Sm~jZw~qlNql1L)bPYv zk}2w0l9Xw&2`OsaLuA~vXiaQnvLrkrE-`tGM9ZR`L%S61GHeqE_Hfvx!dVs0sz?@B zQOR+lz=;wkAvjUtWE@VkI7vgvI3mT`QliLW4UV<-gH<>d%Wy2#;aDuhu~>;?u@uK* zEsn)v9Gi|)dw90^h_cjX6J;q;mJ($tQI-;ADN&XZWhqgXk+w3@Rz}*&NLv|ct0bjL zQmQ1SN>Zw{l@etoQ4S$B2_=qTl9KUCS=?4i#w#T;%ZOh_{4(N~6OWvD}f_w*}Xl@l)akaQ(~(S(i207BL-zpyvTIK zi%dsdWcI4-=oon&@gmdFF)|$;Bh%3_GVxTyF(4DqH@k@^o!!jnF?BuW!fumH8e848 zo^aA|I2j5pn~}z{0US>tR{PMD?b4ECKzH=1TC*ve0wGU!t4f-kr3XlI=N zMY(NqHK7A+KmZ5;0U!VbfWZGffwe|v72j*{U{9(bzTaRiUi};cWd{%BwD~-3hsV^Q zd}rQn{C!en0!{6uX0ulM1J+W=x(kGX1(OQe-D%p*iDDzTFm|GVN#QetLXvexlO!@6 ze_0`k&o-Jeb9G4x8c9-;Mv|*T8KY63y;NetwT!yl<+@x+x-Qpb6uYC((3~`clc7() zirHd!xssK0a(kBbVm*1ZpkJkaVK7$ot;mu&8|K~kRJQx40tBU+`g!oX~)K^#5{W>Jv;}7S@SD%Uz)}9|3Ip_EZgR<#BqL`8IKcYDpGx4)m z{9Ma5fghxo`dyqi@^9ZyPg%cJarw1kzbz|Pl{J@Nd*piNdZ%@1K(O)kRWa*-%!|;E z?J9U~eAK7A@0njMXvhfY7#=6ITsvNmy)eEzIhu4~7|6aUd!s(0Cl4#UJV(*=r;=fSe_*PB!&gh236*a}bmHwz7 zmN{zQhgr9{;;%l=kDj3rN3PGIS7RdVBwSGQC?PGA5KqGu>!3 z1Y;1RZObS%T^p31Yhta;2-eCI{D$Gtyn)BvZ`rUD`?AorvXrIumI?FN__Q<-MbGM)Cny>nH^E(^s zx>~DFR(boy3KrjyW>mDFEGarL>5oUP7faR*8eK(?uk)F_m_GDoOQCN>q-dw`c#6;gO zIkMV+_{oTj-9Nartx5~coc|YdIgg?%m{1X{xSi^8GIJn=6@xna4(FwcJ>;E&t4&4Gm=%O2@q686U3*!MKYsz(VDY&Q(6|Bws>EB!M8HyNMYlZqUoPS9oVBeuvQg5a__Na z<&)3Wb=)?8)b{rH_t%!XdDpirD@Z+G*|}W#Wt;5nEhAbN9iOl-nD1KCRr~#jRewF> zS~t{iY3SG1u|t9mO<%dLGry|cJa*R%7xjZ3pUl!+DySawXukWnvZFo=AKsM}U(G&N 
z-17eA^S&$RTHR(2&;KMX@a6W76Jx}FCwJ|h8dEgA;>g-&%c#ct!n`K`q&#*HWo};K zacjO)KGT3#)05B0pIBN?yp{wNnz+dDz~@`lyi+$__I2fKN;lH3C}c)-of373ZleQi zKmZ5;0U!VbfB+Bx0zd!=00AHX1c1OZOTdNU)A(sSLk#o;l;_Owh4_J=?f&0Di43Bn zqMT=TfDkwk00KY&2mk>f00e*l5C8%|00;nqpA7*%L(xnO-{L_(g&zq-BOT$B>)7u9 zvnbJFbpN0Avq1%c00AHX1b_e#00KY&2mk>f00e*l5O_uj#PTg(^wanc6@#B6@Sf`Z ze?29-E@~9jKci?NY#;yxfB+Bx0zd!=00AHX1b_e#00O^A0?v#le$xtLKk|k#D&fE{ z^{{>a-$;qBp!&y8r+H literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..572042e848fb394849dfc9a4aae5f811603ca074 GIT binary patch literal 36864 zcmeI5du&rx9LIatuIpo62M!9(y1Pyu#mUZnwH-pFj1CH;doW}J+;+QlP}!JU%OgYx zg^5IsOaqRoXh2ax!c!g+U?egEA|eQziaa#n3lxL+Kt;XhwDm%eZi)Zs@@vx5-~Ij0 z`JV6joZGwIE?LJH=J|s@y1K5RRt(adB3VIEis3Y^P$-nrQ!72A549Aiq6g9|bwhl+ zP^lPv|Mv#tFA9xrs6zjp@g4nIy{J#qoze}}t-IYI$O8c&00e*l5C8%|00{gy3DhJc zn9OD>bZ=1f*7$0DL2;xQ6r-=2oFbRA*hLpRN94KaXqF!6uc8Zz+~b@@rSw==DLujC zE}Y<^^F4GC z){*1#sD3#UjkF`wYLh9QnoK%WP8a=EGXjBv2LCKE=u3#0b9+X*N@!BV7UT}}K#@VL zb$C3{m`F5gM6a(#?xMa)gA{Mk;H3!H&8I(2RZ_)^a%eSa7h_U7< z)uz7D)%XK}nZ5>DMs<@+xO$6PW{EOOlv$$8 z5@nVsvqYIAV>vRGBV#!-mLp?rq-rBo8>!kz)fTQ2WgAhplb(bULol&qy)43GS+ZW1 zc;-l+BYBSGd6MBthL2?MEIh)q@PrIc$nZp;C;B|u2Z4+g$XJ1l6$n*H6CswtlSe}A z-hs1-bguLX9M1{3LnOoQ@S*6H8%qVkwMHEQR<~!ycp%pKp;6 zpLCJ1N)CN;Sp9cMPMUCEuWZMQ?NkXOs`4Ua<>J()QR%n4Fv{=Xaz>8vy}btiR59Qt z88`3%0zd!=00AHX1b_e#00KY&2mk>f00g=#0Ucf#-2Zpi?S*v#0U!VbfB+Bx0zd!= z00AHX1b_e#AOzt4A5H`y00e*l5C8%|00;m9AOHk_01yBI-Jby5|9AgAh7|$f00e*l5C8%|0RR7gjqaqvSdz3gDaqhZ+@F}HpDQKc0R(^m5C8%| z00;m9AOHmZF9bpsO}ukqPes5#wY<{T5G-eT!Jf_A1?h-<8CNz6EkIM$+Chs)FaFs; z#V4VB90plK%4z>?PMy?Z|Y#-HsU>I1DG@9f{_ z#1yVKTix&6ot>F%PIQ;f&v+EemG!1!5Tj*(> z{-nJgZGKq!`V*a*d`nz7YQ@m@-r4p|UvE2RDKWS0oi_jX=AL`r&1@XzF$@b?lrc?8 zUpd$L8>j8!X?x|R;H5c-#|$ysPc3QesC&}SuUVz{Y??mntELGlyS5D9R2b-yCZN=izluxOm2C0&AHy-*r zLwjXg!h)2Rf)-V>D)+7nKOQ^r{i%6dnhw@{bO8VTUt>&F7_S1nyQksoQ^osEJv2B*ZFv1$C^l;Ej(} X_VTJ&WkFQND%((;UTM}wKbQCmpCXce literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt new file mode 100644 index 0000000000..b54121fc4e --- /dev/null +++ b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt 
@@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/root+server_ca.crt__server.crl.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/src/test/ssl/ssl/nss/root.crl b/src/test/ssl/ssl/nss/root.crl new file mode 100644 index 0000000000000000000000000000000000000000..1d345a098f4488bc747deaa0ef788d7168beb7c7 GIT binary patch literal 393 zcmXqLVr(_YH{fOC)N1o+`_9YA$j!=N;9zKHV8g~7%EHWJ8j@OEqEM8dU!vgbsF0Rl zq!5r_T#{at8XV}O5FG5IP?QSf6c=aa=P8tclopp}mZXaF8d?|{8krj!n;4jyMv3#9 zm>HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W*6S@zp;+c5W9+ z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGwBllh2*f__60v-OkD9uJ?Uw)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2 zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..1ea3e8b64630be9ffe7463c1713556679c180e77 GIT binary patch literal 36864 zcmeI52V4|ayN74C!O{k?EFxt^lp(Wsq$3N84Phff{<9eZ^zRLr1sZ(#3mFZ)ZT3S@58s*1EjG^GYe z`8iUioUa_BY=Uio1rPuP00BS%5C8-K0YCr{_zMYG(`XEa9_$+&5h#umg$jcMBP0^f z*nqHLk%HY6dmA5nrnAQ+`x#6kk2%?c`5~WaBxIp%;|WwkVJe{zCJYdVeJDZuNP)=v zRDokWi9%xx(}Vqp`jXgy5V0ucg97y<1$pkL8Z4A$Y(u6ohIa2qutX9oj{YD*`A9^T z`KgA0Wt==2R$%Dq!5hP4gaKjV57j>yB)N`{jjfw~Zw|qMOwTFK?lx0=nXdM}%&8vE zUQ_My7VIW_IJi06`7mv4Cr|M)WeQR3#ll`}?8U)tA^}ff;Yk8~Q-E&@h)ukRfQzqq z_==COEb)~9UyZ?6LVOi~t;P^isBBFrqPPYNm9>Mbuuxovh2lCa6c=KlxDpG+rC2Dg z#X@m07AnHm^6ts{M<}ypHlfTWl-Yzbn^0yG%4|ZJO(?SoWe!o7L)7IEbvZ;`4pEm+ z?cq?3j43{9oCG@$3K9@KSJfbd-sLLbj@(8M!CW^9Ic;j*t@4Wy|MTx>9F^|LL z@bCh16E7e)@z&)g-UYdd@2%X#cUf-YMCB%qRb~==S5$9Zqj9MxCs_O01yBK00BS%5C8-K0YCr{00aO5KmZW<_YhE| zDq%ZANAe-09ce)xBQ?km$aSO?Ig2HM1rPuP00BS%5C8-K0YCr{00aO5KmZT`1pX!h ziew6Gpi{AxP8ixtM<~h-eFef8X8o8ZH|nW`p*4ISMQ(`6grWJ0M^YeD=mwgvxWxEh zwFpuzLPo09sHLm9t5H=iAZL*9zi9_Svw#2~00;mAfB+x>2mk_r03ZMe00JKoppYS$ z?np^ghf!5!c%iGyI&mSv4jkR2~e;&}bRLnV%0 zD2`@|#L+Plk`tyx?++zn{I7NnLh=xQL__To!ce<{1R@1k5?BBMKmZT`1ONd*01yBK z00BS%5C8-Kfqw!41+oTw5SmHHLm`TN8d{6Og2fRrvZ1vCF4u1n2waTPr@l#g4g1Ns z9LbH6s7*&5Sh}b-9z{@A8Qd$#(-YNU8KC;ID8n#OWO#UFgjs|zTx=c{WG0b>;l<4H zm2CchB7~$OxyU7K{(mKM4#`5+Ac_BkLk#)=2mk_r03ZMe00MvjAOHve0)PM@00{g` z2y{m=zl1N?4L|@800aO5 zKmZT`1ONd*01yBK00BVYZy=ya=E9G>O6jTUtKlPs8_j(q8pb!Y-ma9*V!(5KB3X4; z7vJy*F8{UsFqPz0J>~0#vPlVeF72q>WIG#^!Aa{8iD^sDqe?|w@WvF651;S!mvN+g}cyMPj zRJnYV%i_v6`=JFXtlzuaFcl(8VFW^@uo6j%5jef!(?-RC)eoFb zzld8{8$?^6I=g23^ekBGa(b|3d+9k|?%PSH*1WFK%2@t9au3OEk(Dq>Ov|)tf2Zs} z?(pH@;ld7sA0BI_7?mFNY&vO49}(w8Pn&eBNi#q4SZvao4$5Tf`aQ`GdR8H2iBXDZ zQBvdVt>1Re5!~9iVQpDwQ$b0A)+lFMXe&GL=K^1NT)czFHb!6*TAP*entmhTtr9R1Hl=$n-9r91uQ=<{bera17?)!~ 
zQ99FET&278;Z>zF&9J+gSEObG%}-8Sob)cC;B~Cop6QDA9XpQuy4_uM+O%tq>X`j! z_2#{O&Pja~c|Nsa*H5<%7SEO{&(Kad9$+&3b^AqA#;B4#``jHS(|8h{|!Cv zfsuC{dH{;8U8LSThnhgH!7r}9pOIgL^aru2S6W%H#Aszz|keX1I7gg)JV*Q9!l+&vn$b`2Y1+6#7y=`v_iG%)nZ>u$2j1j>uppW9&n7>uU zywFRTzlGsXuDHJQ`d#PR4%&*`(YbrAO#^6*0#Be9M6Oy^qafdwiu1b(}~|%ne)ct zW^&;SEnnW#K(8_Uiq3KCe@qQ6tg%1k^;Ds-pwi*}&L^!)`8$P;1KOHL+>3M{Prg;} zw&R&o>zP+A*WO=h+*s&4pJe|QYRWOS74ytso5&fyw>vGjnFZV57lQKmt5ktjTw6AYghGyq)Sap%(6_6 z%ym3KRbFQJpnQ35MIAg#+CFvP-kOM{NT{`otNB}ac5Fj-r;ewnTeI5V0B=OGNr&6V1$)S^_MYNjy;o|bLt$jnmp>*qV?jyVfWkEI&j^upan-_Lpyb|v-0 ziT$~IPFPAI_41~JdixQ)^S`(B(VJplaMj~Y`(YO`Qor@5_3q(b6MykF)@s|CS@pIa zshv}uxEnH5O}3wMLXhgQGYhKPw?+>p{HY7H0mc03M;sEh|9XFleZd!o8uzFF{V5>k zVLh-rTK<;y1x;LEx3j6-|B@w*;MD zCkSTftU9)4Qnmi64P46EE2FD&TPG@eM<8m;cNg+KM$b0YUJR|4v?LCGJFM&6vpjz% z3q$ly^81x>H!ck?b=A*%s6jrz{JnpXN^@!5+_O6vzf2L)MpplH&Of2eQn8G;b#F#w z=$)5oaT6k19dc_HJzJ4suzyHES-!4l(0 zxw#~j`(ft01EbLbg2&ZbC@ji?kB^a zP7)`w*w;d}rXvkSv@ZAkP&mSE;uHO z{RnMXTF2NEadBPzh{5;L>G?X-M=BIN$lBDhw|rCpH@U0?TB^TvN%gFQez8}aRW^UStI2mk_r03h)1An+BN-ZL8Oy-R~MxR4t54~s%!kuQyvD$u7RH6pKfl|OCc-&TxO zA`!7Iyfzl%`s}R;Hps&Bu>b$xZ_%+hGlT^s6?+ca$Dz1Cat!)7gvP#Ex@QR8=ZGuz zoaDCy=uUS-#pq;cpE{YA?m_ z?{q%|AFc(zi7K z*g(B)=ultMY#12+)mr`hQ%P0fk?%th!FO7f-)ATdK59tc{k(AIkdyBf!uB70SvcO! z?PXq9w!iHp2HEc6x3eBobD;qW!^?AL>xEQE4%`~(*Ro9`#(!4DwuuYRPB^e+$umzY zK{ed9iIO=Sa`f{Q_|3J>DDcW9ZEI4GiYQr_5i`8~&Uk8<+pg5>(Xl}#+r+bW)HKDH zxanHXd804P)jsl6bF;-B(H`BQCZRzueKrbD9HJQ7#7fWETN;j3?)(!0N!^0vwy2Jp zGgW@v$yT8)r1?fG$QCn#T*B`+ugOfYKWO}RN6FZ)if)ut$19I9t{}TJvPVFgB-^J3 zBG+r-9oz3d%2=}h(UBELRdbz_Dg>)l8+d8YHfRX;Uj9|l7SjQ0){T0tU# zfqk+x;$-T*oY-2=I|DTgN$G|0>AQ?jsZwQgl5mJ!&UM$f@wCECB>j-%4t8%sW^Veb z$l3E-Nf^)nr|b+-vYtz`+H$Mnv1)6N{)cq#P@`kevD?SLkGSh78tFVqeLFDdNc5=@Zz|$Q0gA`VN4ABuWM1Hzy;w*-qjJI47I#Q} zKkG3s(H|%F=N_QL(!sRe-n92)!<<7Q&8*b&V+jt^c?`S%0ah%9TL1t6 literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..c834a04c75e060c037de9d211fe5588aa18d7198 GIT binary patch literal 45056 zcmeI5c|25Y|Ho&{7&B%J$-ZO^D*MbZgDhDhvJ@#vVTQ?)rHo`PMYo?e6Y=X6E($oTSzX~xBEyE!p;qMTn zpb-Q;AY6^kM^n)Xf*pcJf(8Go5m*iq011EuKms5EkN`*kB=FB95Fj8RDK8HN)I+JX z0D2%jl)8)>N}YX2S~yvnIa}hK&CKmAakHhk#eUwnRZcecW=^g+TT55m8V4K4HI}%Q z4mgXI4pw$H7S1>)%T;z}7M2<~<}cGg;`AFyRU3(rw2+5F{DQpc;f$>TOwoh7Ei{@l0)gE$+Z%n=AlNkym|yMotds-JfdgRv^aFN_*W7nm_;b`BSIjsPl+9xzu0@ly`A_)88QRVz3`QdSY_F>QMr&7bZSI+uh0ryPuF`Ijt2 z0#VfhhLDt=-5NgzV;enWE)D#rG}G!YS@emjiB3=fNkv8Ifnau*%_W$N_-0Z~ciUV! zFCAxQzS7BA14kt=U(9}^l9(?YR?IG7l@M7)`m9BL)}lUpkyS-smo+1^W)#*;k2TY0 z%?wyGDr-h#&J5V82-9CcDXLQM3-Hn zJ5$11i!On+7F{+OT{anAc79!UeqDAyklAg??6zcfTQZv}Gbe#SBC=LK6SCavvq}l< z%3gG`j;;=wRbeJ%RhS7`Yo7^O7G^@$*3N{iO`Zu^L}x-4*6EPVXC|C$#wImWI@gTy zr)I1!nXaHW=Rt4Q17*%HGo1Cy3}@>y!#~xXT`{wC)-N-hT`@D9T`@D9T`@Cc?P@F! 
z%#gLe&4jF-ZYK1e3+Z#=rawaVPBUGXHfM*%vg1vr61-^yf~pQ5LUOs{zZw|lKEWQu zxfsU$MnST^RfL!?C_*2?e1a2503-ks011EuxDrUSgaR%_^Mz=s80xewWA#_l+FmnF}5*}Cy2@fJWGdR zWW9m|1A~Lu3ADEOXfo5Ys%f!iy^d9=RFOT@gwPb*ER3_u(9%xPuV_wKS}w7!lY%L_$$e}@QOP1j`KrH(W`@m zu`yYt6bJPU8gdbkJ&Zv>d`x!g`llifYwbmZmc+^U@Q2lkRkrw|m!hy6F_RuwF#}bv zJS&b#_B(kYR65(Qd&GX$L*6B)pE?n|xn(#l+$3no>U`JsPdiU2=Sa}*URofaC6eI% z!uZC3T+n^{SFhEjvgPFaYF#CYZ|8|_ytWLmQjHk@G75=;zH{z7n_Cvx`rUp@REmHm zJ|m4^9??5mv1cK@7BXoX_iD<~*8a4E+toEcx@_JiR=uM*VjVCU3_kJmq8sn_Kp{{< z9CQ~U5P?!luuk|U1mzbZcoNL!7BK`}IIdgZP>%I*vvTd;-`wviyHA|DbNWn=YW^+@ zgGJI056F!0L7{w596=C)oX*0BBFG|8o(a}aIt&g~gJZwxt~&7C*e`Sos%~lTEqEMM z?K95$0LFp}Po9`}18l1ytOY{L5vsb*}Rz(H#6RVMnvsLWp14xwkNp{Nu6bxBZrVmha$os_BG@PjbG}Gj~@8+V%Um0(0j@D5AT70g-pusPrh=uV3i*q-0!%(rZlI>p&}9VpjIa#X<);+IV@v@_F@}87VbY{H^z0 zR$NIRKD=$yyTC8$`OVjK35sya?#Lx{&CcJ7y-AX=r+`}RU{BM0My2yv6luy8Riqk9 z*V=PrpX{?WuU3uoLSgu-n%Z_ey(8ks;OdADm3^ocDZu+U8de#8O&IRWQ3gad*inFYQyr00mDq(n}e?J;|+$AZdw*St>T4( zjKO02HY7&5P{Y94Xk&t)gNfoMBbPR4Zp!s1E_CWDt`zDC;j3DeZTmG#yQEL2F)6rg zdq1)j*x50 z`F>dE>zR?}Be9zVbojS3#`Y|FxY5@*M)O;Cpsi{44V{~pM-$p9&c$06KPK7cAihTp z47{g}F@D@PL!0l}rOy~la&#M8a$ggu*|j;${H23+Y~REr(rh;RuA1tb6x011Eu zKms5EkN`*kBmfcs34jDZ0w95Z5CJw$E66zDm#azUs2&rQ}3at>rU>>6ZG!1`=YQ7^ z*bXEB5&#K+1V92H0gwPl03`5#oxlQ^8IMC+lb#Rti{|G_nvUnM}iQl4-hVPBNJ)$VsLU zP=A&6H&JxRfAkoVqpUB$Nv4qzoMbYMpOZ|}g>#b0R2V0jLf}Kge4)@MP&Haq(`_gYq4Djqif@|Wd6AHUT-$>Ho0HTB}U4+k5YxtYv5>MnMv zq~^D`!Accdk;6e@@BQ5ev$`4=)}IcmzGE#4;3a-B`SVD_gGr;2o8xNVwcb7}6@Qr7 zLr*>$EB0@71|9C9J;)^R(t!Rd2)J<;W0P`KdCcvM$%dVkVC*JVV`IzE&Lu9G(HTUT2)UuE>m~yTpr6|cYcccfU zFMs+V61S?M_gI|wM#(#x&=>cp1~(Sg=>vE%jwWej9!v(6pWCzQ-pZKf%}d?FWrk96 z4D*|u?!P2uw?5i5k+3U;8_B7P@E`IzGLT7QVp$*Q_`#fyeLPL%>9%5r#lzs8B490y4(`{qdTW%@5Au; zh`TVuOSiGnZEufNn+$L>DcR>e^)*`|t zN0Ve;hM)_K;DSPfM70-h5Bo!-{Z9&oEr@^Tlj?s9wqU3`=fo~M;9&G^EHAQwNZJ^I@IM~G#N;q)(c zp$E6NN=I94=wHIkoU;{vo0~~;6!n~Y8T5j@=U{-wSW3~CwOVCI7x#?Hm*jgsm#Y^8@Io9-@-zgg zoxmXcifGl5d?g-0V_b=}pL|V>1a^mM)^oHN~`Pb-k{O9Xoh* z-jYWp!68Rv0?)N$z68m$(Wm7V||&Cw)JL(rEZK=bRa 
zkvP4*LadL{%ObWKGBbJ*<(N~YwUlx0QjbAe{^h7sVdf{4UkBic> zHlk#*8UfWw1Mq?zP4YAZb?=HBRBrC{zV5{*b`;%rB^34aUS-C2m5r`eb`mXc_JmMsm;Vg znS6i=fJgpf^5q-9Z1rE)D7qHe!z46esue^r+0y=Ot7Ic0v4nm^XkI;B1nYA!sb^evjg5;>e=ohprh- zU6oz(#PY4Z>&TCKOBvXLR$n=8CSQkiXqyV}f0`E(*J+*a`B>Xri+zafh4BAVVUA_-;KIO5E6c)hqb2Q1*5Oj#%dRC_6RA339rWbiKYhqcs z@mJdC#8Qn)$3)b}J%!v%hQG}T4UzA~7fX1l9B4l#6f@Z_)GsWc@!;&|=<;oodjLF~ zqe-5IpwZ<*9iKl3xxFchGou{6N^Z~)FfM&OTw&RIF-qa4{3th*zL^uydFpB6wRPTb zgY&D)if|ofuNR5ET3Nri&gVe%asUtGXp*NP$j%_u`&rX)iMe#r`f~o_(cYkYOUtAU zUDuw^MW#MDdzhQaQP+)P2h%@L3%|Hn#n9isY%zLe_HIeefwSv=>yK99I|$(UIGW^X z2#SHfykq3wIFXXI+Aeg1na9<&2TO#LCUQ{EIz?7njf`+JsSG`QM53LL+|^AhFnH0V zY(XWhAbxA9Yd$~|J1Kdl5m15h%j?F8%^qh1yS#jF;z~|@n9PYtnd)gyz(yw$0DurU zcTg)t@ciYV_KhIHYnkba9nBUcElUjnJCurbnvQ<#sFW_z?XMW8$rtf6!m z9I6J#I<5?Q73u8rT|daQZP`h<$WU0`k=uJBRUdtZS~Tr))nFa}3nMl{gx#=Z*m*($ zn0pu{^iIJJK|NF&au8`NkSoB)l)(uk01^NRfCNASyb}QMs=s_w|9tt2hu`7zGQOUF zb_ga`o!exS4Lf%<_cp!W!AkGC74Ozr7U5 z14x(6JNWIt`CC|o?~_Svs6XwA_QFxx>^4+htE%fQF01C|@iOtoVZ-xYS=G<(498;5 z$j_7P9P7N?cUR1$$)@q#nOA_KGDnZRa4a%ZgtRPkmwIyA$^U}(RGmfKypZ`*v4I-b zUX~@LM2KO=r$GReh`= zl*n`Qcq>D7IiDXbvCG8uIyAX3Yt6{VD^kC&ZHsEPpLXa`ec{Dcu<3RGW&5 zK%=JGcryEejarCIeLthWyk5A9Occ!Y;z-61b*t+TQIrbb*&Umt!SY zKab{hN!s4F$!ZurQdojih10OdU5txaplty=t#0g zWQ%GHfS2QJl9%3oZ+N{dXpes0!13`fZZ;h!$m!~8{6jCZ?`m%xDVypHixBt zDqn})17as%`zyR(Q=Pp();&Vv`Yz{-j4Ihg058kYBu{62`qUffhcHb?;`{F8B4pbK z!yHC~`ag{Mb_>L~SGL*A=VmfoqF5OAwkJ#BEL^G6s@xB0MAh0CzHN()`0c5lEAyG% zEyK|yPiK5C-oGkV?P&6(HBDypR=*7JU0djG&!|T^VDYs;LEr_~YYcHVdi+B3_iL9_ zEG=2v^D1~1Ftp+UZes%Vll;PiK5$@PR`&9`Cj|PWBVXPdgN#2$guJ z@$`7ibs9fIqYD0-@Si)&-a|?Ip_KF^MRu8-6sSPLD7_p#AN&tnh}@x03-kmnsOM3rX2Va z_dwAkUjM0xF=&#veR2Ay!z*1a*G(THH(ak_B?uaUG?=P3u;B>h(46cI_2jjG zA^F)$iP_`(4*mlhwzjW88l85%hb)A2`%@m_qXU&SzUGN~`vh6(!DWT0&^{UM>_0Px zmuQ{_iA_e3CPA2&X(vjjE{}uPFFNiEz;n5j_iiWVH=BK|=;`iH(1c;X3#+zdpuc zVDutt-3M|AKeIE;hnpe9jmVkiR_aG+*-CbiTu61YUGD?@t`&o+i8I&K-r0G#p`ZS+i&YL{Hx;vAO0j~?! 
zN6^$SN|x^x>lSp_$uc8f_PAKLC1OI?7CvT((5dM&s1;ciizAENK#B;@i@~n*+)r>4 z&JD9Ja7v?A$geJn^SzDkyM3Ab#&!N-jl+0dG5RxqeG1YA&L`}Q;Tx2Ty0r_Y&gAjy z!wT78oy^1ji&s~uq}okw-=f}BoKYbrNM9Dl4%zPG%_E4(cx$W8%BQalAWT*6LGhdy zv#q|G2&C+yZtRS%nQQ%|*4JK@Qp^+{I^?IGF3i!UUEFEykxYVB&@5H zXQhT3DvlB=^!1m!p@J*~@={JN!m139GNu~~IMuuUS`kNg$cn$UlU@~5 z(eo1(oq0x|mJ@lZ$8;rw)mrqN_R5=R;#Y?be_RnUglyf+sTF(iune9`a7yLHRb#bW zd7OHqrfBkGccx~JNzDKPRHriab8AD*L=9B=M$lif3QZ<{qtVD0j<7h_j~$M;{Z}-R zKdwsc@=gZMJd{kML~$OeQ{Xb5){HUt2=pjRbM3R%&KIZp13;GVX@JaUbXzr5_ML4u zd%HoKTAumM1DL2|mdIu5&bvra+>{)L_{<~K-T`WUK3C7(MA|Hy>FDafMcry|Sfg&ERP8I)fBIw3+TL9u zPEvx4vBbR3$C=I7T$Ka~P61IRuHN2WI%!2fF?d>MB&ek;TRTd2p8TTq58>BgIjkFQ z%-XMGLt`CM(2|?(&SGsTa)cve`RznzYP0lx3A?`4s@ALv7+zs+zfY`YgI2sif<~>0 zD*2KxIn*w1k+JQzl4I1j@f|#8feu&R3g_{|&6I_<)`=~jmG5nZ8ocX52s!BKI2x!( zd@NBWR_Rq$& zruJDYeYrkVDaNKQjnQ04O}GZ9hqOuEAHWCz5w*92kF$y8bG@vMSG4;%?kt+rl0J9| zpiofplNy2MdE>kC+f>T=0|Y?bQj*k`BZW@r^Uc|l%zzuc{*cv;%z1(b$q-Wf#UzQv zaf7o!pit8DI`NH*4I3zh+KNZf#={lK%{WOaK?S}a)h$T^mEWyO3cs;bnH;Oe^baU9 z-ocHl*VsNHr_wG6jWB$PgE1{L%1{1&D^a>*oC4&O8-Z&7&J%>hz1G&iTVE=4>866=$0Hnh(QAnp=jX# z|FbaBzZRB4ZuOn_Fi-t!VIUef{9W=f-w^4=p4hD8!NFa7ufBp#m_*d-dl^3)LXz!q z>Ab{!&$KOzCl+JJICFr1XSGxm%h%Hwtd+2*VsadLX<%m2cuD0)*t+4-W0uH+MGt#i zcCu^!w1&8}bCi#xAvt>5G2+gACw0;Efk(@4r&YMs&8yygn3f;fv z64k%=lYy!&Nqlv5ck#z<2fxY4oNv{1)<2;u64e_fG6#G=^lan8Pp@o!NH>(X?e_h! 
zdtq7aqY{ck0Z>^dKvhB3-#HZVSbIcDWg+9sjyH8&FLRe^10{C{24tM^UR%B>$(FX& zrdN3|1U()w!}(&5S|^tub1;&~7>z;#CiOv$G+=Pn-~+M#bwI<5Ee18lh3KRH1fCsS zO8qXTKDvEY?<~Ge3@kym3VS0pQ8V{>GJY6k2i^~gWq|1dW)^dmoEw!&?Nd;5Gj_ALlkk1e1)!>dJ9)r z(f+ui>A-{;Q_ffSSW`L$$hW1lUxTj<#vxA`fqbj|5f#$uqq6wTUv`M20w8b8voma^=YDUlYdPdtey8 zxTGgi%e*x1KBL83t9uO}_c*d|fu&m&=>Jn-oJ?3hO!!LLfGnMPQ#m|eg(#-#T!VJ` zxlf`jC6@rkdCmy*8y2+~zT?VhS* zKt2C8T!nRwIlE*SUcn>jzt$9(EK%M%YjbH!{chggcB1(`m>xOirp{PlJlO1)A4w=U zMrgXFk=Wil9O~qB76k#rq_MxvGnEcmx8W?BTolhXY)hVw96oy(Y)RM$E5Dyrf-hl>48wi4$>XA>xQYDrZP&M;vY(5tGxg%YMdL_EgH#j5I z<7%+xq0x7ZXUFrmItSIBE^#k27q%?9!Qrfb@va|gENpqw#(_==fbJvl@WYDcUt<07 zwOXSdJBEkT;)&Lu)NSK;{maUcWQ+xS1k*&qrM)i>(vnef@ph}xLEYH2{-e>0ZgcZp zM1-xGE)hb_j~1wX8JrBPqQ&tPh2A?hI+3pmhn)ejaF&%!A&G7g#yTFqe#LXZ1ch*HTx#V32-2nU}H*&>Y4(|`}lHf;8$ z+S!QpYg+Ea?U{&^sP44iDYKA=?H1dGuUYi_VcZT6F4KQGrWl%% ztids0;bpBa!Dc1c*nAD?hZ!}dJQmjZn&CB0iw|DUwOfKbfjLI}H6<_CUAIS=Z{Cil z<0O9`Sh{P<_uW^}DjTIG0g9(Ja92&|>DV<92ASYL0!h9FF>Q^8t;!7_xQTK@A^%H9 zG6vBHK>BY;N0h>j$z$+oR_^MrZ`5Bc*FvD8P!1>=F-U-lh!6}S0MgfO+S#@lJ@*~K cB*>z3FCt4X=N*8g@0r=P=BabI|E1)A0p*KFjQ{`u literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..03d88f8838bede656dbb48a5b56f42d64ee38d43 GIT binary patch literal 28672 zcmeI430xD$9>;fcfSfBx3kXV7q(lXFlT8S=mCGO$6uAT{HUx+oxr793y%0RW7I_|3 z3o7-#rTP%BYM;fz(@JU4YNb5Equ@nFK%cD&zL`ll5A23u@7(yn;B`j8E7`;TC9@yl`ucq{ z>Lx`CV&b2fdsq^46Lmk$Y^y+f@*er zqEelZqR~vuh)Yt(8~TRIy~E{#fC*#eQ38}F2%aG5$`?2*8CoP9!$%4cNFhlXr%LK7 zVep&+%ImEl7LMf^Slc;}Q&4?PM%)ZlytYe$|D1w8x3>mEGeU2!fwgVtIMfF zg!i0?F0;3Wj1lGplZMs~4rG3^RvDM1>Z;ylaP&Ii-abL{o*dK(f{CF4N=xWL;dI5d2eKuLq00lNt7VrZiTn8Ls$8H~zcREDCkh>V4S z1O`$VxWhmO0}mJ|VGsub4^xgt`y};QLYr_ zN>Q#!`$>Piq*ph?pr1~#rYVee%yl}3f*RT42PmcRmf6Bf{$uywr& zyP!AWX!Rx>vfhM5^(MrsGZ7!X*j+kvJemX>%me=yOTyb6@3|^|P9AKr zGi1OI7dW;3Mh0_MlvowL{(5BrQ}o{Pv9Xb!gFhKL(~-#i>{NC8!6RJG{g9>7&gVBR5pv3!2-UA)VFsD4=0h)$qYj7L99se`7(|;AunZ z4X?e^(IDYC3GD03raTtb*G3I;Ams9cKVDaSJ5i@7cd}Q_OMovK^Lt3(YzA6vs$#m6Xip z@VX~0tAFo_dD$GmiTiDv71&@6b9NNr$ZgqK73Ld;W`y=)#?WsVa3gqJQ%Sf=qZOp5 zrfLPg-tYpjU}CC9J1t!m77`=~3kwpYt3X7fQKzN|w6Lfq1H7+rz}y14(4IR{K0Q0F zcIT?gKbqIL-E~;?Zo}qxn*2^Vu3T7NJo9Q`X5O%+yu-PE+<9>2IuUuUgw^vDvaHyb z5Ae5R=&1=X>;Q4FFg2?5S*mnJywWv3T}x+k&FF0M;U+GJq6b@>fsb&E$ej^`4`1xt)@H1fW*Jr=rF|GLdW>#H+|i8u%E>^Z5X7s}wHh#h zp*=fJ@(FG>Nf993n3D~LeEqFiwkgxz{A|Vk5kDpg6{@@Y&l>%+IAs8Rf4bz3T)QNV zpZVabjjMQ-lbL;8hh2UYRWjqem(SjJ#~n$cjH))Ye&{@`c+i5vi@SbytI8>j8W=6P zn-Jn5J>ULD-ghe#ORvZeh1@kPExG8|QF#0QTxp^5jz#OeVKu4a-{gMX5LD3OfB(q8 zo4@QheJ8&(dOAn`glO6|%10$}A-z+hqO058*SVSraS(3A>_%)t_!v#m-*8a3PZ3;*a8o=YzT#|g&lNp$7z>FlK zV}#NV+x^{r{S*Jy9`3ty(wX9clQI)aa+@PsRMq<}HXfK>w&k!%(>D?FkH(+5<*Xe$ z$^Cev@vz%5)rPyBpVch%-CE;$ruvwT!Z@+SK3R*_w*K*~eb3JvsH2swIzauamgRf8KL)GB-D)He~1^#f>GZ z!o7F1jqP$0gR_qsTsd%j_2RP&Y+o(6o>HHa{fT>kdd&^f`ZZrp9q3awd}CSvb0^wk zJ&qBP8GPre5O~b|{#6f;q&`^KpRR6CZT%)pA&IfJnt4XBb?2@5z?b$O9d}?xXYKlvWGFjz1bDE1rlLU*o!r-Nz z_5c0z4f3qLCK&nA)fI2;W^41mD;$-2z4i3e6@EgSsgBF8UyqUH72X=XN;yo?W_;DA 
z%xk1)*oq;G?GEj$Jg_ieTW;W!F$V`NNE$ysb5q(T+uPe7o;bQ}K&eUNK%1B-O=-Q@ zs-&WE(S?ti&Xvcmo5)GnGe2kjL??@8?XJ<6z1&`zm(zG_^2aS2RpqxA)^9(zY6+G3 zsj#u;{3DCwU*$h?j%jjjE0!08Im`=aeL*1HdrvlEsq~H&+*QDwe^cBe%rlIH7q!+t*G?0FTQ!`O&`d4|E?b<`;fcHwGQ$Q{NKQPgFD2NL>LY-Y@}7 z029CjFab;e6Tk#80ZafBzyvS>OyDm-pdXhD28p|f319-4049J5U;>x`CV&ZG0+;|MfC&HsJT5`< z$MLfIlfVCNCSD)ua07T*R(*0~6vrPZ8TG}TG`jEqBMGXQQcww02^EQ#4<>*KU;>x` zCV&ZG0+;|MfC*p%m;fe#3H(X|hFnV${QQ*!>fN6TfnVxELmY319-4049J5U;>x`CV&ZG0+;|MfC>C51UfG==wEpjTqp9m zryFtgIUHNA%m_T!;swv?(4GJ9Bd8lxIdzNLM}7IHbR9Q>319-4049J5U;>x`CV&ZG o0+;|MfC*p%zd*o-%aSj8h@b8*1DN}w2d3(78nEWFMlY)SAHsM+i~s-t literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..4c91baa85e018d37071a3566256c88dbf5d53f09 GIT binary patch literal 45056 zcmeI53p`X?-^XXn7}uE*iU>1P%Dp`o8Y#IZm)tK=Vus%Z1-{q}dwtg-D6T%7EJ zVmPFLh^R1D42h1CL7~wo6A}r9LP_#=Dc(N0;dlXd@__e@{!RQ>p(IMr=o6m!9VITg z2qpD_ctxs2iY28c*(te5^7vnM0`-6ZAOHve0)PM@00;mAe@_CTVqyv^Drl~D42vDg z3FE}DELbtD$!BqMXG>F8OOmUpnVltRvX-O~`Ah<^d!02TRXW~k{s+w z<_`8t?X1mRNzRszcBbZ*IwanAreW0aCz|Gbah!s=3K|s@?$3#hUK7eo`molqgNsg{6bhk{^8Nlj!{ADSTP*233Jx=7M3eWND{U%)qteIqCzxH z6H!FN1JMX&u{ohrO>n={K$3sZpldG0;uMt0XrFQ0YuUjZznCcv(cfuAkEj2jLWQWB z<`|s9%*nF}ijH2(iJFqZ{!V5*`v(;!RWrpIEv7&wqjy9gQ#K_q6^TqpjZfQDy)YAJ zYUbeVszYKyyq!01EE;d8!!c3;*HGaqCVa?*51Ggz+=R)13w^jSfQtoi!GsG#xM0Br zn^zbjQqXvbC_=CX6&fE0R-r<$3>AWPs1Phfghs9`upE`bb}Wq^~|gm8S_oG%7s!L$4z#HUw$XMQ{pMEPOqdsFrC*&OvRxSRbyK6Z>$0yjt^W{%HiF}6k zB*rVto*X``rMac@Atu2z|HT8zkUOMD+Iw8me)&3=%B-i5oJG1jnNUTx`l$Kvw}Q3W zd3Qh9#eZCDulf>8sjCkCWYx3nK#q%QAh}EI*VUsh^hM^9W_4Zm9@OmWT%n?d zva~$&zMB(tn0t817w3YpuUk)~-)GbWzP*xUwtahi@AdSIyCXkpJUO#)2cd4Ow5-?M zk%rNEs*L zo4gFo!C=u^SVBsDkrsHVG|LBA=9JId(p@q7Y*tbHkIFJsOZx_#!;* z-In{AJ~#*Vj;_J7{wmoQKBEp&|l7-CM;x4RDX&Z`+?9%7eqY*$@+DR- zSZ>CwB}&TaKYSk>=w%<$wOIO@L#U~jFTha8WansE`R5T%?M?}eT(9W5^8`igHl^xT zu2|D9)I%9Ev*j1#>*r+G4kgnp3`+}xGB3DavXi{!ntpw5`yQR|EBY=RcwSqP@>EmR zkbV2q;N8GjD$C`2a_1%H6PqIu0gLr&QtNz^6>F0r&5n+u8GZ4-?BVH>m8rr|2x8Zl zLG3o5`coCu?q`+tDW@fGVOPmW?T`(%elOa<5=cQNYYz!!+%)IM+38G2B98(`X2;?^ zWSu($&cU0czgj4WY{}cR<23ek?6!e|r!C(59XAifQpFQ1Zsz}}`_{4LT?6jdu)FkU zOZV01_rBqq*LPw}|dIKUa?_422!KVLC2vTijjE zA7yAcPrEL8#G;G4^z6%`dRZ5@S4X-9QkbSOK(~tBiM#sc61y6v@O(X1uX4szFt~aaJmkqVPw7Z z(_k&Rxk=R!iXGeU5aQ7s-gz=_?)@B6Wpn(`@)fJvj#CB?HjNnQ`(3`^ooaJ?1#x8Q;%kB;>aY&-}KXN1>pno2}N`$yKIFD=T?Rrd)6` zOa5WcEY@AmWobulm<*{<7c^Mj(#{Ta*z)@7!!1yINU-)o`qA>l_)7Ir7tR=4`IBnB z`>vg)mJjSs#AlQ?H9Kyxo-2Rx&cM;*1Ab-2HHAq!-YrE|zeKELS~OKzr#D1ZDOt{6 
z5mWIzdG%c-o6Awdv(!Vyv+pO+0+$~v?G%OrG*maOdEWFWH65K|#bZSa7dG08zGK-w zi9DK|n>Cn!L?DH&r<-a~f$K;2o4;3TwB}JrO*-v6Ivek{Cdpva!0Q_dnu*^-{GYVl zx#fUwX3MHSE4*`Y{&_|Bc?D`@uXxFIj=$a*3K@%IB*xW0nAhOHvMbnIXYl0qMsKww z&(ig)ZF^4D`K_=K%^r>l&EssmsIU*`l$T}C4u&eUj}H{zJZ&D;eeUydS{11Nw1AOHve0)PM@00;mAfB+x>2mk_r03h%;B4CH*&XV|_ z`enxP>;E1UvFC4ehQJCS00;mAfB+x>2mk_r03ZMe00MvjAOHyb3j}6jm=b^fhmppw z|6iequl@yD&;<|x1ONd*01yBK00BS%5C8-K0YCr{00jP41Qaj~i9h?p#iBfyXyOp; zRdW34Z)F>p0R#X6KmZT`1ONd*01yBK00BS%5C8-Kfq$ETloEXZe?G=pE(U^>67zC6DyLyljTF3T^=oW?J^K<1xu&;zKf1w3}hf4w&( z@=Y@d{L*ZFJioL)Tbf^*&5+`k)@MobOB+BE|D2}zQ}zA-abn_p(@ZgbX|_I&Us|6n z$}i1kVELu>Sr~q414u*)qaqQ>ijH0%5#^8Pz1z^ll_=f=Y=8hD00;mAfB+x>2mk_r z03ZMe00MvjAn@NOz@;dQnkLDj{`yBr5H}H8g_F=qUY7g~j}|3B4v^{8p)|z6l16-5 z+aFzBWdBUpfMso#Bx59#+dbqzC$leza4W3Z9uh&LMbIQj5+^>cA|mnI7)vV0Vy1N- z>HEh1CUx?&@j%$tr`1YEacy3w%4w7$xocJM^}ix29YtJ0C?^o`LDE;H)uiGiTO}ch zH1QsBQ?WeUH=MKRDN#vm0Om4ARU{7GhNkg4{BLYriV}ZfkPyUPZ_ZsMUADsgyJqA_ z$n4}0#~Aj(6XABbmo#mb7Q{tl2qGr2f6*tk{C7PMS3k4sZJ9|+C{^;xLG7aMEf({1 zt?!HFk`+XkOib&a{)|rukF~jOW#&H|L+#mXYm!p&HtdPB{f7;Q)jC9@2rk|C4w(q@ z*dzMln$hRtpxJ&&@_Vl|y5{ZO;Iu|D=?)=i6S3%On;w@ugRe(nIDQ^>jXBSFB>T*Z zc3?p3>O6nU^*m26S^o?`CQeow5+-$6p5YjN==-8WpaJYSFcLU<&PL_9f?S|~OD%Z|C{ z?KBMca~Il0DGuyuzw`KF=8{=U1$n%;{P1W;;t|q(cRe}nHRNM)tzWs_M&goh(kiU; z2TV%1WI4Vb8A5oxr{}bM?(DVpZB`Oy8!j2%Kx?bgAHF_!x}lNEgCm!qyr2YuVL?;$c=n)>=oBCr=4B1cD5joUeM3Ovkn?qdl}zkmbuMQ_p+<1a+m%2t>23+t;QvFWG;pH zheiDN_XLD6=>|R3wkrB;loFD9*|30u)v^2PU?In5KO8#Q^g7|Lz&FkDq7vs_e$mJ3 z$u7O#_}5-vuW97J?J~5wr?J@n^!j((xfB9_lfuk)MhAZ8W%I6woTgf%dh?ImmuqI( ze_p20sHD1lIsNz|ydaWaxG)Jn?SbnzqP!zN(i7v^^T5 zImZj!iW*rTcP|oTa`|+#=)4}SfL^(gcjggymWmxh`zbj2D9LIc*h9-WRKcZ4@ioa7 zW|3@YUVClf70rukSFc1Eb$@7FdTY9KyPc8FPY2X{c1mCh1erW)v&#DC@6B3`S++yA zr4QO9H$_%_s4984^Ru~6N$I03E=7{BNqv?OBv(B$A8~!Nv03ZWoGnkx>SS+?J~)un zt=#F+d((lv?46q+lihb#T6*YmYs1rT7nK@(Ix3oal>2DqnN1oGZpEcI8CP;C5`0Y> z2=lE)tc6!kz|6kJytx|U%c9rrHrIYEb|rk;_fUU4o8JC3RFFykySX>CW^a3`Y9*C7 zKhHego4u+1hT@ZoL7gkJM;YnWT#EP~O#c4voe(6w&HEZt>#9wzyfP29-m3cb&4X+w 
z&2Gw)c|Hv`&hD83f=phkxJoOOE0r?n?C~Dh+VZ^rPW8NZY8j`f9h%l>^D_5wDPsIh z3bO=_+}R+>P^*7d`)2rYijCM#=HAVH?u#UxUGt6QpV`c`5oB`iHt&&}*7cD5+ZXc< z%a!SSCBCn|S-3jhLDBcoTsyO4Tndh_NuidYvPi~Qn%uXesDZE?-{&350jH&9RoFke zxL^lP93}4FCdgz*%d;Fy>D=B2>ER}ih~@{>&UN~zX)Qe!jXhyFKln>9mmqvXQ~ooZjY_?FI`sTc{OA#*KTOoXmfkw{L_(K3Wl#qp_ZTu(Z=iR z+n{`%1#)Nca@&i~D6I7UP^oYesAJZMEIH%Y6(*LVfwFVQ(N-T!NlaTsyi6gngvJoQW8WCE3zKyt$+Pl zkjal-*$Enw!N$fjKC*N}WLYYZjg8-eBnv?9?K^?$4)Q zZ?%iBq_kcqtkhKrc7eEDC~WF_9}oHd;qu?9O`&+xqbN*(Lj8&4mm6B1LZ$SIB8=Vi z@S7>sMq}^(#HKP%!Z&#tnuEcjwXg(vtA<{tT6=ZX%(&NXXsirArL?2kMq%^AQ*EMp Ifg7Iv7nl1PP5=M^ literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt new file mode 100644 index 0000000000..1e4d3f5fef --- /dev/null +++ b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/server-cn-only.crt__server-cn-only.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..0d2d3e5bd060df6e7b5fe4f574a14ba91389dad9 GIT binary patch literal 36864 zcmeI530M=?7RP6@u`_H6B0>a|MS%%PAc_l%0TEOXHx!5gB8D9T)|DlSpdyME6>&ve zK|~P+)K;`m_f{-ci!5%4NMbg2wMAWAN2KoeRp&wXYTU9_x@()d~;7GgNM7T zFiJpQ7#11AkD@an6$pkQTRI(rAVqAI!`7aKiW!ui9qbeCWB;D12$|cwR6^cCH2Hc+ zp#>>b$WsVZFvWJj0tf&CfB+x>2mk_r03ZMe{DlN;X*5kuJ=jwi>MvO07sMC(hl)gQ z(Z0b#KN*J^T)UZEy7RP2+_`ijk3M}G{X;(8n9o2hO(swYg;|6`FyB`Y{GkNxBLyPw zQw65UBnnM)s2=Q1)E7nj1`7P5J}6K>Qjq3;s=+`RCU#_+=8&Fo2t}f3LF5M!%10uS z%uh8q43os^u#Bdj9-I;q#rF*se5n4xAW3y*+S$8u`*INa)7@q`PqmxjNq6CT(q~O` zcAv$?TX2{@&C%7_VJ6+qe)^1=qv?DUTN&7DiLFfBCKB)z2A;&hcRBbjhuFo7a9H?; zjc=^*jWxdE;F~e{hL3N2vCSAl3YBaLMHJUypptfQ6$XmSFi>2Ff#O086jx%PxD*4$ zwHPQa#z6h>t+acR{t?QS5}Q!AB$O=)WlKWYl2EoJlr0HmOG24R)MXNNnM7SCQI|>7 zwIXt@h+Hco*NVuslH?M~R)n%OQIepBxP8vyB-`?){;@$CQ^HG0a6g6RxXqsF-7?QY_h+u3+&*Mi&g%SI_ z57#x1@xdfxu2vRzxA>$UM%r;xPV#}9U;zXG0YCr{00aO5KmZT`1ONd*01yBK0D*rF z0a>a%HW)c14?^A{O-LP5h5UqELoOmkSQ1zO0YCr{00aO5KmZT`1ONd*01yBK00BVY zZz3Q|roaZ>dsoX5Mi-MOD>Zy%2&1EGJWXnhqY_4Y=~{}^NFozPoA@S4hD?z&XcONc z=Ko5CkWwKsLb*ygO?j#^Rp~r(1_}9_1_+u31ONd*01yBK00BS%5C8-K0YCr{_=o_7 z48d|vlz0^wwPj2|$I-~MC}c(UOo1qh9vK!EMR%~nf7DHP3ll{JL<&6IUFjYkuJlL& zwj&Y=!$Rp%cu`R__N=(<0O`mKkPdBtbf^QQLm40)vNI)K14iu`w&(=O@v z2mk_r03ZMe00Mx({{jISvKo8cLS*|jwe|}Z3PPhKQ)?MqZoncCxEQ5heG~PW z_LFfrk}D-%M-Fvl=%PA!6hT38P@f=AZ&Zh2i0VtC3`70GLPEkq%|iJh0`u?yGm$75 zFJ_K!B+vh^gODA_Ddal#3xI0mJ0u6$jI8@#IK-e2fB+x>2mk_r03ZMe00MvjAOHve z0)W6jjX+O0L;5MJN*)PI0uwwxzPVpyl#DcohLH7P{232vI#rrZ!D~pu1=1X{G>0^V z%#p)p{T7m3Grv%?u+ZS8xTs|Q9}XdpkW%CjvKE{Bry%u6ICAx$#utnS5C8-K0YCr{ z00aO5KmZT`1ONd*01)`^5zr#D;G*57F3rgeu_cFewhlkG4Px;_#!8-Iz;kDYF&x>G@wal$$hR}C2Z(as2x%$l0QikQvEUW|7A&9NL@kEP*&E5 zlHDMUcoj~cfyb+``t1FVsr)J6NwmFW5= zz00_iRWWsn@ea4(ao<-=^FWnoa;9r0uW40+VFfDG|DXS$x|&MZUm0OoS~Hl~-v?pM 
z(^O(vp)3YVx;p?Zh++M{-G-?USqvi(Du(4rVvNA)6?dA~QPLyCi26V zpMJe$acuxCLdmOY`<(r-_V;N*>vtE=va{PKom$&krJb>|C2SAL^(z~Gf`GQm=3R#Z zZ`_e1!r}Zj!=LK3HX2{dacekfEoZRAU2e;y9~!js!j45JtZk!Aw|%lF(NWJPurxkg z7A;J8?zQzsrw`|clnv`jI~(##^0h}g(}G@F`scKkY~PqY`F4@GVtb6@sC;;AsossZ*#Z z8HT(2GQ$ov#tepBP#eezZ*B71Z0Q?#d8^FJJuMejz9ugWb{+mt5On(hF;R#+GyCU~}Zm2r? zauNGEH!2~58vD9d%bdA+q>@f`*U*%?NPb|st$p@aPG^D1x-d=P3oAi%8sdsNwKvdjZ=FwhNo2PTF zDRKBq`q#P(bTqe zzUICS>m#(vc@az)3`Cu#8>f#(_2olZ%UV8WkrpkzhNpMJz4Ugxj(r`Ws0Fx0p|{p|OO z*iCE)=9eC0LGXa$G1t9vZJPxHsx#V zwz0XM&e*-Qc+!G76LpV|3O9t3zPS*pmA>Te#E4wW5xpk5$>3bjr_UfgtmL2tTSs&` zbhPe^9<}pUqwDgfXsg97ts2gVdr&QVhcc;=S44Q$PYy6~o4TcJ$`Mv&%FjDShdpe* zv~ZK7iPl2HwGSV9aguk`kKN2S;I+utYF)G)HPK_!@YO?4H$Q`F(H zcWo^Otw^k^pTFmoNO1k9+ZhM0ZB9U9&zjWTD{oaTzLC;u?A2i2lFLo^&|Bf$+0L2N zGGxi7izy)rCDrG1PnjGb`ML!uv3+h`>L(AX_;N@;O6hV9S_)DcoK6u zs_gnio!qCl-%!1~c<#&2tfA5(B8GW}c3(j`)%zos-m3|Edi|)o==5{q?Rf*?0`co- zfKKMmP5)th{!fv40x8$a?~&Vq8DIef00BS%5C8-Kfqw>pRhDwSQ>MN{(okbT%Gf_F zRD^}6)K)7(pH8QUyuMZbw2i;57^_4g0#JBuEDrVATM;a>gy&)Z|KIPbv0yNSMGa+p z58B7^vOjVR`Z>?V-Ynfa&+T_u^s}?vPEBvb)W`N{_nQ>*XwKMs#g>9(Fx& znE#fnHNJvnE0Y{${?@2r7t;rWjh&buJ&F5C)bKYm+XeX84Bq!bf(+@NBAF(NFx8gk<9gMjrmf<3xOnqcd?=25<0kuOw+#}s&Pl)Yc) zXT~wDF!c)^;7!4JSJyYW-G_MglQhW=4{yw`qh>>@GQ-QVz4QXhMOit!h0Z?_HPp>dYz}X$I#cP*nr;)+L|SAVOSYIBFeRkAaqX^++yf@<=_O-V6<#m7 zAEPkFq?|le^N<0gMY4Zk=;v}Zq;31%#~I5qA0Lg)QOb5sDCZ<8)w8#}+MveS`~9!7 z(++-@X1}yv#$>NL-v;vI7;+QEp(j)C9gePbyQ8jVL`o}&N!w|RisdUB6ZnH24qtO= zkD(Q8BIySncXW6kIB(OcLT9%dqF^@fmqQtTiF#8Sl~>vnk5yim^DXJ@!RJl^$8H_J z9eUTvZ@in9mFm8kuRL4?hj3!excKh4qBb{HsPlIY0m)01yBO00aO600Dr&Ka+sJfPkco449!7PNn(N z1L)z@HPmqG{HLIaovD$7DaOIb*vb?$Uy4!o@xa*FnXfmp+k&w)-GbS;!Q6JEDaLvO z#>9GqnU%ST1IEtO#>&XVR2{=SG7Z4beh^ev3Bn{zWWXSwKo5FUScpGUbfrdw2eFr3 z=kvSb=OZCw7)(-94!o6J!QGGQ;}IAZW)tcYNe!n9%$YOau*P&VhApxzEL6ZKQ}H;0 ziXlHc$0l|Te=3dczfcACLk_n1Qx2kv85AZdEeCd;wH-n8rMrhO zch-E)-mE`%X2NXD&P-ruCa^OT*qI6J%mj930y{H-otemPOJuhtvfC2bZHer*nru~* zt!lDWO}45ztFkj|vNLP3YqBZf*_a6I?Iqw?Z3*n{C9pjc+2urbIgwpXVwaHEC8W6$ 
z)>=q7)>=qxG9)$`5<5SMou9<+2Qs@YncbGmZcAoUW#+`;2zb`Y=R%fy3ab>yuIx@H z6G=oetHNB!sxTL_);<@qEX;+ht(^;5n>-h?h|Yy9tg|7T&s@0Bj7@5;bfKB%pPI3{ zWVV9Vf(Na651I>pnc=)&W;kD$8UCs6{EC^S^M0A({EC_3{EC_3{EC?&Ygc1=V1}&y zZ7yW(baSD{LP%c-J^u*VJI!oe+JYS#%Z>+`iu0i1a4JMTnB-cye>E^J{06(?7h(wW z8%2=yts=sFgJDJ><_nkr0ssMk06+jBz&n8hdSC_wx)_P1{I$(u#&Qx8#QZ@bK_H~K zcme_>p0q4MYW`=wK2v8^`wylBg#7oycxD0!7#tSnzbcF#8c7e;a1Yc73iRKx(mgbs zl^kb=N8^^mARD1@goI5{Sh!ax-QLy;6HX5c$Am>N&nNH-I4nztAf(-c0s?{pH3FHZ zGb@9=G?-ag)mE}*RRs-}<7sbp*A*|%l`G2wk*EPWVAcdW336h-9$j?!pzv;`>tq00 ztk`zZ-~+yHK{ac>%!`W)ban6M;|q3FuW{RCfIg=dtN=>6Q5z_gANANEq@1AmWTkdT zvJa78so4~f9zc3lu(-T0_&InBDq32+bh=1YCGqNGNQ_az&_iLrHcXdVj{V-=Pb=`0 zS}ewnZ=jokyOgW=&18DwScKZ)_IFm%qY;{sA12I)B3l*FQ}JtGq#nt)M|;UV6?o?I zZHUab0<-+-&23**o_24Rkp-EWR=gdc`xG&X3_jW&`~E5AZ2ALIjo0h?IODXm=&{E1 z%=Vd`%6%0&8OYyK5aLcNW?D`?bsIl)rYxz@x!PyXDe<$vBKh9AR)IlaTpTza7XTAd zOUAp+(X!MWj#78VgW5)@NJF&(Ywjk*5rxuIF$Nd6UQ<@PtK^;DJV zEERJT{?(~R7Wa@EC{iM$+9qBZRCW7Hl?-%I#;t>K1PLwSx1BX8dq2Xf%p31_oHA@2 zpMVRRxtxaHi_bF{lx_|9_8Z(TGH#ni39aT(?41BTGokZQSs%uCTB$@nb8^V3ze;b( z3be*GB&UoHanCBbyEjwzh{Y5&a#{M_7(|h~Q z-r@(p|K4L^By4kN^YOS_M~j}T$an0m8Ay$HhM00VZzNzGe!pI$1=>B#wGjEsjfZK#a$e0@84ISe`dv%Ljb|@aO8RAO8v%hsR zYT4Io4zCZMFxO&IFe#XPeFXDe-i)^Onvmt1oqg+vL$sq)Ep>5%3Xgl$eJ0Nv*vn*R zWC@3+7Emf~qOqUeNQixZ+}yM3h_Pj8VMD{i-8;UdN$B6_ zxq45Mp|4Z78Yw1i_xOUB|8LDwNV&cSyO5n5*N*w?uT)Vcgd7q~^4gdb6Ck;`>Vo|) z8`}stFBDXYi&h_kSC%;qzCqv9-ISnZ}_x9D5e0v2x zGA6OnJN}u;+Vs@stG6om@ACD@=`UOn-}~vH4eVAJ)y2B18giTO68QlgN8ZhYC2HkwjgfbUjn_hEh8@Rj9G!l7o#OC3PN6*bN;2P5w}(bgb5(hvu+o@xc3&{) zP1-7ttVoS)F$<5*LR{Pi{=-A*Z@M-Om2jo7#ANVxhLctXRHFBw!6GIF?|b}`6V4gv z*3SJVNUzKGXJ%|aPae2xT!OvVa(r*#6^~cABk3sToAw>fBYk#TU9I1RAs3ZmAs1>6 zWNz1NbTxaxpc)%G3f&!%RxIgiFNi!u*Q|Vb2L|c*xHf3A2(LqH`;Z&;{uzvRrO{v) z+O@6i@~3^3hf}ZgJFiOl`ubzGqStuQ9oyHG&Brz@St)jvb^jXt|NYBam<54(f1ddQ zCV&7y03ZMm00;mC00IC3fB--MAOH{m2ml2Bj}Z`nK!sR0O=i#kr$MOc|6>~nYz{yG zAOH{m2mk~C0ssMk06+jB01yBO00aO6YyuDnNND!_{~`!=5r6^^00;mC00IC3fB--M 
zAOH{m2mk~C0ssMkz(0t96_l}D=)d*HjI-zeFF>dl|DY`dtN;W60ssMk06+jB01yBO z00aO600DpiKmZ`{ZxC1tp$Pr`KSr88{~rdShX0MUKofufKmZ^B5C8}O1ONg60e}EN z03ZMm00;mC{!s)ZAta%{`^UxnOqXEP6w51o_TwLA8!!V900;mC00IC3fB--MAOH{m z2mk~C0ssMkz<*3YSc-N3UkOeFp+2H?P|~Q&s3_DUR32&zl8Q7&_9BlWr;#_1u_7rV zK1irYBT`;uNTe8X4v{IMhIlJtA%Z}(!WnQH{06)bp^1=!e}(rTLJ$z-Y&Cs`9G`B&N9lTP&bW5bqklqnLNWEy!fCz(uJ#7U-+ z#5u`isu(9(6DRstndVNWX#cTcD2_4($w{V>ML5Z18iJEdBf&YzWU4SHSraGpSD8v7 zxYPgGFhPzoMSzn`Bf~h!WEwvwnMQ(glF3vECs`B62ZzWA1yjSqwg-iJh%iT0DNrH^ zwHbL4i4^fc+(O90e-VBpj1$@`_(IS~;4o|gX2)N~F9>yq+<+|Q3kTl=t1=t>Hzx*G zir*+s9Q5a5@`qo1DvlA0b6$9WFcN3|)ANJ{#Dg~Kk2UzNrKaQ?tCQMnsM43^eZepD z!q&;vNs=!8%>yg{^lV`$Msa)Ajy^t_>0Acp#QQyn;L@_uttgt*FMY!aw$CpPOE9pK z98GHCcrcm%wHI!+@xAA#b!T0*nhf9%-gGrxnM#AbQarU+FF-+uo5?uupaWs1H_p@V z_4;OibBnVS+puX`g=u*R$z=_Rcp^t zO!2PmbuM&BOUoTUj2JhQsR_LbwQ{axLEWcT)thegeAwP@+VZY7QNPmlSJ25tA`Gkq zXOk2jOeRdEQJ)pwzXuBmd1&V-+ikGEIsY=B+m>9!a^v0{wWZulW~hNDV*|BcVghA%cZ?teT#t==V+2f;=v>(GIhO@Wq)i_(rN^yVHZ>~BkTlD!aBF4 zH6s0h;dfzfCPTXv`BM1dUMJJC3W8^I{rZBK#98HpW8G^FT ziMpL?JzQEo948i?PQPYe6uSp~{XTwV$tJvzLH;XlCOtdv8f-0~eR>%6+-Y0>SLY8i zh1>DZeP2Pt;{}p>h?WejC`Xe#4MA^X3pB)Be5=Thgr*`7KkEGYjnAw^3e(xpYxUdn zD?M@COz!STkf(mhLF+#9QnkbP*gQ&zQY{s!2{7n`&p5j%$TF~~pG^LEOu$2TFRnQy zuW}&9<8|?blv;b%(c$5!=PkJ&Q-zy%lFigLmAIK4iaQ~KZ588Nt1Krl9wR}e>6|lL_4=qr+Xm`623CZlNuGwF{CnPIi(H}{ z3$m}SeK=X!92jf(;QY2t#|b9e`qN(F&v7$pmtzin_TtfKisstux9WwxD+}UxSL;#T z7SmxP`?WrNVqg&*P4YAZRiR<4-eVn`)>-W|BNuPUguEzN^CThZa^iZuk8A3KRk@jT zZbBNTTf9u$vJ*5-D_avGvkPPPK3t~XYNf%bl&{ny1{TiIBu_)ot1D;7?RRVj9M29E zEhha(+>PB5^7 zKbidT=$(fl=%{P0Eb_^>=6Gexe*3ZYQ9hSGr~0I*Cf`Zac5Q|&zru}VL`(s)b8xHg z*0IN5@olw>P3lwalQn~h2YWn4&1rfJ23CNxNnVB^k5TdjLoMli=WV_Eh2n0;ioPkQB`PEs+)OUvm%3fE_CmQNt@YZe zgt9kIvH>fig<|$()?N>LIerYx!18l6$CA&(C`Xe#4MCE( z4V0Rm)KsTEPMCSTn)tw{QRCPu1N0Kl=)^O1CdFKjC!;*y=pKm5`am=S?Y%A^v22Eb zyS>icIjb>6L3Rkf!k&SJa5Tx&5TyQDP{u?;$IGrwp|;&YPua(h&sx>k;>n%Ci%nPu zcdjP$_U3K+>cuA?E16aueH35(N&lI=&-E(j+~msJZDde71Ix$JBu_(7o5Y&t9uTp+ 
zCb{jaYUK%!uy(T(-!r8_U*JVc_vx*KbL;L^kFPm4SziF3Jp`Kb)%OWw6FVE zH7RyKXvG;Jh9a0>h7`AW{yf{YgVcO~M6636>E<~Uv@1?Md>D*lFmM42C$%Ctx1UaG ztL|4Up1v+~bwt5UpO!4YgQgr$B`fqGX!-U+D)`95|C|DJWEWf(TqLpArM2qj=FJhhlqhQ-WsIAD$NHGzAL=!?DzFW9k zSWD=D;HaRbK(PQHQwAo006+jB01yBO@J@h%Rr%?g`p4T}JRFDbQz@$~+~V0}yy->4 z(zPzz*3rtczvhLH2X9r+KGd20=x@FPf4Hvet9$pYN(?Hc1znB%p1FJ9?uHPUOwz%Y zT{#6aXJ*_#FtEy;P4aSG_gG3@hUytFc{6i^&)>4ugQKNgtLz4;b=4nK1qKwY&AFLe zuXwTbCVj)2(u02EF4EfFZ>-Laf&I>3Tr(6j_%yCmmm#OfZ!mX-{BLgs@&MA2SSrci z_Bun`)a^slph-)24&^;*motA>YN+F)Tx%LPkI%(-_ZFykdtc3q`A}H1887#7>bu_M zl#fy^*V;OSt96f6Cz_ErFpzES+?Y?WN z&G@I}i}y)U8B*1&r4=)Sj_lQVtscwGLu$GMRpIU-7(a$xX0ic zCA-88Kf2O>q96sdu^hq8W4%8%z-8nk+EJhav9M}J$K$h!3E!YT$<=BGjYhdYScJeU;ESYno^n|^EfvT?y+e^uP> zr7c&f?<5323@$OAY8<<6{Y(akc%=Tmh`5e)7 zY=yeBn7Si+{d!4mCQ)fBG6xT&Y$-pt@fs~YMR-gpC!&>qB4l_sDSyCQ_iJH?{N|-yZVk5hhnoo8Opao$TkwxItWg}>d*RZP zz)hbl*3R^YU%pf+aDC7%-eQP>UCPlUPgi{E7dhggi3Xjg2P}3?*^d~7fsQ6Xy2_Q6 wHJ3Y1)m+ZvW->A4{1w!;deNN+_kDh`1%5YKlm1Nx`XF~(?27fLMAfJN2Nb@>s{jB1 literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt new file mode 100644 index 0000000000..142748c1c9 --- /dev/null +++ b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/server-cn-only.crt__server-password.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + 
diff --git a/src/test/ssl/ssl/nss/server-cn-only.pfx b/src/test/ssl/ssl/nss/server-cn-only.pfx new file mode 100644 index 0000000000000000000000000000000000000000..052a8847cb8f8feef763a7220540f540d8016f69 GIT binary patch literal 3197 zcmY+FcQhM{-^NKJgxnI1d0Ww{y<%@_#NPDQ9yP9-MQm*~wQAL>nHoXSqLkRG_6~y9 zti8qF^VfUM?|tw4{_#EEb3V^G&!5i+frbPCNN*v~5CssJCtN-J%}kGQ=+c8UIY;U3 zo?g4|1=U&BVNEi*;+BLs#9VfIe0`br(O#Q$@R+B(Eza2CUc__~T#Ug z`)@+-gAqp6YprGEC1xUB)I^m^WUq;4WbMH4fTTk!H0o6OP4QM~eGsfmjuVak z8MHEXkuHuWM?DF76H5Kp{7f1--*@YB%9|+}m2odQZau42mzUhszKt1%r>_3q?e88@ zi==qw=oU{LRKb#*2MU!{x_1Qp%mxGb1X5!6CAyqAaIf-G>&=HM@uDc9m$+wC<)xPV zp}3+k>BSGgcrlUOphe|QX7Lq7$dRLsjnGYXb#0+a25!-jM@QFH;HAL}GxiHp4x9D< z@-L$^;HK#z*$_@6d<`Sjq}ho2S__to1g2`5BVd=*m0kG}`NUFf7Z59{EKp>;COyVZWzF3uSa#V_g^Y zcoo?&bJ!|xlI`Folzw1<@HfqAY}z=q+v)+I{>zXFI}9C%Wv;}cyH}@bmS>Y)s&T{& zPoxO?)1<3`juhYC=Rb=rIzR3+$;lcpaQG0C!`^+RqPUpsW^z#iZ+tt3+G|i7!P*o} z#p7zT%j`Z0NX8+roSCc^E`~mD-C6(c%bQw#s9LE7`+7l|c54seej4u**lr$eU8ri_XWw4 z#;z7@O|=*xJuS_WI>L7%K+Tx0b$fcoWdTOP)U3WTS_Yp8CG72n_&c(Pr zsYh1FJ<_)PAh4x&4h5Cx`&_$l#c>*DTgjFpLDu$~wvQDe(SO@7a?Ms%XDh%ZwlmnP z;u0HnxSdPL+|TX*r5(isOAr+(aBWBqO^ z)mITFP<#wO23NX{91h0pm!Xs-nid+DO&l})I5`uJ7A0FBw*$x;)e4WKw#{5C3}yn& z#?J{F*iTK>u7_j4ELD`O#tpm9g{5-UXU2pRc=OUxa}7VjO}C!KOr79Jaszml$R@vL z!j%k@m-gU=86WT>{!yR#t2hXSgDN7^->rWcDzpOR$?h>MqNA*;?M5@u=IW~+GB@;3tRMtEoy6fH# zlY4{8&t6?Ri8l)zlh`q`#PeB@EejZXMjA4Fl(nQNr4U805&-7&`>Qb)`RO0rn z1<6%<bXbO(ml_Hir1e2sacK(Y0zRFD5u4|gg@6*_b|Di77 zbYqut$Xry}1s(-aPaOvqoldI3<44!^ck zJ(eyuZ#-Ab&iyHv1m~FIDkExG|Kc(iwrXwvV+yI<7O!k@Gi5Ju^QyEwUb1V;9_>lPc}%_bhF4_TUw&ECH|XnanMnM!L_S7BcLLxE*vnuv(`TMEUUy4=H9dtu1(SN;m7Kag($h) zxH9FmzTU=3(l*Xj`4hm(852aH9FJJuikfgj2GM86$yFzMrKxRmz}4##oC;qDwK6tV zP@0)EVmc?^h`9PS+=+d??#`LC3yHQAi{XDy|b5BrFsIEf)zZRds7*21>mMN{fXF&o{G)8 z2Gg)V-deRF-pdF!bggK)Tnu~5GPUxDo)HbeJ0iCMoH={aa+MN)T_0eTP_`lP4Ie~n zu(28wW+-`buGr&f_DSCdEOlb7|Ht!Fs(E{G>+jIUGj0PMAYAt z=-$wC+>zUT8n|v#(&uQ1&=1Bu#DqgdQNzic%v-F?49xT3mC 
z%Cz=Qbu$abF9x?Ns7}t)9B7~?w>sxJWCjQ9Ftb+^yKZ-r7gI&-njp_I}7j1VuzG`Gt}@!MWU^^*(czU2qmGn zLDL$u3wv`GRZ0e~`^&OJu%4qekuIq+M;vqb^|_Qr4S(RlWvGlin*(a>=tW1;J56L( zG~kpb%PeN04oVME*Bm5aK)aMjx+-QpY0>-H+g#La3%9H9pb{}V8wOQZdlbW4*b80` zs|F&*?t}vcWxG<2I`TDT4)a~(MOYgZ0~qiK4^H7%G$3l9hgnYY*BkK6yJi~NDQpLwUD?-fAcjqoG8aXT5w_k^A&d&phAWqbyBw+$ zE)KcJ!RUMSY)+MK);u_Q1DjADq)qN%V9-*)q!2X8BDAS-j*;K?oPs~68dag&Skyhv8ca~ zn6IUMesg)-gSk zy!oZbwip6GE8b*MT7~4fuO;o~iwYC=kVKZki=1iT0U_D=lCj4zT>rkb|M25iX9Xpc zL+xz9Laz7rD&v5}&9&(ve{8C`-}@mVjTG<6z|?^T7sRfw(+2kQ6zR<@A69z1{@`GS z6{3&~q9}7)#y(uo`4}#i!R2txM`aj8%Em0{bQp_y)3OlHa6QmJogwDdLHV>-2@_Yq(a8Sm{|0A?~0AS{>?)#S() fK+pmN5vs3;v``g)vo!PlP4>zZv zXg+gZL{u0rn#qRbAQ*O?JQixCGl@zlOeGXTdA|J6Pbp}hDG+h} z71%n~6q@2UYVd3#zaYjpnC}<;NrC#Af;hIn1`B2BSdeLoBYKV_NFa#eM|~2Zd?q4_ z?61LP=_I+p5{hbSa7tJ-&o`9+Df=gbB-Zh?uynHN%OS|0>FVy_Y~k+BbhPniPMzZ5 zHq{0%!OCTdt&@Y5C)2{x#oben$wRS~g{?-|%EoOX01si|L0o*7i|=xYT|5bwgKv!S zjS0Rn#W!4hGY;SI@Qp9F8AnK=qAj6_;u3MGi8nR84w#9zH?fH~ zIyt^wTrC}Uw|J)>M&9ElL-c{0U;zXG0YCr{00aO5KmZT`1ONd*01yBK0D=D= z0(7b*b}$U21VTEI4&)Kih+IQzkrPNI76cYR01yBK00BS%5C8-K0YCr{00aO5KmZW< zn+VX!6j)Ox*@rFovd*$pnJT0l3HzH45EKgt00MvjAOHve0)PM@00;mAfB+!y8376z zf*E#{csUp~XH7yU(8yCMWNBkhz95wQZ%qTv# zBM<~dgfpY@q=Fc1t~h;=bR-5zhc-w$)Irjr43ZAnff7FyMlD(9=p@nkG9}K}A3Rn3 zs0I8erXN2lT0pYLlo*4dMD+h2mk{AA_5X*d3ZN8gMp8j&uVw3^ZP0(j_ zfQ-wLMw49`D3hg%s^DV{Qqsfv33q5aSTb5JcS_;gc^!s^}}L9qk|$t`TD%jX#H?r7+-+vi~9eO z5ON=>LG~i6kRl`nX+|QE^Z#scpmu-&AOHve0)PM@00;mAfB+x>2mk_rz(1LQ5}5-Z zykyfFexY@d+|eC0$vKTKshtN7i>4>wv7QmE`{x#4m=bjQ$>{F68`8-ZdVbgZwSEFBF?|4!J-V?g;`vV=KE|^Yhen=d=I(7?28m_^D3Uph zFO@5U!Jtv9aI$;LK2z;h3Nt7Dv202qg$%^}f}HsSsHR zBM>TtB}qbzz~S$%KVMDBm@k}QU?M!ymO@v!eb@f*%S8*C0%-GPW;Jg0%7vBBqz9RH zo;Ye;_}==^syB_wnaf^8WRsj0n(-3&v@EmE4^lo83JQWo@!n}(d!&@AeWJ*RI#!tUhB?V#-h909*fXCD5hzlT>BjAa&jYnaSgmh z{?4T};IGGh$>qXA5@iYQXyoy_$IB5PxcLW{KksISVhb)V%h7{0v3I&$^04xNA#7sX zAb^8m7?X4FyFxXA!ubt*H{5(8d&{s@ZNtKcJLk079@k7;UUML_$uVxNMk3{KvMrhL zwqu~R2DrEFOCf&fU+--hHBA^1>;n31037qTGME>7CGxj0-0zATIIpid*FpG(A9eu$ 
zvwOWadBKSAfQdh>->>^5RL6(ky8j&G%z?D@e_Za3*<+Y?b!Sdv zctTSC0WFHppK!00b=jL**@xWj^0eAJ?d$>NX>lQ?$sJRl@vrP3l2sCTV%K4* zwx6cjY;``{tQ~DV&Gg74NsY&|u1FMUci&oWm3!;kvsWsWd?Z62RcU^k5is{#PTKeO z%h+^E<_(i$*ITNKejVbX!po@5Ta@;)-M!=8=9!8+*R7eqG3}eCEY9QP(Y$BBCLXdG z^P*vOfe-T+^{O3Bqr5r-A2b+@Tlcf&rEF9FiS*N{Ds!6}s^$&5l<@BH7Gp!3xBIGQ zl9OW^+|)<<+)vHywmSB*B#5`qRp$v>2cKovwFt>NA&R>#J8aUud|b`O7<{4{h;z`77r=upb|l z90@PQ|ENrX)~R6r^fL~wf4w`!UI&Je#@*@Ho*H5<)*8E|)f2l|N`DtS2oS&OWWPGK z`KvDUhW+~8uYB%B?n|+rr7!5>UejHmfUs_!2|lrJTeZiTi*^17H(kh;jo6XfSTW&F zZLqR%WYY=O;ewMoc{w*8>n)bClhju^`pk4w)T#BInOkl|c?Nn-6P%=8Em&+VCHdlF zd{OzwM-}XeGI58hqM#}`^G7*b4fA;RcTZI0$a6ds_Q!9zaQ8`WT}H4U2eup}QG7Fs{9EtrfCd;7b8L>fRfIik5@cH5f_=bo!`u%8S zU4w-|q5ginDF6Oh`?V3`#@E2BU4a8tf1vN(z!_G{evOMGCXW``5x;)_k~Kcm&A>ES@Cpc%sQoGPm~>PHLjdmUnPIw{rXdt zt~tr2mp0ce-D(x$ybW$>XVj`peqDZ(I%J_#wYiqf3x}~gR!^I|`(s!4J-cDjm5$9n z78qU}JKZ<&2R-N71t;m*HW$Ir92TLl*CCxbXNWRb5w3ng-E^Z{KQgIAFW;%rnJX>%%DQT074(-vi)xc|DPi95Rz?{%w}xE z46pzKfB+x>2mk_rz<&pU6-JES?p5DI8Y<6$WU+tPuo5fiMu;`(O!(>DIL zVk{Gh7_7o`V`EldycNMlq3}5D|Nr+Jb8O%k!bTYBy(jJSv9&*P4hGmK#@;O5+b16I z5GwZI;fDmN;&Y<4RB_9H)iu5P`qcWAWXhHG{$ zj7{w~nyFW`Y#&y)Yx#$*Sgl@iD4`)N;$sNH{Ykn0YNq6{A}z*_7iBYsAN(j0x@-5V zvWZSkuMTwY^|7>8BwO9PIP(#;5E>#e>U7~Owct8I-erZ^9b4q1eP-5e`F26&q`W0d zp1GQFZ^PZ|DOsZ+yVlY^OWg`dTiWCz!>bo$Mvv;eK9Sn(v^}jhDkh+M3x8%t zV_R&sld9>Qx9Yq?m3^&B8w|7kvQBRpzjsx?}w>rad@s+J}_ zk9^ly-Y}cvViwXt3e=7x8%__H9CoLDRaUCaZk_iT)#F!GT&TVsD>Y81j_jS?Ti<>2Mauj%G zkRMmmCP^56Fzr@;Oq1(%1$iw}dRc7xc5PHBS>K+(8*Y_f>-avFR<@p`9$ai|^)`6M z`V|!pt``NN#y&sq&GbuBo7^tD%3IY3~4r#otTSW4u7oQ&eJostuGw;crs(R;K{mNvHmyye*t1K;X zhcxh3k9mo~XxLwRfDQ|X(fWGRzR!jK54s68*}&WiGgEZau+ eh2?2K8np(E2++#k6Wq>9JH3Cot(UQ))qeokoP;$1 literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..e740fd73e936386e125ee24cca039e79dcc932be GIT binary patch literal 45056 zcmeI5c|4R||Ho&{7~3pDwy}(%vewL)VF)D@We-up43q4#tEiD|l|+=R71~rP%biN3 zw4jYrDJ}M05-RkY8Qkvf?q_CRuix{>?|FXLFxPyq^Eu~xea`#LoVk`4*G3z2uMiq$ zTR@N>B?O}h5(a_6pw$=*2n2#No~0&8F}2?+)87FGp!ABvZUe{isMkXINbgvK{#&dk!-#1X?1nHCl*V3a9%96@C@ zFDu6;Rt{eZmFBxp1@=o0miSu^O_jA!m;_n@>^f^Zl});bxbtj5uZvJZ^S7%q(~uGYuZc%!9`<6X9{pOn4kK6&}aTg~u_I;c@QF z<($1)f2_=e*_f4?z{*TuWhSsP6IhuEtjq*fW&$g-CabL`tF0!httP9jCabL$OVwhj zS}awIrE1Nptjt=h%-XD)EJ}D5CIYL!1RS$1fz@9E%d;k{T$5F<$towZN{Fly;#>)H zD?}V~D?}Cm7mDUPh^b)iPe_GYD;3ZC9$Y7a^i3VJagl7A=5pXS&Cy-cBhdv ziJBy4g}IPfVJ>8DeJ*5LmRy`0{hLDh2s1z3P#Ob%Gi)H$H104Z52$nRTos z$Zq>4hu~V?rgM?TLV{l!>BSW@U4LlmBleWu3Ig2%XWbTFtGJr3xqDDX7~*2L|04ZZ z!~4P0&oeXI^PyB5sikK7tgO1SBef~y3B~g%aknOGvigE4qBO9-V{{b_;8|q^O$IKmd#I}d&=*5qo-SJi|y_g zUA9v{qH-AzHojdDx;77Q?cS&Av}jo?7zD<}fcN42U;?Ufrg0MpFfRh^ZmuPX=ERa-yNzHJ809~yJ#p+$5-AP*SK1IFM4Vf?dMcm!~0n1EZH zDVPRohNR~jTk_A2E_?crO?9iyQ!VBwVbvZdw4OD(UT3Ix1xf0VbS^F({(mPwUkIW3XM; zBM(8(dl%W4z47Zhi}%e6s?dM#n+c)mM+`( z`M8c=(5XiU!*+L$2|n3eeW;4hEV&%DJJ#P?B17`W#N*Z5r`#{pAbQ2kt}upyhtn{; zS@eG6(*knmP73*Rl4ISah-O3apv4v=G8;;-iuj;PI1a-R+A8qZ{HuXgPd8igtcB83 z9y>xSyVc!SOv|YEiNr|mP&BdfdR9N0eRuDrJ-t=q%5M>_Xs;o!(3g<-k)s~X&|;z2 zX$|XK;P&<#`a_@TD4tTU6CQe%B`fHy>^0CyA6&HRo6*J{hn2!BPhIU2MGGA z<-V)q1#Q^TUe%++n_9J&`PGN1P5bK=CP|;nY1-c*I(jN4dudqf7doL<-2Kf2kQLVEZ}0$CCclMxo-}BEG+jNJ61BI-UW*i>NI{> zUHN+3p)~$8Xivu#yGh#{yw$TdwY^JmradF+N93s1$e-MDOt`}{4Si_YE4{uDPbI6H z_1VqClDYc^wRF@!sE#`o%U-N`jDMM%RYlvi7d`o234hWd{WCWd`W$hlDx~$_%i;WM ztj4~rbI(!tOM8C!)zp#?CPP=jyE#&5-xKpG>vNS;#(D3v*~1J90%fV8(FI*Chl~Qx z|9myBtsB>voVPIxW9A!(Y=2YT&^Q?AuxjhBAE{nb>h0+z-zksFOPl@Hoi5`QMwk~a zSK5$R8kF1d!2EV!W&FA7(BAr&#jPnd7CcuUU#yY!eLyqxRGyL}hLs&nNZ9*xQ|^ts 
z9`RvuF(Gwd+A=P@vuW^qZ@yLH>c<%y>5=q3)f;0^aYMnqL}4nWoKm$aRi*2y^U~E( zIguGB-+Xa1TM~^PnY{j%BL%6a?$w%^Xkwel=Bszy85A0yooui1E-_XDFRf8i`cf4; zE-n{At4$cl@pITHLAIA(IUS|nX6)Ve%*bz|eU-3T!`a==F_T^;AG%+g$f&A^^YHMR zZkE10uzkd1S%Ka3kEl-tJ-dfe__l|;x_v4SU!Bv}kov8wb-c|iY>3*>CNyv~Tu9YC zA%2bJmwJ3*6zOMbVY-yFtohDXWS;j^5;qhcx`;o!On|Slc!hqw&pOkOZ->k39ZD-= zW-P^ml}$eSbEMF7N}H;m6{U}mjTy+f$)NC|eZpQjPOxBAo^YGt?c!5)JH4RArPSN4 zq8iCn<5B5Lq&ob)9bR{rN!a!qsoq@a-<*8HIbq24V(rO`ibksZ_D#;$l7rzW`mp)g zW}T)zJNetnS{xMhdmg#BWk>zAb?Ef{!7; zHes+J-Y-O?xJDEyCvy(|wX?8M|D8)`DQ6$;PS~!Wn z%M==!s`+Qf#M#Q^#q4A%NsOILqKdMUsYDTWGKsQ?oveiu{=2N>PNL!e>==rzOh&Sk zsU!qDnM8%Nlc_`@b~1?~$WGS63H)6q>v*^?ycPM`%49xvGL-~lCzGhW>|`nt%1$Ox zAnar<9FGu0Rv?fP92_1HAe1BW8WM@{g5QP93+)tqA&3(=z~9Ah$d?V9 zfZ6h1bw+K`)6 zDU^uLrhV!9>V+9A3~i2}M%S!f+Gat=O0YGlh2z3x-q{wBP4@(4-j*8|^DQ}y3~%ZR zv2ZLLT)xzz=b+IyS579K(a65%cvYR{h!bZfgO*dQ@2eGMo~~bA*X@QbDtG{+W5s_n z`Rh!>g-I3ZwM$-!Q^ZUIcdK?5RyoS_k0-^Xc^=@a%Q)#gG~~z0`junFxhpBY_VUl3TF8v_<@Xsr%m>WsMvMy zN#pe&H?AysA-RK-$)yiOlHF}-k`DdD>%_ZT-C8Sl4Mp@Sew9Vp;`VI9V^1tB$dd8 zNe`zIqWeST-fv1T*Voopy9xT<-K6~{#8_*};DXr3+j74|JT^yejVAh5%)huzC#e2*#{egj7OgSV1KXF;{h?&Y zS{L+7iPn%Kw;sK2mGwCqCZB@Lq+?OPnf!I1fQ#XlYfpC~DIGl5`nIX4BcmI(^BMK) z)7lkjk9I2>$ei6k;bd~ZL!L|h^?P+kBcA8pTVL6ry}a4sLm$!kj$_V?wNhGd=~yIt zliW-}&u(`@dnTfYiZy4wMYo09>5ZXZ?TVpH4P6OOJoeJfl#|Kcc8dhPp+`y~hmC#4 z)zR(5@14hmobaYdn7G-p8y_KbEP|~`uBMNy_j*Q{IfB26Xyy^82qI9rokO+j_& zu=5}KAH;+eTFP}r_YLhiz5jj=grwX0V7u|vuLiuFO!lr&J7lt}^7~BZm~H&@={k|? 
z9yHOe;U_dlumsg<&BIK#sHAYLWJl}cHN9nYXpqoml zhnyWJlRECJDvT-v%YCSOB?Gfc-R~b*ueI*>h9N@DBQJWonh6~%$krrRQxG_3cbOv0 z1y^_ZV_*Bd#Rgg#x|L`9$O?mv=O$S>FD)Vg@)TF&Dh zbh7KJfm?cmujyC;wkElng3dnlR@-Q>@6{ctuSL)FTaF`&-)H!bE7~VqEght!hC(=* zy!$HPZItRKck@Fo+ec$Mq#N%d;GUE4)Rf!dgxpY1Svr>gHl@I?b~Oa0~&lL zRv#iIoY@Bzu(&J?U-x}Pd1KX?id#mxTR53~qn{etBjKSdy4VNnoTk{d4g1+3o-&bp zvCHt=9|Af8bSxixliW-}dNo&MV}-Ybd3ax#vr^Aawcv)xcOxF`r*O~=C6n&fHc{$nqv#qi@uGo}5TN$uM0x;_s-m_vzQjnXWQ z(6JD(@$Det(Uj1Fzb-MU4x$N$<-88Odq)h(_7xc13Rd>KEm!t=I9M_ z^a)MfJu$l5yMMNG+@Bm?-`+kt*yaZ+l-{MLxm;Rr6QfM$ zd?cPUD@}C#!&l%hXMW<#({)fJi9>;#jceizoZ_!b=DH+`?Kz%sefzXfiVtI-N144z zZqDm!mOoOt``ljKY(-gr+EY(u$U3)M^mOlrqCV`o=tb&_IGMz^_CP+4@DUVSLRcZU2QF9mV|@~w85rM1hl!~J|BN*$s%%4|?= z;f9i)PLkOgc@@nkIiC38l}p65l~yXdTsCTi*spI-f7!XnW!gj2`?I)u!S(P6x`Gm0 zkKAyyUzxYJu{U5$z^(j6RhqtDd*qdpd(}}}LvrbuugYmboH!1BDYsqTV>3vq+@ikx zFtW$LIRA|H;BUf+AawT3m1xQFtlf8LoB*FEiS9;0ZHg#)ejvTonQCD(c(ABY3 zg}k}kij&7oqQ}grF0DA^q11sZ$A4_i$aV-YAZ~r)f0yW-D=c!5u7F|dQIm_YE6EYp0y)FC7Ir3-awd(0XUiOY~bKVOo0(V=~Y zCi!b-wIJ&tJH?ZhCxRx_Mm;_g!lDG|3UX{cYIDKy;4V+1anI^= znmj4WeIw}xUo=SNX*;B7e5Yzw#$Gu;#);#}B*#;MBy~@m|9Stz3^jKn_-DTXMAni3U3zId|_t3RovNbzdT~dN@(WAdhHI6tS?|D9^Lf?C>E+XW z`D=Cz3Hv|Hreo1;O>%X{=lKbcT1&XkGuOua;>8Awss~6B$zmaic~VGs)ZkY%$4g3* z2z@u3xGJyA8;@JmM6|8Ck9$HckNH)AbJEKvDlZArvC?c!a&^W>-m+ub>swv;_`&Rm zih@v4e#Ldi>rHx>U6>J+!rioy;56I?3G%y5TW+k@CLfR)KS}5~ic%XH1=rxlQM)S~ zXm>Zzu~KYJa&^WhNYyab@w`RWNRo>Exu-hgNyPA=Dw*~Kx^70J`sK?@IGLQex#RrH h6O$gdW{OTuUD2)D3a+&9ZVIX2@>1CD3_tDM{{Wb;!ao22 literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt new file mode 100644 index 0000000000..1d08f78285 --- /dev/null +++ b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.pfx b/src/test/ssl/ssl/nss/server-multiple-alt-names.pfx new file mode 100644 index 0000000000000000000000000000000000000000..8ed37c04dafbbb1e34561794ae0f876e0688c115 GIT binary patch literal 3325 zcmV|!+`gOdox$-FiJ>&_3SIb|ex@_neI6u(9Uky~D(`5|`+ z1MA?X@~~jo6*sn)Hr!7b$Y__-jUSiGE}tb8I{sHhH<5x7a&+N7%<+e;}=+E zgMD}LV9ndu4SyDqjepbs)wBB&%8tw|F|LcVKO(hv7{$grjoyXL#io}-oB(y9DPv@y zh#iKn-B=;qx87qVJVUa6TnGW=P3M+9P;bg>hLO!b!yn|3DWAi%GwgxW!3%SaQ}`!a zwI)gTy8@^GNi@EQNV)EGp{H?t_Lv16e5?LsPYqjxyTpc4B-x`XP7+BoOz_Mym~aYV z+eFV`l^Q98iU9%N$`Tk^opw|Hr+)6CV>!#c^@hLCX_a+bF)N}QlT{{%zz52A0Y3nT z*aEQzH~@(L+?qtha5M=AV+v?gB~;=on#$tLE*5`!$`tE&z zWM(2df->h`@QS~2f?VKhEIusg%ZEPtQk6VhhOrpVnnBSQ&Q6{R2mx8E0=QMj5o-57^HP#ii#P5vyRK!x zDRmH%BtkcwnfyxG1)j##*te}!#qq9`+t$Kx>-#XJu=&4J)4PdVR^(&$?ye@-Yq@iW z#c=foM#6Q`wZ~I@n+-QhJiqsPa#Pr%@y~L2%&KPd^8n;>ldXdEl9^2}w^GzW}U`*7JhpLF-#y+D^jJXfb>o)?}Y zp@!*>0pDkqp1f=bPD~&#j_I_gOgTT|gnc1_4cNE!9RB=7qN^39^D6G+PGQGSxt=8Z zsMaQ&IC_rPIXpZu1(~hVBV+F3Gir+adQVVq2(<~Yztx^F4pirv*G z86EN`GP1?^lrnaz%V#zQR%`aMxB`%{PeLTjuc-$Mdu~H~@11yv5$%SLhscua`(mV@ zAou%OT`Ckq&Hd-u=)c`wF#}8N4&BtvpML;%tuhqOF4;U(R6LOo;A@+VbMVY=Lj=jN z9{8(ri>;a>n>WhUoD6GF&dBs;rOv`MGkM={p}{>2RUqeiD>M`Nv*y>@Y&v>&X@kMj z64-i4e3!R?j*!x-fZM%O#qyW|+fYFZ>53x9tZ-+hyL&+7k+tjyb`g`|3rF~0Gh?M*HVY|s?@dJ;OAZ_zD$;v%Z z18Xm;hGdz6IryuOAy*>l-sIli8xRbd{!Eyj71=odHQ>37=gDxNIrVqj$igzBjSe#4 zqTQyL-c@R*Zwwi`<#nQIa9Yyj_*dFrP#&-yeq8OJq&vZC-WI5&PHU+pP^tWW2SYC| zNoY9{y0b)`{d?3&%U+E$*zil5bvo7R6H6zdYyOF~gbf8>1{C zSdoreP@AeKY>6U94?1aI;mC_=9<|f_FxK}rms;L&gDuL4a0){YS5R)6JMH<|mL;YWYET@)L%NiG+(a{Uhz z_GSIJBa_(^6d|7pxoeFq1c^T|`eAu=9{2eu)`?_{(VsSVlFfe3uoR)fR|E z8#Wgw(nv+HFoFd^1_>&LNQUk=@s=4{7hH6(aywpvds)Ak-R%DwfYc?os$_TPHM?b4!Fk#{xYX<|=@98xFv zSV4{^(6f$G$Dtr|+oDJb&x$7ghBQ-yC}RVsNct)rvfT2E;nT#IiJH2itvQM`FzTjiFP4~^N(=dh>&rijr2C0=AM0QC&ZkDlHT5_}2=xw<*Mmeqt}*-ulHwFHM<1b=JUyYkuO|(xxdlaGLpOYa6H~<$peQ z54A|2xa*}8bd&q+kDed@&-AlMDzYmq*FRW>`R~t#NsFp02m;gFdy)WpcO_*Bf3)tx 
z+`}4Bod&_l46?O+YNkfglGDFzD5rRNk~=zEH?Rd*AE_g-b}p-nD8s1f)w|)(wkw8h zI_p;4Fu9Y7O1imV#lLlF0jM(p*uRuKw?m z&bXMfa#8Yu9lEs|tiOWTQa=kW?`U2ro*Tq>Kta?^QT9Aj-GswmJG@mlis;v@m{ zJA2vtuCOGnI6j;HIj0`8KpD*5+mcFT$IFl3(QsSGWe`o(y_}hO1PKcHf=X~;H{#Xb zX2gS$>;wQNp;Xzndl}je&*3Pg^7(Ti#2n+lGJhL59BvZ3Ufk`eYmXwrZ4Yt>9iL4! zBc$Rmsz=$Z_t5$FWsLXHE#bPtpd<{G!+zua-3>_i`;(QhReA0~F(ZH4>ETeoXId&w zBRAP?N%;wmP0>zzseoj&Fr3HrjIPHwQvnbWoc4rq+H24`A;{EpxwSxl?vE? zCm=f31nIwkQZ4e#FU$KuJp04f9j7U+KbtkvZZIf(4VZxyzJrH8RzX!CxI?PUAn!15&4IfJ9rj~(^ac41L&4gs4q@Z_zS^DUOWy@2^3mDL1kp*yS~SI^x_kqE5|@ZE zVuubUoGyyX3<}fCQ?#7yL2EH3Fe3&DDuzgg_YDCF6)_eB6uID$bzi8VP~V`{n|+@x zBE9I$+b}UOAutIB1uG5%0vZJX1QdF+LOhkHzX@w00qoUPrM}Z&7U~2Dqb`jBJ)YBT H0s;sC!G=jY literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..bb19429e5560cb66b93edd9fbe4f4e5d93e1153d GIT binary patch literal 36864 zcmeI530zI-|Hsd{Tiv$PHd>gvTC_-=yS2zxX;ZW#B)7WKPPY<9az|QFLP7|MC^V9Y z#-s@`GDQ)hu_h^diSj?^+?&dn@tc3mYyR{5KZkSf_dLtzd7k%q&i8en=RD`;;pQ9^ z#b?Zqhz#RJG1!ni1jEoI1_Od18EmIxd+$cY3`*|__6hg1|Hzbqj4hwbBApOTsu_}g zg;YuxN(W0DVkck&1ONd*01yBK00BS%5C8=JMgo&)G!+$1*gGgZfFJ80!V3xr7YJOV z{X&EMC2ZVntvqcRj?*UF&SVgA43}w)Pw@8<%Nz&W<*o3@d9FcTXb*55;ySwzIIEjoU;39>T3qlGN9SKDg*I=Tea&Q$UipwxjT!)F`LQE7_VxqVd6UDWd zC@#iC{qdu?dZPLf$}EvhD6eP2^=0dD%o>Hj$T2%%n+RtU;cOzDLxgaM5RNzm zFNK5RrEmx`9D)po(B}~P9O61~iM(7QFPF&6C8%PWD9U2ug^NwR_U3pfN+kB@bJ-j= z7f&EI@dRQMFI{ZnRS=taYsDtsWU+}86`MF#kxB3on|;{`QsU6QY^MFP;g>{|z^tzh zX1#SV?W-?l_SP3Od(&cOzqGvtW1+qE#mwGVGIscPMbQ)1wzrO1D;nfM?^3VW36g6OyXezdvFeGvDaq6KsG0AOHve0)PM@00;mAfB+x>2mk_r03h(+LqL)y zg*Aqb6hcTR(vCbr8j)+rCFCq}5(@$wAOHve0)PM@00;mAfB+x>2mk_r03ZMe{6hpJ z$rM;ex6zYM7&=bZCB;U)1Yv0F?VyQ`?Nq|hqVA)Jja)KeFdn;;B*+xH4&$*KG5(i5 z0m+^~bmbc5GUTSpQDw`J5+v*&Y9J^U5C8-K0YCr{00aO5KmZT`1ONd*U;qIM8G`Bd zl$G)@I*B;}9Y-U3QOGh}Pre|E5g8E?#jvr$U+QMKMhKz;Bl#X~&I}I^XGSC+I}r$i zBElI_cv3+$wpLtnh;$@|NQX8=I@BT3p$w4@*^#nR8Ah#{lh6sG>t#klLF;9`_P)lJZEc7Tk_ zk#xzfbd2mk_r03ZMe{96e0PE&|KB^Ah{V9|twuRqV&KQc-}9799MS}?xE zLmW;Ohg0wzqG!3T1o!?sQVZ0}+ZWu%Oh0!h-fjk0#U^P!^*fx47PQtCQXU9qr99`)S}2P9>ty^Cul3dtI%kVM->Cc&gHHx`wp(G6EStnQG7VQDHfc&4a^iY)dQOPDM(CL8-( zBb-?(vK&*C!{mrhhoA%@tku8TFcl&TVFW^juoOv%5jg%`{mT@})KKQ z+jkv~zmAP*3ZyNPozu8wMh>igJ|oDi^Xw^Z{`<+tk~7+9TC8{j&wGtw+u1+Ocl*jgzmmsuo5ZicU!GqPR?Yn4M^+X&GF( za-k%8BB5o@=F8o4&99`cOR4N`Eh;ZkALU33dCm$b=qTTkmhW)&q_A#FoXqGVcx z3--J-*;8nu$iG~=#oq4SmJ{FUk0`ee*nL~_?J_^hz`4Ig=a9%S1n0=3a;OZp@aJ14 z3Kb>8@W=kluuF|GgCQr>lC-(aaE0!ArIUc4We7A7I*2DSM$8{E7j|U=@fdMNW61D zZF=$K{JqZktIVyma!)VJnR2PJvpstM+cjgiuga2EuWw$s+P9|gLyYOqZ`o@$YP2pW 
z8<%H7kt*pfy`{12UX@g(YUmBs3&Jr<#z&_wN%#<7)Db-;cNHLcXU z^Nt>SSKlKR-3vuGEtYSaON}Qt;d)vwd!bP|CZ@BSHuEFG~=7z-&ch7CL`$;D~zVh(GCZ`o^wO3P) zC)tq+Z#xQFYm9r_{uEX!|NY)pi<*mZ#%`bi)9skQmBqZ!8NDJH>n!4H;j@U zai?c^>P)04xOS3t{$l%*P=sE+{pBWo?Ze;3ZL7xZHtmLpspH949y)J*;qbiVZTrQZik8%3?*$~= z_fTt|ku{$?2DXZr>0Q%pmN_QK_Lt!YoM!mPr(W4yUvrs6Ff_wFzV_>?e+riAnA>?+qr_KK97Y?gWUlCH2)b90yUvo%dN8y6A zdyY%D{_17BW$J}y{iw;)%}O6hX+N1$BXL0gV?(@6PQ%0tH78Ylr9vK+=}g=jIBy~+ z{RfBTY)MMib<@-JE#(D|6~^DIt6Goq>b)o!>i8ho!OVRzCHbnGvEHHL*0Qa^91+~1FU#gP)x zgY>4@?{M{b(;;Xg38wzupK4ZhFn-`4*1M`c?ChL&Ih#zikH4&|i1a;cUH&20?`B>@ z4B0+07G8#bdmRg{nS}Y%0UTWaes_xf3>k(Kcc))|Mu~lit;hV*k68OY_o+ib?WNB$~dODZfWHi7JM$Niond7MN%!@zyhwOXhv5P*qWIj%sx%Ri@GT&gcIe9aW zzH&d?b$2#dCz!3XIHsd)vR^5K>5r~>Eu+$L%riY(Dej?}J4rEVRMq@q`)Qd~iak{c z_nZ9I>swr{KUm|kO>kyz&tX%`(dXZ+xUHR6=FkzF$g)9o-!&cgxc2yChhwc(+$xJ| z`^brnZCP+BeJwS@*e9NLdRy@I#FKWyQ_p=L@rq>+Ugruf`rYp_JgKdr@Y+C*UbLj` zS<%l)VU!PBh4!g2X=R%Y&ZH%!S65z@xn${mXIhqO(Cmss+R_v~*Y&#Nex$u|$<3Wk zd(w0M=SRtk=QRnR`Pro-zJMk^&NsL4?czz@ys4J3YgCGjW8+xu*F6`09V3(Tp5Krw zc*z;j{eDSF%)|2ZyY^_=tOa@jB{MHFGFCeJzAhNK=5iOU{&w~F+oN+v@1*F(x(cQ& zEIK-YBlQ5P*i@}uS)=T>=3N&*=XhYaznYyIl4r5bd-0P~gijLmml#SJ|l(G z^}5IHI{&nfaZjYqHSV%ANiE}6oLnb^dy%1VZup(?)o%Kw;XjOz|H+cwkaUUEQS1Y3 zfB+x>2mk_r03ZMe{C5-ho<;8){`GIFvLXkP!~S8<9k6E|imPOx&xeLYT>mV8*~Wjx z8OuZ>o@U^=v4>`1C}U%HUmofY{)nGxuDO+>fC{km$vBqwpmP_)ez@^l;2KMQwg!^H-<v`+cn^tB`H(U7r1jnhz;Rj69b=M>Duqu=k3RPkW|fl<(}?%!x54C+uCi z^o6UX`EB^)ddiNGkiCzqxzD^wSw(L7q|8?Nh2iBfSy3Z9>&H_+I&V+E6d4^@p2?rR zwXrp>+*!kH?mI1B{)mH5RX3Pq`)6yY8HNPD@l56Yu#ci=6)ikvYo@0w-TfD4KsAaI zUoPxwEV<>waj^_(CoRxlK{lBgI3?^(Tk?)H+gyY9Tg%6Of8v+&+i}ts2DRj=D*Lq| zRg(2n9e<~bVO?8pJjhzQ=fS}h1+w{$3AN@)vd!F$FV-oV?>hfXa@xM1Gpv_1OBn1@ z;#ore<~p{C!tkT%4SCT`uJuZadZdivxQy-ks8Fh|ErB=8ChwBd`#4(hdXiS~5j&fA z!L!zXf5OrAvLKY}dvkx5f1>7;Ho4`NrDNq%3eJ#D?Q5|QJXCY!YWNL%|M9M>rV6_~ zYbUPRyeq=FZgVU7?PaCFgOSIy-_^#F{3MT@(|sBIJm-b?luiw!Dp&tv*`JEZB{F5! V*0@6&e6Pp6#87nXFD)#9{|D0SSLOf! literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..e66a9a26ae087c879a16a4d666c9ac970fe3de48 GIT binary patch literal 45056 zcmeI5c|276|Ho&{7|U#SS}-$IC_1y*D{CnG5{j6yMI;PKMI&idNhK0#kEkdvS+ayS ziKvKH`;}6%rG7Jm>vp?$W*(2<_mAKG{?1{}ywB(L`Ml5T^Zd+wX3jYej)R@0Kf?#- z8yp%$W8laTF$fe2F~H#<5D1F(K(Zb)3xXBEXEs>R&_Bih6rvy+dLPl)QHZdpJ_Pvz zTZO!Wq#+eW+eGz6v;L_OSPl{Z34jDZ0w4j907w8N@PCs)ppcNPygZb-m_efl`ULqf zXeKlUZRT0n*xuC8(G=%sXk=-Mn<>Sq_t)-!{=@K04n`sbn>WQSfR2U&^EDweFZ}Rqu3=0Wli5|3YMlfgFVlbOWHOyXoFaWa!QnaP~CWKLT$r!AS&mdt6Z$x$^qswPL( z)=%E_E^GN+uvDWPymDAOhEy-)!5 zUML(g6b=~*CqIRgpTZdjDyJ=#)0WC5z?eD&+8)4riNjNKKc{Hq-o5Gxm^7RnVIC zpf%$`bJi~_obk&FXX>)TKh>StF{^aOFDsncF)N(eF)N(eF)L)h)Yu+aA^Y_<9kO3^ z)1mil=rbGo{tD5!&sjv!t75K zH0uFH_(52|-~ti=34jDZ0w96^G=U@;C{q9~g~90lHM5j01p{IIU@#B}MnWPE1(ArK z8z(pOGgF9l#M4 zfcXfR6C8<>whazr_=Wm7*jeHjK4A=8SUBsbqa=DsMdFK#?)${|ju%T6T==Tm9|&bH zkPDEttltcs@1t8=aWA0n7q0ElJ7*z2;N)X+BjasFWXLz0k3{Yv83PN(UKcn#?fx-h(P$VQr&Dhh zx}yEVDQL0CLBU`R_nnB6)PQGuidM$n{^-#~yM@krMh&}9fA?LjNJ&Bbiz-GWf9r>V z{OY|y@NX%xW``mUm!429KfE`w{%#ZMfu3uJ^(i_3byYb^NcbY#BMbD)5W_YXF04WH zey^?W+9y$~2!%j_Sm-Vw2qB^tZyrB_h6ip_%nymezY~B$1)w-U6d^p7ML-0YhY<0MH;4Mb;7~O$9kt0@`BB5EqSlr4F7fxb@+O~q&Zo>nCb%Rn zLEKSl9yhk`7s^c!UJPhgtvVofMZPDJk`7rC_dGupX>=i1I&xb|qt#3Drkg1_Yg3~) z)CUpYh^;HSeCc8M>3fun_49nno~|?0IWgD~UUZ!`3LVHtu)que@^N|o2Y{$g!$Hz%m7JJv={OFElqr)VY7 zw<$l|S_0UzE#kJ63F++Fj@mM>W8bswrGN%uekja6lZ^B|?R@S|y@Vw)A@<`o$P@TQ zSZ9N!UqRBAk_0iH6!s(>%>CMLTUmPPghO*Rivls&N>BU1A{eev4bk5DoY+u0;D29w z@cSdLyceNjw8L9m;f2?n&IcUXXdUem(djMIwARUL$3ss9W%t~YjV>mNqP=2)amKbP zR{Es^*FD6{nv%W%x!2&*(IYVv3nosGoYiz3&QB&KMR(%#3XDfP0x^+P|L3OJcp&4z zXv@$(2PdbFc_oaz;dkQ8Ry)}7LqWF9+i2(aCQO3CIp#LFi(5#8(i#NGLVdlz=sDp+ zzd)W8j@2%Rd>z{mJQlJ&I%SYW!QbsO;>oyyLc6AmetGT6x4&H~549Ve({6^AlF*Mk z*DUpcsoG9;+RtcsRmGGby^7dz*7<(w+B-@y^j0b|d8~SS6wbbv>~to!ndGiwg*5DX 
z`5t%GHRa(pRqKPVb35ZJUw<4t`ltia=0GLGzc0-Y>t9ynEOGwBalfTQ!@f&YuN$~b zX3n?3IkqR>g0)}dhr(#>tJ?yx9ve@>md4zL>|T!dR?EGRUXSmsiOrpOl&i~=LcL^k zNvz_HqFXUa&0cF*6y%4*A6&9xYCX6wdzAF$Xw28kckUf)SQ@TX)|CAu4ERRw%S0xg zMlZg2d!3-A!IF9JiB-DuzqRaeJBqyBIJ|P8DoN~%mHj-+;dJ#Rvy_j0sNWhj6xQL< zXR@jpgHU4w`e$g653u6g=}(F}Z)8^4_|XRoh-DtayF5R;7*wfi&gYAQX8%|>) zr|#?aNA(e|>-@V`6iU=rcg4$iEACg6;hG^$>In z5&#K+1V92H0gwPl03-ks011EuKms5Ekiee^%!TQS{KLOInmYdPfna<7R38jM0w4j9 z07w8N01^NRfCNASAOVm7NB|@N68KjVkcCl1{_Y446_rx7wwOMqiZlq=uY${)HT!*^kUQidKDUlsz)-BbYvOw3`!Fvha5+~ zM1`Up|8a+)01^NRfCNASAOVm7NB|@N68JACpa3(3hWYz>c=?1fJV+E0)!Um&@tC@K zI*FvpRR&b#VJkSTH~MUyX-xj3@d9otpv+CxRN|&m3EWf)o|{U>aZ|Mwxv5$Tf5kze z(7m-->^S#O*OBKcYtQE<)2Z{g$yEAWZZe%Rhnq~L$#Ii40olLGWRjMS_a7aT;VNrO zbCc;*DQ+^AF3C-%QzW>_RGK(9SrZWZt4so@G|fLchUF@2W4Ot5Dw>;2rK7mXbPAH2 zOr?o(lQjX6zsi7*7M1iz$Ar1c+Cto9Iu*f9rqTtu$#e>wn@pv_xXGG;01_rIvY8eZ zwk0^!8_k-1c814ltgUu0O zKp#WZSPlM@3zHxxXc#L2`SUdS(;J@#Fn0oOvo{dN05-qePk3%iS%>oer&ao=+fM{8 z()AplIBB)K&sVrSnR#(x-j0;Nxnbp>?kx<*xsRM2cD@np^kler)#SQGhOy46mQR&# zED$y*eSg$3>nxKX%hjYNz=uf-Z{m*h2SKrug6Id|RnjTT4>*UbKs>(H*^9SZRk!}# zT{V9)xw|<2>G%tc(gn58Vvc=T%n;2mQ66fc9nMI(`~Xv9QpY67{9^LwnT8LOiMfXA zPaB7vUr0sBZ3C3wC00ZZk!6i9;Jl6e^6Q_(@*|L=%4e z=}_`Ewc{zf4!OKw5~R7C)aJvaJUq{4VxM`BeVqKmyCOHb6NM8fjvJN9@7;(Z)t(9u zd6}#c@y|EKG~Up%NMp#XsHM3cTx(R2!nsZqqXQCps(a6#P;mHO+=cyWR>jLCBVqN2^$gkYg2}37#~wN z3{tskqH#07zH+?lVU!FphJGt&#mPuj?4>K0J2S5`tA zYWBwQe5ypov7qRT-oSh3PCl-j+eq~1Wztwi&o<`Ac-Py3>&1cz41=srX@SqbyKivz z(v4ble5i&=5a()=%Fh(^vGHiXbWnMWBwWT(_hOP!|6&WjVc!*x-n9NuqrWe5`iTPcA|B?Ni!STKd|kD&$6MbOoA9!lYC7<8md{y-ZkbCd8)zGnXZWxSy^a(u!Aec9ew(Q&VFK=B_)ePM|Ug815$dnS#ztLXw9qd~=4{z4b)G zBy*l@U;Sxr%NdLVhFJ6HYQGLIlUM3YT+M2L?iVRm9=dno4vD5T)jS28y0{BE^7%d4 zYnTKySCf2AK_i1$&yz1*Gx}6NLB#vdV4b3F*TIMK8Z=HYyIz|F;Ji!*YahNpCMy(|EqUZf(d{5gU)Hwj^BRU!$awf2^HoZ)IGcU;-~!M9fFzOrqDaH9i4CE;$l zuU5!mdbm_0FOwpZw|C~__WF^Hbi2bkQ!gv^t-yAxe`CB7vuV4veYp{nAi~uoUsF(2 zg5{HCsq3$rXrBjy4Q#W=tG%9osgCO3`fc-iuPcj$c$w6@IyP*%yMLc?aY13a`q-H3 
zWKoH&qlddcrSHjMU!4&qLHHMwKYx4YV+x80>!{Jsh$K|2b{(=rX_N)73_?+5=EKHr zg$S5NJq37~B((J+5*P=8&lULj-Op> z*VUp#+f@ad*W{00fQ3qWCLKBOYRhqzvWTNzIy~Rq9{DT3xL-CCx^tLV*7wbGNBZI0 z`Jb~NmXPwQKgpV`DQ6N8Tut&d1%1dK6a2BO6jSuAuE(N<*^(Br-E^qhG_<~Rv`O*ZzqnQ zScNh~VMg1S1UOfdd`&^vWvKSF^O*VDj1066jMt_dP4ipae=O}zT8sSrmPbNCyi5i( zn3H`}dMftod5cwic+;!YnJk{^C?Hj5fQojJs@}yUz_^;^YYK{cAbM!g>Q~QGd*%kd zGdGG1^vq6CwiWnnY5LIPdpcH^mr0SvuW6b0j{X=eT>Se|{BZEe`{v#&D8!Z{_2FkI@T_<>JqsXD)yW%2Q&cW{$HxJztqBCP1%kK06#K zRA`WLWX^?5fXM`cW)Eu7fafm6@(*+!`JCiyw9o20q^fO*nhfId*AT>Mfds9G+Mno>TGdBl3-nm_CqFKnX5;BI7Vp~(Qqs$ncRF6+?5nTW|1B< z@p!Ht`8lPV9OX(jwf42sKOYvFdPwaIJ-yUbu`mH|S0*u*sEEJHi{ol}v-%gVZI0dg z+k1G1fYtgx$6&O*i{yFN;eAKE z3F$}w;P&9^1BZ_B@_02NPa(4WgxR$x2p0hjdGo#%6O3Cj*wqPx>-HlCKNvCbid;SN za}MCUOv={}2_A8NUki;pdIo==STOgTZie&nC2f_%=N0a!^YREac|P*+ZLnXJh?G*^ zp{_H}mWEcOKig(f?iIJ)a;Jm~6R*J4qZS_=Zy+)xLV8@K(i1wq+_@$8jrz#fXJT41YRDszdX+QI>%uwN`szWD~AZ&J?cnqz54P}PeHH6jT}=rlOX@gB>vMC zL>)d%Rw;W`DVXW3J+(UH3NdW)4$7$;h=vW)3o8c~$BX1h&EsVeKX_bJ|H2 z=dOKc)dqV~T_5IRDhenuACqkNGYRv#o8)J-=>h4>HmPqfHdDG^w-~|54-9d3zcFcK z@v_ZV^EB4IkeA7|X{W?uOTO1x+q+mZ3G=v`-%9Mp?GvCCvLlQ5U7NxshbM3>eLJYXzrtnW3cxYZ#_*`L*F;&yxe^5rp! zis))8&(E6N!hr~+a&XR2^4nK$*VO8Mt4pbnwBFw0d4N!)?z4t<(s>S7lYE`=`D}K9 z(e2q0sQY%Q!`Usaq7yPZE>%7eTF@%%^X$Rr-KTkx9PXNvJzQ7fMP6A5!yDZcMJo}7 RBoyDtmNG0ILbp9Y{tp%$q~QPn literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt new file mode 100644 index 0000000000..78691fd862 --- /dev/null +++ b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-no-names.crt__server-no-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-no-names.pfx b/src/test/ssl/ssl/nss/server-no-names.pfx new file mode 100644 index 0000000000000000000000000000000000000000..c35fcdabc7a2a7859bc541547a557ddb7b5cfee0 GIT binary patch literal 3109 zcmV+=4BGQBf(#)70Ru3C3+Dz2Duzgg_YDCD0ic2l*aU(L)G&ez&@h4qhXx5MhDe6@ z4FLxRpn?W?FoFhj0s#Opf(C5{2`Yw2hW8Bt2LUh~1_~;MNQU?%soGr>%@FG01l|%=i$fLqMs(^~-*cyNpH6UfOR;3f%=(`TNeQW%uo`ts)2u z^M}5=IUwAU3#5h4Dqdsm%lvV|&zwe)scwul`F=fuElknkcW8)_wlK|`uVCUqioaT7 zWgkb%3&B!Mv5?xYVVo4_)OZZn9AysXf^y0o+M*8AkE>= z(VW8a0@qN&A_5j2h;~&R54&&{xs+c7h?}(5)QK_qdNUyS8J|O;3rM*pW|xohkk@^j zJC9xRL9H`Ib7?{SRO?~mPuWSA!sOn=%J8Znt%Q?4gB*sKDD#H1QvjVl znqjEO7(ZSz%)6U%Y#QdMZPaZ#qSZhQj%{Si359M5n&Cmt6G0wr14%)*9S z;!R$sn!G#g^*Q`X0^lJw34yr$XHb@|mthjR?>;tlmgE>v>gmVsn7yxf|k|gv<--N*#nwyhQvDEv>(p((%^ebDbs zL?0%hvDiT*u>>#WRN-9^@Y7ZPL@z?CRPl+wH|^wqq8Y&HGn{9=3363 z(C7#dK1x4>Hnx5CR{F=29+qJ2*2l=Ih7gA)SK{Py3vlJTmcSpY>)=(&FE9=_><#tN zQ513yxIMmHmKY}MwFI11n4yfr+gvY#R`ZM zkBz?Gp?*820``=&OjVXPwO)FI0vIs27F3=Kq4J<`l^ylXt+$(-G3)?>o=zhfWScxx zn`K!0nI2`YmSgwfvaI{tNB8K}vi9I=eT@ONuwnr5%<+RtG=t#hvqbgiJBMFHX7`6e zaFo7XOL*1+3bT~tQ}HbE<8xNcGG|||`pjUj}o z+BJio_pPFTrsl7r97IqPa_8@$w{VjKN6DxKI%c)5bDDLLs#q&?FL-X85DX0{%BPjdgFz*a}c1Wv;Ni1A8! 
zTofh`A~gyWy=bvZOHYR;xZ_AqnN6fdYl0lTC3{k8OK}R)1T(cO7uk?yfj(2hY*99*rOVB97Y3hcE*fv6=Xs$#{ zH_aaH)7(c8kAET4JWW5cw}BQYc62z>GSRLH(X3>OowI0F5}!400i#V%;*TO&z^Vf3 zhk_rQ)7!v%FXW)hQVpDLRgdsxzJ^&Y?>fPN&q)w1N+z_M}VlP3h|A?-B-|yB2fA>o|8+x&KV8b+#*oaCs z!J*q}qDM?%<3(#Nq3^Wp+8&kU$7>eO?l}sfJ;mTYeArSft$jdL!3 zFoFd^1_>&LNQUrU}f;F0-@Mx9%r*U0pIekwd@%+T^#!ZfhXNN+-8YY-76z;1!3@8^Li-TR}a5Cw*`RLWLga{ET1isJDcB{PNHbXulTI`9!s zM5EEFf?eMz%@o7x9C_RhZPEi_MJ53^D&0Tdn(6F|eERy5Ig&t6lY0eTl8v?U3G4h;g;}d1;&z zTu*e%aZ|KX6V@pXyV}7xp5i-8*lb);$Dub#zWVi-UNp)(pJrDDF#_xATQPU)vRNM1 zYD77yNp$aOXr^H{K8y|&Z&_-jY2bmv);5$d%Z3`>d+~1`9oGsJK)(&en zGQxSKn_K+<+CDGZgnyO)5Vl`cWyL#~6h@rrt=K0rxbqiLqsuWg+j9TX{r>aQm=m-8 zWbLnwN?zWv_C|U^#oq2<%isTVKxfZ&ummzoXc5vhC`dEV66JowS(Era<(&o;v zU1+$g$xxY^6cZ}%4MXzI?zxY!;aMm;mYNmM_3@iad^>B~rC9jv+H9G0=S%X04{!6L z65MaRrFPv9s$vAY$Ja6wp*C+f2v(RuG1cN8biq?qIG#{Ji*k-43G)s1?qy4p@b?6U0d2k`x>Q7;FuXo)Mp6-}F zPzaza&M`vFf*TAA;^1}VuRp+_k^oP%{=9|8&@@S4d7)e@=s?F#%H)XZQYe*Jw|o& z2A~c=^gml$KxRL7oe+IRluHe8*!a*z>y>FN*+COvSR{AHt7`gJd^?CYtWtZbksieF zl*nS5c$SpQEU*Z-*MLmMEi&I7|43!qet+tYb5_t0rt8xT_aRzcM@kz@HklFeE1MS=K0=ZdgmFq!%-G&L|4P2)gLjkT-K)?&>3g>edT}k-4~fgotp2UAgoD>U zMNN^{LSx~a=5TZirukaPknk+LqEKnm*><(S+hIQ%Shj#V?+S*-Cdr+-nbJomQo`O& zm~a^hchN%4h}dlq>w&y6Re3x!#6D!a6|&-k^}FwhV=*z7aLTD5gWr*L{6oRfAYFjp zc4%W(>$={v=@c;~Fe3&DDuzgg_YDCF6)_eB6d%d=AhBhxC({}h!d&kTLzfx<%rG%9 zAutIB1uG5%0vZJX1QcP&BVd1XEdoIGPi|UJ;~$Lg$?gOQX;D6_#iXF}0s;sC#5V0- literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-password.pfx b/src/test/ssl/ssl/nss/server-password.pfx new file mode 100644 index 0000000000000000000000000000000000000000..a6ad1bb869b043715aca18b25791da12403a6be8 GIT binary patch literal 3197 zcmV-@41)78f(&^A0Ru3C3_k`5Duzgg_YDCD0ic2mFa&}OEHHu$C@_Ks-v$XPhDe6@ z4FLxRpn?X_FoFim0s#Opf(FF~2`Yw2hW8Bt2LUh~1_~;MNQUU8Q zxC?%AQ?DnuPAF`D0}#OxEu|%n%Pj%%3Q|ieC;WW5c`KmTmXacbxh( zHJ+;)L`VDSQTPsR;p^FlbMIo?ECLe<_N|;}qpN?ccLh+QKBJ$*Ehtsif6>1N- z!wtWg)7JU?X$W4NRz`KA{)_>@ct1iw>1KaBVjoBQvg?5W)RD`e8W6iIfQ`>nwOIpB zB@M?VH@3BSzksw7QbI-bh!*y!Eb)l;%Z$Hgt1L0lZ6#phG7TYW2)%>BBb_r7&=TKx zEmD(l8#PT1g~F?-G~tRZ3JxUHUtbcbjEvYywE(^;19M~?iN^m4}W zJ72{AA#oOesx{8OY`LGw)!;#r(kqq?BsDg#ITr)(29d*$&at>Z+gb6rYw6*R)|7QP9RRrOZd~L~@Te!YXtQ?{`qt#C&9oCUbL6e9y&0eu(QXh_VndCyugXr&rpC?iQ`nz5MXJr-3pK2430^|FFB^c${ z(Eg-lf+LvneQTNM#+b`l@(u)W_#PMJE*{2BeA%DSyGI715LE~495xNY1re(F;pk1F z-*5-h5bq0{g;-G8S4ir#XO8PFLHIny@y{mep^yMQ*Dw6#Bx!|}MjEFpDa~^I)eDQm zx)n;HzC-WLn@GRx*)A1g_--P;MvfKk4Trp5Z^z$diRO=dbC7lRtx3Y4U=Mr~u8=4C z*{62)POD%GdMC(sZy0yPZHV^ggN`2z0Z~Ayehp#_L&^s!+0MEoTLik6^BN7r~Qu9;pC@%~Hc$PU_ zv_NH8y&S)Yc zWFXcuVYAHxC$b+l=5!W4*^uLlU)K7+jjo7~(d0d+mCN0BD?>hlD8xhYB2fqpwX@0B z^im^j^h(TCD4bXpqn)krLI%5g>iV=#U>C4Q?AB3tO$pE^>}?b>jC2$0@Py^W>AAQq)cRlo)?eF7vffcsb=iZY%8ZA9Z3uda-cR zPqTIBB|>Wd3{qk-StKvV*;XjJC>qHRFhT6L+u8P?lC#L9YJQm!7|QIpj1S{1Hnea^Bzj|(ySsgA~}yBSpH>(uOa0h+*!}P zWkZwj<%fL85t!r8P_!RLBl`S#BUu`;LNQiuK|zT_XSYDhh#REDt{Y0Oq|IM!31-SB2c}<(fP^Lc7w@0}A7&C(513zz@@Z=P3 zqa;~P?`qZu7LY#H{vPY2zwEVapqQS6ABbD zhSCPq0h%%697;q&LfXX5v2(~Sp1oy_^tM9+EN6IzH+x+|FoFd^1_>&LNQUmp+v*iN^j*VpaVw1QqI(*X5#tJiYBT-` zRCQ=l*XC;e+-dtVDSOl-^7o`t$R>;O?RkFd23ib4>hJaN4vg6{wc-QNDT+K_3MR;F0 zuB6-lv>y9B$zcF5Lh_}j+()|Z_9Q2ajjF$Lq3mWSEnJEz|R*|$in3BIcA zH!xT6BVV0<0(^b_YX8|@i@ymFHpX{L+7_8WFtSo3przQXdpK#U4qRw0%~d0n**`sz zXPM_K$Ek{lSBIM1#H-80zr2s$Au4$zC}S_Sti{?pp(e}3r8cwfU@?!dIvn2iM`+tX z)@Zdybr=Yi7ltq4riQ1a!{ELM2&x1sB$LC+rUni~FR%k9j^)3B*x-P>vh$p#XBq35 z+z6H+LO`XYn%e0m^$b$BQSsN`?59yEA!zTpjMbLC7--XIo=_ 
zz*bybdF7;1_Hx0btC1F!7@&*@?8xTw*uH(;oUE2pWX>f;#U7uMq1(0Ggdg-HW_=&1 zATR$SNp4b`EaBc5i4p;VoKZvrF`N3vJ}a7NCt#*q-I$E_1#vO`fXl7OT;AMZ*SSs- zt1TM%x3qMN>Nf*d8|V;(oTr7i3KQUy$>5nri;nor8%VKb_NBm?ECs#+z-J40(Z`uujy<>Z+)Pf!kkM56V z`-DUC{^Jtv2th()a#GYXYS3D;fyB$Z8G=EAWz|rUUY#;yk0yi%#eG(Ii$Qct%GJSa zh^!#*q5XOjd{Xaan!hd!GSjj%x_gl+1Aa!Sg6I2U#4PeWgfaAzh#&~?Av{b29jXYU!E$vda~&pE%Dd7qqjW`dW8 zYe=k+HCGfJ5fIDbKuQn{LpCfH1VIYeO2^iog^C%Jo*nEH?qmO!sQ{T+w<#hW5KXQL zl7ER@kS~-El{dt8zyb&W0)PM@00;mAfB+x>2>gWvY-ltlQyZQU5*Z|1BnS%#35tw~ zagPfO4-v@Nd-83)`7Ea?6Zt+YB9G-Zh4m?)r60gX%?!p<35BVILU=%+F#J;q+Gh$x z-j@m-gNYOxbEr1#N7Rpr3k($sVm~QRKU0wAeyPDm*#@>`8god`I6`7#;)KzkL@1w$ zNHV|F;IR#o-C!A}wlI!(6qoWXM8&tOfR z;^Z-vkGEj&HpRi!$=;h~Yv<L3>(FD*eEW8On^p8+Blh}l^8KG=OD4P+=W`wdCp=?Gdn-R(!qArK1%OUD=h`Jo2 zt_6{6LF8HxxfVpOg(R0ywjh)(iIM~*Hi5~E7_S+M*EJ)?Yew{$L!@(vbPkcuB~rLV z3Rjwfx57p7R=5NiEpiMr-QU2~$YIYAZEL{T#~-ni7nd(XpDQKGOw zXwKns%<%$J6E7e&@z$j#-UX?Nk5+2pLzbF2QK^Yzm6!w{so7hNASF%ht!B}u8h%J5 z1uT2}VA<0Li{AcXW>0@Hv!^U(_9@%bFqYcWU(D=j7&Chs#>}3EF%v)4@IGKBe!fXf z{G^kbLA|E1*PQ#wBu*Mh*}&fJ1mfKZG7mt50#Vd}O`Em7gvjNU&WE>=YB z`+vHw{n?*PGUjS!ad(SP>S5#qZqg+mxCs_O01yBK00BS%5C8-K0YCr{00aO5KmZW< z=Ma#k%3*_{BZUysfjmbZBMr!p$Q7glIf*5K1rPuP00BS%5C8-K0YCr{00aO5KmZT` z1pX!hvSbRZYeH(J6NXWGv#iv3B10IXeV8<ugNit*#U045R zJ2C%PEQJ(Hk&%oBMh0UtgQ|E2Ie|p{O#=kY0s?>lAOHve0)PM@00;mAfB+x>2z*9> zLWW@aBub(ZjM}irqho30sT8t;xwkMTmK7}$#j@;e@t3+;?xL93;Ao+jhbzm=%as)^ z#CBq0LPU|QSiERV9QLfZ>;UP=43G|OfOMz>q(d1X9kLT8Q4L1z*f!{R$?>uzj@KVN zRKn;5!f2L27#$l!a>SJA1EECB{~2Wvauo4LR2b(GCgTzkgcM^*U;zXG0YCr{00aO5 zKmZT`1ONd*01yBK{u>C$kX7LQ&`dfW3X$#C)LIZ8B8-fcOs!>bxdDqn;9``1^)05) zw4aR2kz6T>nsn5Gt%YjhQ3QE~L4ATey-^*uE~+DmG7J@nA|gbQ#*qOLLX-Ky#xXJB zcrg=vBYFOR9fa&ejv+r_Zvfm!zDM$r&B(g{hC>Yc00;mAfB+x>2mk_r03ZMe00Mvj zAOHyb(+Kp0Go+ug%H&b7BrxGG2rv;u$I3`^Xb4#c#-H(!rco=9;8b=Ekh{A+HxTs|QKOaIKA{UT@$Xaaf--OIZQjp94G`?UwfB+x>2mk_r z03ZMe00MvjAOHve0)W7Oj(|Fu3#$#;ynV}Px1IMMJ@XjNd$TJ)#cs0XDF!^(Tf}}? 
zwfKiAA(hW64^v4V^`2)JNFGYSb7}dmZuYi@gIf5c^Ubn{I-@oSVyMJZ26%2+dZ(!U zx|hGXFH>#)CDz`9P0Jz4Ljz1Qm;SYO6|tdHp%0M!Nx33g2sH>Z|5uhZbE(THY7B-B zw80%xOH|_Z8F-=+x6j^hn2g^@|6|FzqkRTrC9yxZ*e8~Qipg52m_*x6Ccz|G=!UBuSHD$+VRWk-~FtcivAR7;AiYW)Mp zFl5d!@3+j^)08*k@Iuj zndTIlstB*1+CItQ-S*OD`kLi-L3`?D-z*KZ4xar}++GqHhTy$QC<9f%9@!bDN}-}; z81C-N3_H{qGZ=C~tw~#34OfiZWb&$+;_~45i3hrOf-gS|P7XdjI<)CYL`FhY+uDYl znoOhRD(*Jyqi;0^#~8OzJNGl+6wYyuNae(6q{d%)Ikjod#YBzT!McT0OOx+EOr2IT zF>jx1-YTB0&i>Q$_c~v>(D6L(;G6YhcCE^k*QjfnzuNys;l~9Q-@oCkPuFUhcV_G% zQ;OV)&Qtfamj0_s?t*&wZS_lHV^x!)X^WFSCKSJoGtQna%YVP4V211M)yIvxXDeFe zoYbEC;Uy>SXVK}jrd@Y$=q~mZ%ll|16a*R$f7@}+h&ie}d(Y%asnhaHS2ZT;-G4`4 z^g!Qh5xNhGYh0+*I-8n6Zon_D{-2S*acTAYRl2XaXIM<4EWsU(3f}ibCE^1&|KRfH z-HaNx;NlFf5u}U#{!6u&y%!8&&&mw|I2eX8InTZ;bYY%2>fXW4x1TZYm_F6syztSU z*)0y|bkh!Qo@K}7tm)Ba?IZ< zVqWOA#NWd37gt>WdHt?)9e}q1u>t(w?)6{J3x-4nk2|~Rh~cwv1ApPuBUSW^MWWv5>L#4cqZBpocMVPPL5f3bZ0zzDPC5~e(5rW~Z_yudbXfe(+C%S5 ztCLH7G-jAT4f3$EsOcQL;Z|B$Ndy0w$5WY-;#!BUoln}9TI>vHR&H+{aYrb4tmKc_jV^sO6B6ozUDEwiWrzxY233%{YYr!_dPn(*+4B*S6MG z9X5FHxbIv-omb@+r^x4y(ci4?&Z3x7x;{9)G7wJZE;(=BZZ+hyBi{tk`Eo#qxk;`_d3JZz+y|MqouuLSbe9r{lRIM zj%rL>5mvnB`P3J}8%LD03g=bi9G7poK9#?H@}(yI*oo6DPd%0!@x=Fr%whfRI|=rC z?@YLK8m2ALEaDd2iief7VYrXTE71KK=Q;pYNGiZM~tOiji3rN>@&I&apZPO^>7MS9{=YqyJ|;3A>U8 z;Kcsg*I8IhA@%X5YJL3(-ud5K`sq!v-_GjwrUNiU5={HGKh1V?zMbVbWy6@(pRO;{ zxmB;cS$Rqz6y?vj7|p)9fqOC{pnZl zD`H<_KVp9AXKZ|5`qTlS_PbtnfS!*2UC)}cvbx>7_+h+3W1A24*wuC``B@8PRJK%T zZzz!GFRIb3RPlSI+5Y5Z@Y!^YE_=7#3$JFMsa8L(fS_sRi!Y; z?(xw5=cX0hV%S;kE{n1`v?MLL{+nkHM%beT50Z9w=5`!)F0!%I-~1>+wP;i1Vyn9Q zO_@B`7f(^OM)|s}`Q4Z5XdjPFvl!$RkG$UhVnTV&Fv7Ebae#@hsVc7z-2B+#v=Y+G zOi8PLwq(oMXNqTP77z0o%`mUnVU_V4U?f&LP*csc>W2q=IMD+DFZ97Oi>jIOkj=MJ=pu ztMBEBjFdHF+**QOkI7%=O(Wg>!mGo7w5{HwD4WNapd(*A?;1u_0;P& z3)faxblfdH?CZQ=t$S&P;nL~096_dGnakPPw9%e#Bjk-cZkpCy+EuojVL%OQUva4| zNcZ@6?~7f>8))wGt6#q|r*oM+xr!D$*9NlAVf|8MrD|d{Q#HNluvOwZm+T*LH#86~ z5Wju~=w$xd^dH9O{}h==5Ti*ho4yk>zyb&W0)PM@00;mA{|o{v&FH;TroKZ`Q{h4k 
z>>m~?!opK3s}!Iwr&B~;-ztCF#(%9Ct3)CKPU-t=R6ntW$E5|Zok8#*v*Vz&vHANeu&|0o80c#DP$wwn2!%r`7Igq zng8FJMc)^le|K(M_KQ~gNyYetf)TZQPaz?dmm|Kt{ZsIIYhkt)k|Er>u6=Z%Z}d~8 z;qfJYsj~Ht1;#wXTEiLPv8J1UoYYL;(t4|jdPC3QQF*IgP{hi0I)%rQ?nQ{Y!Vund zjoO=;a)a{q=-<37nK`(qOC~&L|Lc-*uCA|-b|3V&o5&>F|Lf|k$J9JXS!Q@;p09Rj zP0YS)s(#P6sl@uvs@XPS!O8LamMnSUZq2KQyEjp?hC`G5++U>e4?Mif9aQQajtQ`$4@#U^smb2gK1mtPvK2_grnk~rI8e$k0{MtJu z;M)TfJ=-{O8Q)TGq^W(k{tB|GPq1^u{noWvsr>y0 zA9j?FSy}o+d40URl|c=8GV|aFNS$Q&R9E0~IpY2H+dpS6$@w{VMZRL5Q&J6Yjbf8| z`iqS!yxkX{$xb=&eTLoQCK-d>ssYxJfTzn(7DpDP-8mH3=w7F)qDRUoiO<-jkBa4L zTay9?+aJ2(@*$p9vWcV{qG*k6eMdqw=$MnpBlqhm;W89 z>_GFR;3GE*ZbsgoBpBzeZlS!#yJo`rt-D38wOd=rZ?38a=SCkJ@vdeODNweca%6jG z+uj#5oIA9Ps@w%7iswqmClt=u+2IbU|7ShsB?jWe{@M+6SUiZ<*PHge*ZUvvrr59Y z52QE!>V4r~J6IR}xgqygo)Bd@GDzUOn^*UWY1ob%#XS(thT zx}n^C>E4t;6doi70)s(%C=>_;f-_$t%-7r`zzm>s3(R-$pW=TN!a-WAhD4F$AR*Xl zkjO`5y-1M=MMM$S30n<2_pcfOf}bMHcimPY#4Mks5215+c^Tq#P`(-pPF(!@;Payx31(RP&0W)lk=Bb51O zl%e_N^`<6<)+kG(EvEX0Mw%$*FH>*q%o|Q^g^+->p#m7>>Er4a8sJZ3iaRJlfxhhJ z9dr42VCN!X0|5bPX(g~dyMl`s#naU%AYcpKGnf+SCOB)(Wb->Rf295f2mjW%CJ;HMmH@s}KUwe?T|X*nhEjv3oQ)Lm{af%7@|f65UsBma^G zi@~ZHLIk8`=eEW(ARx$%KA#5qQ<@p|mn>wgT7o55P+Ca|ob1c)viSt_5#Ma8nQoge z=cVKH4a_aAHBl4{^Tq5p3Xb{0vto7us|3p`BC{6BtVJ?=kyV9EV9kiE8HqL1X3fZ~ znGS14Va=$_nGQP@W@gULh+*ZxVrJIE%7VqP(qJ*HJXj1X5f;PBgvGE@VKJ;+SPUx} z7URO2&)S>u$IgtKiP@QP?94cJW*j>+j-46D&WvMc#<4Tw*=_Ocws>}1Ji9HP-Il~w zNo=MFk z32Q9`3~Ma}HW>n&41t}Wz|K!#_XCmLmdI{PWVa= zBjO2oBCEn|$f__KverHuvMkJotgW35S(`i?vWU)xEUYsjo6l@G-;7OawsgK3=}*mA zT{2Tad)|ZgoCngpUuHPxml@90WrlyMJGWwH>6~9?IJaVEIJaVEIJaVE$oiQd+JP+4|di4=@06@yX3^9e|AQ2JK`qQ0>peE5Fijj zLLv?hl89dvCo}h$tIyO~)&7Gi4z8@lH^@u?0fPeqXe$ET=)rFE<#e}TUoSUTEf;zq zD>-I8b}>d?0Ad3bfiK+R8xZJ0ceAoEMFqMA1fl|hn8y=XWel37L*Q~QzTV!xKFfWW zhcjA!9?O|oS=F>yGfCO>>`V>woX);M3k~wv(UN2XGcaocod(%4pC@Bmhpj7KN2_%Y zZR4+O8P*Z84-u5eyrp=cOvEVkfqa96-?#-e*}|zIWW4u499*mKb8nUhO?Td2YOPW4WHT zYI@)91?8zeVLDG=t=)xMaHViNHkVR?ucBanQH(Q2e|`~;AwW?OxkmUY5t+Wk;%ZT){E$VykEIS{cfw-ovzG;% 
zXXd`;1B3a%C=5(MXeJAvFh)*5*g4)9>;{2?)u9NDb1faO<(q=*!2CIugU~%-vBt9{ zO?6+E>0fTf-WymGtnyo)BKUhI{_fg_IEBR1*54jwz%ndgj#gAt`0>m;WicTix}=`z z$t{2NAT1{fr~m#*iA;3Fv+4{L-}Y{ISFutPt3zYi6Ox+JBMaL`qRo1mGU`wpo0Y}S zf8N{j{ml4^f?}LYeF(|X%Sru7({tMm-bn)bWw6uR&x`rFniQF7E7^`$>X=?H_`Z<7 zv(2uD|6??2BJljtI}-7J#4<}khkAI9vB^dobjl14eO3Y?vhTZu=7j|{Lw?ydXo{hR?a#6 z9pU4hFuv>X4)Iz^uyPTz8~C_&!-ar#%8!NKoP9Ilp?@L&&c(NR7U<&cH3RL1S*k=; z$8@gU@Z)Kp`R&F94^0^5J|I6RBX#=wYr@Ap2I~)Q&R)?vMJo-Wv=(12H*xU}!I&G5 zIXzRUYV5{_g*rvXIOYW_-dTimW6DGtEw!C`PzfkfxDM-2g-opu9+o-Ktae0)*aQnoQ zpXB;`9EW|1)l*|etwvf`8b&Vo?lTNl>x?_NZ$x{8y6>Q${0iCu?CV&2QDsN#w=Ra$ z-eCzHS9zh}0r9NN^=tib#r^({u;vs<{VVwll;R8V0;9<4%!K1QTq!L4g7DpXw1-Ib zbQ#;)z@$){A}Bc`wdehcv@IXK&dOsFLYMKIy!}ypenDvS>d=GFe2&O$F!U79qy+}L z$jh78|A1bD25I>yK|X*BuO8HVtob5Vr?!5g7#!9uS>b= z02L#+oXqnR|GIYVTl2yc|4SMW^{0*pOcx)j4~yyLhi%)Ycq>mQ5JuO@T2H!uiguP4 z3OOxRJMWryRYlh(ruwxNz^*jIu9lW>37~mpHnz7sUc{Axxq#pPC$39s(jF$G4%#y* zTw zY}2~HvBzq^o9#6=$}<-Zl&`f`>Ph%rrQbYKY-^%>TlB@&Fk8M;Eg>uG{Zp^nUUsF1 zs?##!-e}aHQgXERynH!4IHohwdn7>N+(7R6`iUiUw3=c-ul}#4sfsFQI5@G0d>tb!TKz5?rgR;$5Bib$!$cg`B8whL; zKmZ^B5C8}O1ONg60e}EN03ZMm00;mC00L|R5C}+k=J>w?gscFd00aO600DpiKmZ^B z5C8}O1ONg60e}EN03h%WB47$-$P53s{+My*_`e^7?EeRCAz%d{01yBO00aO600Dpi zKmZ^B5C8}O1ONg6fq#R5EQBol_x~7a=J@|D2>JHkNDDLp2mk~C0ssMk06+jB01yBO z00aO600DpiK;R!mKpH|2{=0u%%+GWQM*d)V6`6VaN7)9<00aO600DpiKmZ^B5C8}O z1ONg60e}EN03h%m6M)IEuK%luP(jEM`52jn+>W3i3=l66`G^TbEn>H5 zqNpbVD%yZpBHAZf2rq-DifX_IMK_AV;jJPJ5voY7$ZaZWM`BlcHW$K4H!{bR$B9Az?slT0Owa*~NuI47A(5aA>fDKJhl2_yVh zne2*p$N#ZmLL6nXASanh6yPKisr;N|Dgnw#CQ=}rWD@!S})H%m)9> ziGh~k*WV)n`tvaP(-)tDVeG~@%-=v5fieH(e!?Y9=hqCJANuq$q*!?MDRlQ)2QnRR z9O-FuOZ79VEgttbH>~{Ay@jEuQRL>A%1(>4O9dwIg}Cef4S zHyLPYjwVSM9!y3QWTrmzDpJ{-uHAXNFx{8mc~sBeK(y#pt)8QJf%b3QOn$4{@OyJt z?r}#uMU7``8#@Yd{n=}!7?0i#-S4lAu$W+=rG7E_^GL&k$vYihS=FQA@T5=yBh$%c zUr$D4K7mCHN@R6khxOl@Hs@yY1^z*#YSNjwXUoZDOA~{qQ=?Z6iw$30jO?4F?07uk z$3QRSY?91_$^Aokk&K?g`~E7uEmM~HqsQxvzI;qfQLA>h5wN}uI>pW8k{j5Lx^Ih4 
z95L(6+jn4J)sIitCn#nC2YgjX@AVMxjTvZ3jwY!@9!zG_6b)>aS(%d0jwcW=y6S95 zS^gk@`oN~>QoFVvle8XgCOeHqwN=c*`J%k?TX5>tMWctsB^%25b_=D(RNvN2-OoTT z;AoOa<-uf7t=UJ(TkjlJfa>?wI3Fy)J47mWo^g`c+GsfDn_MTw&1A|&!@?i|Ez6*` zf_V;v7v9 zc^QI)Vxt_pJVtA&7U665I@iDMk|wK%Tv77EQ-)(!7f+n$W->DRLWK%$5_Dtmz1$~Q zN@mKd``^AOi3hFde`qc%COgDHi*Yo`(-73OG~KpAYr&}`4-NMVmY_*3OKEeF6`28F zm2(fG2b@~DnKU2l6yAJbjhZI$uDyq;&bl&+=jGH=ICgjRODh!p^Bx8o`HRV)e-rS~ z-8PT9pp#F7v$m*4KE&_SuR5%Lv&uAZ?a|uLyXq<@G;+C_EGk^u$4{m$JO5fummxq( z^DIz#9<4+UhE0Z3w;=JQ3^anXNnVDa10}|JA+VyY_n^n(jI^BZCD@3;MbyXqHpM$d ztPGxDa5Jg2sJ&@rOPl8TugzikNnX&c&A!$9_m4dvvhO^7xb1Kc11-wYBu_&S1etg7 z8Grvbf2xdJKt*|2$Z}=4c$m|`t)}K?+(TJ@ZYJgF`)v%6sdtqo9o$ioI>AFp@8sax z-4)M25Nirb-4qyTI7gE_4M92wzlC<}4Hxf*( zlMxM8x}$Y^>Y;QCsa>5Os^6=qzQN>esCBSi4$1y6i43#|N0U4aLCHezibq|aK(-XV zzmA~PSyNT7Hy3+Fed|@XI-CTKsNrVP)Fp!?KHPy?Zf$b2`IFS{NvE4zBf4c{=s$Fm z*E}{(W1wLiP4YAZ4cl11dG3=YP!m+xRAI4y#p>fiSB}VhzMg&768nvAP{_^XnW~*( z?+&Gu4cz#!nQ$sHY%jzARPt-t$?%fR#b2^yn7c(`jwX2;f|jVkgJWr%Bfg}{OB^=% z&E|eQNpSpzwuZ$S{!qQGTdcX6yjq&O&GY#&Wb4c4Aqqt@E1vEOQps$Hi?n#Mz3GD{ z-!%qW=ogbe|9a|&v`BT}oNmA9=vdFLf~dfYPaMH`ns{d*rjEy=4!s_7eD4IffG`8f9Ku10Pqop&DkgspLI znf@gAS}C+pMwM}Fed)GmNp;9Q`8x%Veqf;aIhy2Y2zt>eiyt#Tu-o4ywm4nS$!0f{ z)ONxeYAdFm&5zR7yT#3N%4O@pxQAO;%B z(Iihp(AeVWtcY-|{!QN&;ocY`bXi;P(H$ka`IWKBqZ#dLS=>xozjDd*{?QwJno{es z!Y}wlQ(*Hkl{00Acb&Gb>US0$V4xu!P4YAZsedYaxhf;D%lG+k;wd|!tzPyt#HyDk zyd5-px|@S0nz@;@aonL>+vu<*Ej{yI%)v_m7@Eb@xw2!agzS)DJz0+j3^X4{lROPU zQqPA~Pd>Jr2-?5gd;|5Fvi``r@5J_osjx^Xa0Pz9BR7-pA0*StN#dr7LqjS=!F-GO z$@Yqqm1AR&51{J%<9;@brC@#q!XC-F<7~tAPXq0bxWzTDKDgNBTd(Pt7XJtggMsm$ zKd2SOIRA1`TX+9zuy3l%At7?aiNe8)uph?4U-L&scdgzTYiW2)rNi=2uro6HxF@@IVXY!Sgk3H{A3@Tc>-;nJat?Lyi|F7;59j5^O$h&g2}FV=uSTN8V^=E9LzXg?Z5NtvTZUN~w!PHQdq%Rh{qpkIt@wUHjmAZuaGWKXZM z@$G3ZaTej`aiGHXz$wP6k=6HJ#&=z>T^^ltU+C-}&z2iE^K?5dWMUXfOE`KY@xbxX z?XJ%|U)VgqW-O*bPm5ZDsVOOGkd^m+V;7Ph`cj9+%_Brn$DxcgqMJH3d_Qw7cK0Be zR7MXp?4XZPgmP{vcrujG96j=K;(7H!k+0o@sSkPrXu;MNAtKXtjfci0?j>uji%7D+ 
z)xVOPN4XaS)%P_oRPNQ+?31nBFp&RLCWtS^ZaHQD?THk6N;pGFiK9nePU%`(~?Ld3M=$Yl0d#kC2wlhiu?yo=zp@8w}pIA5d5n&^c=I zvY^snmoiGP{~<#O#nB_4hrV{&@3b-_`L%7k?xv^iJ+V{oq$C&tZ}K{IcSgvfA#HNp zJRWZJ>`b0qtRG41EAX-XO^Od+l;fp1L7J$sj!!(1@|2;Z$k8J&=Ky>xchrx*F(6#N zaxA;cPWy2#^3n46C!+7iJkxXPrmCK!Y_mPPgf9icrdx_SWa+l$B&Wi z*6kt6&o#;)E{)iUv=(&0rqv}^Rru?31DQCPx~~WAleIy%RX?FH^x)RwD``cdf;kOK zOj4!pZ7*b?p(B7WUSTh-5Opu(PWB4iw_*lbj-yGQ&iLHiGxR}xA))Zbf@u|$ zmE3`gD#q(KgA=YK-qMU&Q!&7GcW4z6eBu2&mH3ZVert}TVzOnbRYf(kU7{p!SNOo;O2*g_!i zddygn6?z#r=&{^@(lHqsR-|!Kd^U6&Zrgj14+?Ey7Vi&Rtdgm4GB6aaBAuXarkJa5vyxl7aTZ^ z9MrlJ%b zm|tW5tWFdTJV2RhlR%h5Ws2F4oeaRBlAPKdXzZA;??{5hmJpXUzJttZ2+9~K&|wbj znQ@<}drHt(Hvhb~n?=)dwP zB**wl^pxkjcBay58s0bO%9$|P-2SlpGR+-0Sm!jib(6V5uigtW;9mYp7!y0xt+ny$eiFwoRFJ za@S+%0f$mGKi|SwSZ8NIH@P;m7g0Y4dv<7gczzpN^vnJYw+Y^1fR}QY7CRqzZyE|D zyelGM3JCh{C39jgNIHE-Ls*q@140N|8*F#rJqjMAv*O9W^F2M;iZbZT3^~5`oOK5= zgL#m9&}X)f-HOa%iZWbIT4!R!QX3O$S)J?eg@E9d=LR>3Iy6K3zU9&;eU>a`cR0oM z#&h=iWE7I1xo0P+5~f|^H#Pj4hE zhwH~9M5fKSk$unhmIDWU#XuDP%S4%-qNsDpW`rfA<0_%d)8q6DBQHxc)jfeX1Ww-X zwVaa*mqVlUr!`OStKa!^M?YH)2QFi;#Z^@=D*OJgS+R!;Ftlhdv6{pvqy%YdZW zg{UCen->gC7A(7%-2{9Zt3i!28)^?-4ks!2hC}TfpSXWxUjd?E+J_%NsSY?O zjXa$r!?)wD053-!`cuJeDBLtSzK|vSW=$FV8=(=dSxZ5V@Y3V-Xh z&q&f$XKAlA1lr9tb4&;P$U8;Dv2ZBubp9pV>@*2#j_g4?nnxU zZ9BXL%77fe>jC;6)8Pwup%^naeIZBQryZq|DYb{gitVVYsH@HD9>cAdN&srdcR0Ie z-Brpp2q8he&M)F}m=bo)8?N*`SHXlW2)-PK1!)ZKr40|6S!cM5Ti-jHB<=Oij?SM? 
z%2D|B_^z`B4>+YmIlsX5-KQ#umy@S>O2e*ruY}wb>)6eMD^;FvePndab$F&FaGA%D z0Im?d_j@7#6ITinJQ4U9*um0bry$2Mw}RS=L=ic6ejo1z@(Q~sV{m+2mCqbLJfe$o z7HYx^d!OPNL*@a3sPuVutq3TG33$ziI9w{6e_Bd`NoW?Lg4*%0`~R~^S2mh!I)VZM zx}9pzXKG{hsL_}y4v8=hsN5?4FoFd^1_>&LNQU63oc*vMBz_b z)wiD_JbvZ8S+u7`>s6vM^4#XJo3K;^ zC($#MzXR}T9GW3+Y>To*sihO3A*r|J=Z>FyJQPh%Uj_cRX0D5xh>cX?eYgy`BHKn4 z54d%=S+e_*uSV!BzNU8srd+1{;M;@Sho;gw%#eieiBxNl5P+o%x*dWy>WeqJ^mloi<`mcc~GC9uM`$S z3z#v4h#f?6+t41DXk|?~-W#y*Zsb+fgx)^8N)w9L8Syi4QlOgcg|s;48=KCVts=o} zzJEbf1VDfnU5C^WD2Iz-HBK-rxPVUgXs2>@k`j|0wZo$-?HvT8Z=~M z3bmq?agqS>a}M~ZDQic8*5l)1-($zHkc|be?Jzfi_dM>4N9Zn^G1oc%X(5{{yAGhI zIH?%v9lfnVrg7mKa=#S^i(77ptE@Z!u2E9Z`_Ktu^6Z5>haf;6xlM1UIkID2*uS;4 zG?sp~)mkA!P~>OoC$IN@$ZZhgR6;No+vdVOXe#!d&ZpbjmPD9L%1VOrh?h}KHgBTBC8tm5@!aAI$+Lc;9=99S7G3d|E zp79_#k5PsRtjvBMYr?)*n%X1UF`Q9W*@dJk>L3Davt4;X(s=%BaYa3a2`!GbDq&mq zal_7tu%j&BT3g>p+W?q%KpZs0gcZ;6?|7=8#ID%=wr>yKUOA3(i2y31mM4qzLZDf| zxVrt*AeWVW`L%R@r2i!Sn{CWXx_X+a*QWT-Y|zdrB-w=cfYQ~cy4%YLeua^zf};a4 z*63^r*kyNgh_+ime TbYKJshg&M|@u8^*0s;sCT(as- literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..7f677ebc3519f47fb1af0393737e3c7751d568a2 GIT binary patch literal 36864 zcmeI53qVY1|HtRdt)|;4#UyP_7rN+j=GH}Sm9C--QIt$IrhBPLSY6CY$d;r+2t`qn zOC(uhL#|sZmnB-ajoM0XCGnnfW>Tzu?fz^3yYKrxhjZq4p3C=n&gY!-Yo6bEW@d)F zOR$j7SP&T<&J!}&1VsV_5hgPj1Oh=0U1{jrw@^@n+_!_iLIdpIGvx>-Rvq$i7lA6% zOptvJ*T|O1hR7PCJ756>00BS%5C8-K0YCr{00jO*0+Xp!I$aa;4vq-qFAfOh1qVjN z#JI)!hXn^n*?QPn&$MGWO`l@t#lZ6zuG1MG@)`O(Cc-k9NWm36afL9RKR@h43F=1* zc;2T9Y=bFeDt(kD~m07ql3s+|0$}C)&jn`%4b=i1bHeQ#F z*EPd)&G1|^Jl71*H52FJ%4WE-IbIT{#KbYN@Z)76SX~x=yez!WY&@Nfr?c^N4xYln zQ#g_otQ8J|wZg&4aBwmlT%UvMbMW)P#p`nMx?H?27pID9A_$9#H7+r+-dkX)2wpgV z&t-GiT&#e^#0p4EtaXWrbwOfcM=LS0Lzb8rQHhCR6`MF8iP>KbCnZVkuVyx&8g@#= z1VVBXgUv;O{~W?z3%v#%^_4k+8#Fq+!eU)1bt7&ZGEM$Nv4Q4_n=us)zBcD+eV z?4pyHf&C`G-(2v)#4j3gS^xg-_+#A(LIuXGil-%%mfP{00;mAfB+x>2mk_r03ZMe00MvjAOHyb z_Yjb#$e;&9gUbkT7u*g%h8y8)@J0AEd<;zj3m^ap00MvjAOHve0)PM@00;mAfB+x> z2>eY1q)B8*cX;Jm8g8h#luApCeNwog3{R&@jA<0yP`c$!mKa_n+)zC1K$IepX}XGs z?eX!yd<8+i0v@f2>fFSsFFBP zhI-kF(4JGr)3#Px+4>ZWO`fCpSUf!e%bgj?d{DdO()8f7znJSwgHw) zEpc(RwKg2yYDYZtRJy2l;o5*03O;=R%RQdi8`=583_q?9T_x%~BfqdYo*RRQLe%_UT~;liEF-HZC}=riuT*LGkh&+{M zxYBXuYk3Hgr4R=HaUev4E|31|2$N;bWTU?q!kI&t=a?ZJCP%V61TBal?Sb8fC$ zjd7xecCZ3VURQ5SFLwO#n5bc6g520c(6|~+=TPWiVsnbFjV*iPPG3`-xnnE6-d0`+ z+Nyjeq*Zx+5c|XVI6G;#O%2z}b5IJ=6&R5E03POUQ_XC-sry6Aj5vC$m#OyZ1#L??a zUOXjFy?5m3J>6S^3l9V-f~v70%}>I!l4?6vH}0&@HHshRHkn!aT5Uv(aVw>F7yVV) zeCP0Vc8pqj!o}yF&GXMKS8EudTjp7ja`!>{tnw+v1un%aEUdM6RYm1HU##hBk1c$a zI&RB~Tv@g2%~31;>dM|OGW-4&J2g|IHR#0nB2%)=(ca428eiY9m8nq;yQz9!WUOp* zaMqIKw@HUy#~SC&mbQDdX}`D2&6P)t-p`Y_+<8oMLC2>}jOHyr)#)zr5y^U~ zC++t))Oy`@%7{LuI&a4`hxAz`6)T#S>)q|9ExxBeV=+=dh;52fY@0_(A~j++*Wj0APpLa7V=z@tWaEu7L==Z@~nPEEvBA}Dv 
zh5#G{L8zR^z?D!FBwBd8aQ)3+6>gcfXs(ZYv}0bY{VCmyq?*#Grm2Z*bykv(tgRrX8$7QsI@clibRc>F z|K7dccV09yLNMXGb^8o|4KwiLx9qE>ohyw{MmmDHPwj-s3n_^&np92L>&M8e-+ebK z%?myhQa{g<4|w5!?IYxfwuaV$8MbbZFz4Nej5j?vpzzu!tW zCBN%&dSSqy%~^Ve+i5v+_jgkjcM;FDE;Y_K+B@H&fFiq0@7~$?;`#^BTv3l+C87~>-H&aEekrm^N4Kg z51w`#r=4%s7fzXFUinx?=ZR09)E@o!w~}o0Z%sO1cTCk!CiL+M-AS7S^CxjK4mifM zrOCNB%&M+GtuFaR$yJ@V>0-g+j2CSl?QgQ@(sz8Dx-c_iRMS?@lU1X6&wg2X*lx`8 z+iUjtF@DxQv8_pKc6-pn+a{LZ{$z6{&zyfc>ukFE{HEI{77V|V{N_mx*VL|i?}@pj zRk63-wZHOvkj&p)+#-@0l@jVIs-QNORc5ZJO&B?%hVFYWMYP}CDLCta+`X&|3)E~* zkKTG(@nTi)e9L2m*|8M;EAE)v82nXFMDL^_xUfI>_7)P6i37Z;%0NGYb^c4sAiXL2 zU0VI#bO;WS2$6p4PkT&HpO4$0nQeIa;kf%hsU;QEUDy!TYFXtxJNt3L1=G;=0uQ-W z9O!H8kBTEuFI{Cty0ops_%b_@M%9H__eVN>i&%~nuGkXrXxy^cM0$SU&#BjL^VA;BseQ5#m}tv;w8<-hNeqK#x-$o1)hd!KNON)1?qLfbAGNp$Lt>0 zQF|iSuxr-CoH(_^bD})lhQDN$$etYWw$!n^@cHiCG0r{G`jl*iZB6YS!_zwF>1;Pi z4cnoR=wFd(V$kl+6d}3?LRQDOmBi@;sT7QfNImeb$tvD7!$hHr3n&+kA4W@i(tCpUW&W z$f@t_*mW*Q)oJA1dB4_PPcmtm%zKbodTdmxMV6Lzw)$GPxVRpUgSR@31}Qxm{xaU* z+UVh1q2c{UJD+%MxT;dua(LXdg_QjBrA6B^LKNy+Bl40JUsmS4%xZbJe`3vxP<^ke zR3bd-EmyPHThrR*;FIxlHm?Y)@7g0siJ8_h zzJ-OVdCdjGMqE4DMZINmBh`2V`+`y{XUY9V)`XJzmE6^VuW!85TYsubVC1uHl5CX7 zbs;OPOhxsa_jr#uZLUXjl$U92t4dkZWzHfirIYK@%7*ux>?mqmwYGNL>0(BSS5pM$ zoQA?NqF&?6Q~f_T{D-jdKUwM#L7`bDkG2^#zyb&W0)PM@00;mA{~ZLrVbS`BNCOW^ zWf+H`fc`^6Lufc^*a|tqr^6>aZ(x-_ZDZe7j8-Dz0Vk|B8h85aTM;ypgyo_C|JUDN zqrqPS8YPtOKWQJw$NtDU805GX{buR@aqXbPpyAtYxyvcjtzf2<;S&V!8 zAU$D%Hmj`Yt4kqY1!fkk^ye>)Uu7@#w?+w7T=t=`(F^mV8M&WC35lN!Z3Z7N`D6^s z{rC|Kch3KH%rNj1%wHVk9{)w7^O$@>(te$W{7N|Z?1k_HH-8qSTJiHV;4FUjn$EHQ zKG7|TS_$R8>C$%|2N+uzHW+$`2~F2ub9hSI&~~GlQm1GCsJcxrF#MY}+GU56Z-+;| z3xzFyP;2-xS7vyL9&Ow6@;M_8zLN^ux$9;51Q(Z=rSA*t^9Qe{$|2_hMpB zt723{^`cy%R@e0jl=m)MGA>5P3aWGXb2l}%CRDpD6Ur!QSY@I^Fe)iT=|2 z&yMa4>BxWP?cAkdRO=Q{E`O?=bX4wyjSc3I27lF~UScRN?9V+wheX4v1HI|MXS@Fo z-W2^-{-N}ypM4JeTL(K;e?jowZ;nQ8wQux@JDPEl)e<~XpjWgzq>Y(zc3+bHY%bmQ EUr6s&82|tP literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db new file mode 100644 index 0000000000000000000000000000000000000000..66d43f59a56e3ac78870738b91363408252785e9 GIT binary patch literal 45056 zcmeI5c|25Y|Ho&{G}f8PzB4l-OPCq6&}K^uvU5wsjD0VI?2Lq{R8%6Ql1P$DqND}4 zJ+j@ELQ$!-sVM0;Gq~N|-OtRtUccv$-}C&=F>~g7uFrLS&*yqyJ#Q!Q30%@&!2S-kU_yksi z1SgPp1WN=df{FqU1y&1`{;NhnIY0m)01yBO00aO600Dr&|4jk`yu6a~@?g3~D1{o} z8R!{GSw{(_EWGj=+n5;InV{?pjm%9@3#BMkUk{X(&8E$UHd|0;CRE8`xfi^eHXlsVSRM@W4f61epzR1?h^~~d&|ucK z>q354+(N`}1cOORqQP5P72N$Pz8*m|npKEzI3?7Rci!A4i*+WBD3-{yuvh`5O2J|A zY6eSKIeug12%u0s0~V{me#*fTf61YvwjK(TltqJG=WK^j{XE@67jrE6DF2eXE3F~MTQGoNa1*cQvV z88|~DOB=ftC<>PGWQ-dH&v@!EV^#sP1jj7WWp3&+H+5N?%qqGB=8DK%k(etobEV5% z=`mLn=8DQ#>9JB_=hm!@SY{3!c5Xk+EI2GP4Gzo9gTpct;jqk1I4m<24$I7i!!ncM zuJtq!ZL4y&yWt1XG8 zl2|HdtGKJmQ~r^ zlc+<`Au=n>hs+A|A#?BZA=AQq$n5QW$n5fb$Rs)+GO^BuEI#w$Vlx)0`O?K^q`x#{ z4#`{v@}dXwf(O!~Uq-m#mk}=1WrTmJyRc(M>4INIxUgeJxUgeJxUgeJ$b73YJupJ% z`)xjCzUk&ekHye)G4%Q~WW8zT>QWc&P?>f-h!m^`6^m8V;eknRK>w?Waq&0U6}K2e z7@sJ7%uf|K;|Yejffx^90SEvD00IC3fWW_vKqlk(fCnmuKy3VbN--+}0>t=1AV465 zh)9wUNF-S%NowI|p*llnR{LKpNkYrSYtk7BAYd?!7NAY@3<>uP(WLnXc?WoEQUXFX zgBS-bTJ9mC%$;CSI0dX63}O!z6cV=zriFTkc-mT9!|6RCPvWy<+7u5NM!n41e*6y9zrhjaerfu%Nt;Wo)4|n}RtF!=n2J`N z?D$sPq^+tW`CDjursb*_|4e70t5pM9QW=4MzK4BMTuIHXZHj}vLv1TG8+Oik+pF)t zR}A^=v3wfoG~C>Tn_l^@`9`k#l*6;5J7q3AZMU%!|Aa3SyeTnLzHz$v4a8#Kp`TYTAit-_SPDgh+THkZ%^z**-j-NvC}F+=@(~*R>f)` zbmnVCA6?h;#5*7Zk#y8Pw5B~{Bz_vhtbsSrT&UN!0}-l6AB zQ^<}OKX+}XiSh?~*)CrBl*h(vidQ)LV7~9^=sx}YS^~VhQo!LjHsD?4i;t%zN6mUP zF&l?kv1rZNkBuwqQl2F$#fq5hD{Ucf4BPcP?;F>f)rz1C25l4GshbO$eNw;duwHu^ zq5Ij|G+H1mz5A&~|fLJN|+i!IM1?{W+ajG}sQZ?KvxMtM|??xZA3aztY zyJ@^-hNEZoCdajkm1Ht1L(cFNB)zhqdWqh4<+tuF;Rz+DAHGv`@&T`832L{Dk zNZtG1kA|PM5BQ$F?ffyM@PW`q;YgE)@=YnKz7DwrHLaTKmRb*MS`veaBpbe@FIPS; z8ybkta1>D7JiaAa*cpAbQx~H+p1fPIH)fi$u`xOC(4PGLW19(SRm-pENVI0U@A2MK 
zy~(MWDE0ulS!DXF;wj~exE~YGy%L}8GW9mn78^YJdjcss^yc;s2W}|rY90^7Z%mZb zc1G(?KFQmnQ9DV2Sg7!-q#t{fIpuSkBZc#SgeznWA2?FD(op|ogY>j*?7iHivQ7qtO99^@X_;2ba(Kg=w1qe5 z49Jdzt(7k5FRdZWJheUdT*ect`!+v(O($X(F)akYDx+^$@D<;&>`py>DEj<1M|ood zQ4}<{>(HYFthFFrpO6(=VdUrLU*wv5=kl#{eMi0t6Bn{S!Vw`ANX zg8W)JJS)xN(b-*U-ya#q#}AS{-qlz36iIPIfz)*W)w%akhj(v1aMCpSPPl|pfkqkM zSLX@*j@;k6;$%5eP-s(k>Lof2m!WzMK5k=Bm>98Z6lwH(VUaVWJg$D?nPsux7XEhw z-k#>x>vdMcEfZb_U2$FHqU+jHo)!N988#F!vW`5(u31?nfYUcL&6 zeDOA^P)xYQF?q;z^38$Ijt(l=?!L+!cz3v=;WB-?5;N+SxOCnAtu`U* zTV)J*hBm}X<>eJFKlmMA@TqW(GdC0>_CI;%IBH_NB<$7Krt-jGpWlz%%DIgl~vg`-u_f#uKxQK;UoFviu`Yt*;^V-57jrj zEs--beK<@EDb#-h@-65&up!zgbZ6!s@HVUy%Is!rN?((+PKN0za8pFF+HL)$Du+^M zzmgZ-?(3i5m3VYDLcBz6pU+tTtmW}IEY@C~|Ug=?RGcyilX zwUTG~y5eM?DrqI-ZLrJC>(}7_?;q9zObCqY^Na_u00aO600DpiKmZ^B5C8}O1ONg6 z0e}EN03h&RMt~OrAp%Q^^j2Ot0t00;mC00IC3fB--MAOH{m2mk~C z0ssLP0SE-dKX?590EB!1KmiB<1ONg60e}EN03ZMm00;mC00IC3fB-0~KoUaW|EGUkyoAv)F!CF- zdxCQ>|LHvi`~w640ssMk06+jB01yBO00aO600DpiKmZ`{GXVi9=Jo&Of>aQ461fs7 zi>yLMAbXKVky{WHgb`v8QGl31)FBe!sc>He6yAtXf{((Bg)RskfNKc7ft$jGggON2 zf>gme!4pCxAt}MHf{%nkgzSFa3$O(c00;mC00IC3fB--MAOH~f|3g3lVhE=Bdb_%N zhJ?D}2{4S3DWFjB1MXwOu|b3 zUDm;R5f(cp!B*B4XD3sMV(erhRg|4fC5W(-i4SNsD}d!s=NscQt%A^&j0%D>!O7>a5?<6q!N7Z-KC zxyL-`Mvscvc8Jr7!g%Kht$nVkyqD7G7)iD!NmwpSB3|xWeLKNrh_Bctt{$n_l(oZI z#D3Q7g4Yd_Qhc7U4kwd-Ee?n3^6O-W5xL4Py*{-oUmbf|@|#kSm-4P4z9NNgI!59b zlRwWiT$p?exsVZbD%Om8&eWc7^M1SW$vZ2r=265xbhUNjgLv0+GMV+HOC<8X|4#Au z_u(>4D$o$|?wz$ut@>+sW$T0PW^ATo#MztF<-(-V&{jx<+il;#H~IJE^HA5_#mtZ= zAExECy0qXTKO8jVWb%{svp|34nD*f#^5iZN!h=&n3YnPTcd7j`7hE5_S2{$;h_N+E zC30cXc1CN3)XBUwYl)6CawM8=Wck~Cc+a~7&V&5-(~Nii(+zchdQVoJY82VjY4$r` zXG7$z17&+_FovbhYMYkduRp9j^t6yp$B42uNu+XN(rjHbx!%-m>S#@obY)N5_@})7 zicNP8zeppj&c-xUo#jLlbw>M-H!gl>qI+Z!3-zKUkHpzUaot1E}f>Skh#=`g=|$A4oK2xwn{odp3D! 
z%^T}G{YOJ>15UX7KndP=8<*^-rPDFOY)ulmnSxT!Ud6OnL}IR!O*Lb|{1$zBu@?pQ z+PywGu+44_u2-FtNwPzDLDJOg@t#2A0*t?F>~o7a`WcW*Vz81$X=3?lWjbalTa#Q( zK?5(xn~h4;YOsnzj#BsAH|uv=$~0MtDjXd7E`GhD-iMRPZ%N^;*J2u|TL*4Vobhw^ zc(TGleC9}u36!{bQ-hbX^S9UIR zsTcJ8&aoHw?Kzn&gBL}2jmzpijI-NccIiW%_Mk!Rtsu`m3Z;?bG0EmWbPR&MNp7Z~ zPa)s4-!(>DREg-I4Q)GS88sHxRV{Mjo`ey;I^)qMOHL-=YkacjO`qC0QdVcT6Psmb z=R9<0vV@FJw@mDr+6AenW8iE}ay12IqDJKTVxF)2Ld~w(wl5(|BJ>in^7$nH@yDp@ zZtT+QoJCMKOW3D*VwLKfAZgQbO!4S{-(jP~PuOURSj?n?Q9q zs`>Uy>fWw0Qt2`}Mv$#ZuBM=@{x>tXEyYc&>pRr?-u!Xu;<|P#e_4^w01XE3_-THYzczZ$8>%F%IuBpK27y-5>xtf9mqf@de26y0& zYsJ?4>TRz}|6>#HaD$(D%;pe_LgT4&PA0w1>b-Ocy{;(Nwu$(xCM?eET+x+c=WC^y zX*IiwGs}bM7=E@UxtfCT2-or`@zK5`=A%_c2<@0(qp~xASQwCzH3w zD?SI;JiqoTb>L15N=jumZ+%2y;@RJ!ohsd8E4nS{7`|Uj{`~Eoizz5LU90)BOV0C@ zOa+YR3WeuB;Y2ZYOnjX1DPm5}AiSHC$+-CMzgv(R^;YaW8J{b6C|sju+1I$YsM60( zlJc z(saxcwkElnf?i`cTRhN*(wlr@&;RCBP!tzZt}!*Cc_pzRB=?8F#~Ds0mwky@ottpt zn&rz!hcYz#$nLuMZi^cD`i765DaFg9Z_+VPwkElnf_R3HrmDQ;wS^@_?s?v-u@aqr zWO7Gx1>IhVW1m!;5LdyqTcI~D9nWJ*$MCQ<$<-88qO4(bA)_#|RT{0GUtv8SPQ2StSv4Ej z=;~hdu`V>4lgSq%9npiQl$HIxmKwm6Q=~@*HuDq$#sOk62`oQ1GVdZagV37kDT@=FjAN%V)-0%*(@&fdwD{ z5C8}O1ONiu6QE<%e)**S`SKSR-@~&Gt+7|E*HjhV7j>oh^}EvMi1n&P;aYCwE~i(i z*F_=!@DcdaIkai%@W;n0VFfueR%@n$$1&FnvPz^)+09@ zFRqfQ|D2Oi%ERBP^EEpCtqUO=Tv<_nYsg|ad+eacD^4C2`L>XxJ3?li0yd+0&R@XWW&AG?dI{Qc1|9@CVpDgEYPB;EZWw7t>%u1Yj)Rm z_|X)kyGZ)2Qz+YbIvUN^BR8jXOZt^RXWA+iYnzWbChvGYutKW9tN%0K#K3Kmk41Xc zdQKi+tB!=~8X1U#YjX+*oppC-H`bt$*MdiR`oCC}wj8I?(I~bab+{O7w^-db=FQl2 zsb{og)Gq55?S^>cYQpx^j@MMtjkhNzIe84VwSDA1-2STZdVf;Uijlx0JKqlb22hNz z;m*wJzi5}FqZQeD>rpax>Z`L%}BLc%@vUbp3)s z`@;#mxwj@C#&!KxQrRCm3#-@XL=p;78OLoFlC2d~g$;Bg>_x8hOP>P@s z1cDIhMXD4rNGKkvl;1P+-+S(T_~x5gduBiGg~Y=WfB{108#+L^xp;;0D@!zLHj@KF1<%kzXO3# zx+pxP!hp5P@J;{C>|ygd!Ax4?8wKUQ5)Ow+S?HCjEpQf~9aakVnK)o7^l@WTuGK0| zIYXKL)i*8)rsl%j3HsmJI0TYwaIuZsPS0cMvZL!6O?3=a-z=laboc#!lV86Kv|tBt z+|I)Y*@dE2%%4`2jeRQpZO0<(7}C7wS>%L!aZ3GaRe$a>(-AE{r3p>rhlmTK+qC>i zthHw{<<;0pF@V|)57C{=WA!WBl+d_{^slmCd^zV*!Lhsgzq-YGoM+Fh!U6`5%9m@+ 
zfF-L8#2r|hr_c{o`Xn{EAEFNjHTvjgx3X?jou1SYJWJ&SSQ4b^UE+GR)aQ#4l6n^F z3gX>kWmhMZr|*fS{Y=^~ZLcyrE6=Ba`#bQq5wY|46pn!T{2)}WI}QmMZ@r$V(CK!y zn!9}c@bjmISP0ec=z&&8^J8%OamsmmS#9~?l7?YHkKXDyr`|7LFC74PHg8Xc#pS7C z5Xgzqmp&hH>ZslMh`Pk|sS8aT?`Hk!<@J#wH{G%#Fq3uMbo=tfGyAQ0tW#4_%12lR z8UOv;ByhFR{VAlcfuc!oR#l}0{!79v3hMh__{=NaiPPw*(}<+XHO(B_cy<+atA$?0 z`1SJD!jMFVSCfOLOXr@W6i?5%qPX-YzAih{ofZMnF}Z*r2TxJXnBTgiu+er7zrO4M z)dk|kbJx??DD4B1TrRY$L)*9qP=2k8bDtA24Y#})tq`KFGc43u|D_Qymc3u6h1v0S zp@Fmf;nNz?%LWN8E;@!&YizzsdVA>&#A$X!ei6bl?Iee~U5fH+-nW^csabdc>`!P@ z?}~=Qi$bJl%AW!Qn6#P*b3a_?Ah7mPMUbY;H_-z0BlZ;C=!}D@dm`D3r+2q9V)|hp z3z`>>;$B8o%HL~n?dpy8uZ6#G@940%Mt!PaKFRg|tPaJn47RH%#&Y(+mOQvSwK4^k^e<>^vvv*xx^&V-MXN|Ezf3x;UK#t! z>?mu-8voUi(Wya+>@zj3uxZMC--tSsfB46BK1_l(>ci&Ht_&4zd&Yx=c;1kt9?R`qxMDzESrZ-0~$@>o$M-kgIEOsjCPkVl7({PQ^R}z4EPLguww$G-?1Usb2v?h;gWK9k{e853Q(2M*G zz=&kHs2DomQtn|ZMut6E4{~T`?@DN4OB(TCX=h(GyEHr;z{^8=rM&9^wndC@JX{}M zPgaOpSi8Hdo21^`k214Nw0r}$i`MJ@@MRLVx^rL_f~a{QpZVBl*LTHWe8G{3mU_p!(+~vgPYg2Gg6K1Zu#4@v z%&*bGi*(0FJ`UqvvnP%|XCQre)_c153>cG5<6O%StnYaIg@GU|#^@E8VI>sBJp=ba zfe7Pwa{clTBuJtvYj_z+BkchmT;;vL*GK1;){cnNN)>RaIrHmJJ46m1PrQ1eGW8*i zW1+{97@FEW@y)16p2?6-+rNN6A~bj|uYCF99!iU%8fyP}a2{zYQ?sa&9eTSj#3I}Q z#b_BiFO{hOAxLj&m?dQ#rI5_u1`RZ6eH` zD}nG}`9E0t&s~Ht|BvRF06-!hL_^|1)cV?ZY=fvpvkNrS+P%p%j#J9*x|BXH9i9puec}6&x52{8O9))Y z{VF96d+jw8wiE_&;T72Y#;@lG?YA!z@9wj?Hf>9umG+zI#$_N#-g#~tPzh3S86-Yux$HsdXSz)cq zM#qvvzlC}W-;r{*jL%QK`$h9m!wrj-L=BB<1hXVa77rRu@Szu>jF}gQs06aCsq-PL zy0e6l%gc%QnjV@>%6)0dhY#z{l{;PdmMVQt?2|kI{oS|1KfWA*0nf$lorzOOQ#>#8D-5p%g$PL}9cbQj!%<1dPIUOU zdi@-36ac-%Zw)VgzK~}uGL#uGlyi?#@8gs~H>cMQ^Q!Lbsyp zNh42YG>CSN&FyhtUxAzwHzS7aS(zgpCJU@UFQMetq8oFnD#aom z5|h>%*Q@D;1;th9j{1GwH~;L2VTR zjTU?Io>4pHv)6P}g03Tl-d(10KNG<+mnv8r%-zn=d#I>D^e^QlObI4hJ*SKA$!1p) zBnSR+36o+(Ho8RUFt&Io&BNBK%}y}#_&6W?HPa3N>3)=+4Q#U3H|L@%vYG|9yUa1( zyBhaWedCJ$gN?A4diQPO|DJ(-u-uttM!1*~82H)y-9@UuXU0kp%6FG(Mae8B0lrkV zVG{c_z2C|=9m}{a->;LI?ivxcTDRmTG85VjV983q|oTd~S!$H5$`4T0yRg#6-T_DwY5ELI-Xk`6rt@fXl{126v`g8yQ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server.crl b/src/test/ssl/ssl/nss/server.crl new file mode 100644 index 0000000000000000000000000000000000000000..769196dda6dfffeb4141ec007d6e276d3afb5e84 GIT binary patch literal 418 zcmXqLVw`8t*lxhf#;Mij(e|B}k&&B~!NAGT!N87J?sVYt_DoZU=NKP#(DHi87v@kR@GB-3fF)%fa z66ZBBGcYkUfpQH*41|~%+0YcBIfJ>0k&z)cx-<6WM&pI2r!*dm3egYCR+DZEcFbs= zJLCSW&CW;U#5aBOwXHll$=p%k!bPiXhut}MT~u<8-g_X&?EdN?ab}a1JABr;+ig`= z<67*aH7|L#+SOR4x3|MWJEoZ4vY)6nxx9MOgT+t(bDezlrzuZUzqqQ}z2kL-Q>O0U zHbEu9KQFgj zG1J5K+BS|et`!}!yF)I0+pZ_l{^ZHDOBr?gx7Y$1Zp_zSS614#>}BGLu8NhBoGu3M o9tXbUKYKSkd*T+M_r-Y*A{D@~ literal 0 HcmV?d00001 
diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..93d58e2651fdf3614ff265dba5629dbb27e6887a GIT binary patch literal 28672 zcmeI43vd%f7{~8&NlIJV6sbli*pn(W43xd(lC+~hAEdNWD18CtVMx=1hL*-ADL4oM z8KJ09El)u~5EKxp2qL1uAPmUEslp5(R-{^a7A+tu;uPH7T+)`&Q3jkr{BGtp|9$=U z+uz=0x=DIDSs4zG#E)^h#@jr+fr(&PmPzD!hG95-2I13xsIXA_Gx(Klq5n#9Ox$A^ z!!%bJb;wyJ^e4@p&<&yELc8M(96$gF00AHX1b_e#00KbZUnG#IR%^AjHh*c<{&;$&&S#Xq}TOPQHMP0P+}{PN&+p^ ztsH3G%?<`#Kc!k570r&K{oUmS<0QK$;Gk;dAlKgPAs|7Q#HqC%{PS?Q-Q|)iV4`eg z;;X#bBVN!|WU@ip=xDZbyvJ5hA_ck!ghKYoO-jzNwB+C@oBnc$3k)!}83DgStQtF6^hk$(J5ElUv8vzj?0TCks5hno=D*+KN0TD9+*-0vg z=ZlXz>wTI!>#4JzI_s&ko;vHPvz|KZsk4FhHPF5W+Sfq)8fae=tu@hF6RkDTT9dDq zI-97onYN^q1d2&d=c`Agub$3VPh&RFasw?l&~lNMh_pnMOUNi9BBO|uj7Z6d)L*3j zB3%a~?Q5icjkK?kQpKJK=>;;lEJ^h7q!iJ{cFAZE4Mx&HmZX6!$>_2qA;^-(zb%$6+WH5^rT%!a z^bd@se_$;A17k@pH4+1sT(y38&C#Lxlwh=>&yZ zYl&tV-&;#r3Et6LZRH*(&07QawN(g6vbS$T-fqM2sR-G~gl@qJ96$gF00AHX1b_e# z00KbZt|Q=8C?+W*!^7_*kxh@FFSih6_${>cHI2jvQQ=|_Cg#*|O-)Wp4$HjB3`dDV zAN07I%Tsb~jk%KB!@HbL51*1mzE0x@JKdhKE-5D~gU`vy;9U~VxZMtCDeoao-R1bN zbOp<@*e<)}$?PfemesDF`{fVe$9pwI&z*Q`#gi9OcRo@zZBO-6bpxi(j+v?aU{)$S znLy~u%#LFsTT_@GDgON&ZyiHRPmF;W;I9hZl52wGvf6ENc9#cvxiI8qe_qZhSOuON z3R4GnpP4rE*D#h1RWY~E3q7O_!y95jZx#%AD=QAyhKVL53Zk4v$wDIP<699kU6Fsd z7<3lAU2=KccmiEo2F|J&&dX{TTpptE;wgXk#Dor|V|(v-d42aEN_1AKVg3H#PpeDY zql-nx^A^vHGS$>8bq~fF=5`J1^v(6C%3+#K;|?b#ubbF^ONl19=C#Z7V`Hj2KfC0} zn%{cWRBRsBG2hrwn3Z5U-1PYDV^zhQPgvg1Y6#lA=}7AJCFd?aV_IT6-|q5{F~^+) zdvl+k%2<3U?c$bS8V_9GeZF#Yev!iRJ9A-8k7UW%lTC6C%Rkg)UewcJ`7CPffT8wj zm7gy>x__)`#;ixSp-MPI| zg*cYI(UKWnY|M;h@<-}S^PAGlDQU%DH|3_R9 z2)*z{p5>K+`_9IC`VBFEbUGyF+{i;gYh!O5pO&)nc;9`8wmxVLDL%dZk-m$^j_xZ~ zy_Yt{&_?;{G1IoA=RbMpOuNiZw#5fmJzaI>$Lz*y3rA>I%z3eFUR6}xQt{lZM{SqR z%zWR{^{3hw)>`>*yKG-p_wdlhqVH?t66SoBT=TkF+O=TsOPxm7)oveif6a_*=N1`z zS$=za`v`7Ud2Lpg&er-F(vo!z-jJw@;!N*{>JuA2n)lrPXFEKwM?30dh4)=^x?@3o 
z+mj0pjOm!X>(QmVA`WhA8lA9}8CtH2t;r(y%7b)EdX7xf@fLoq>_ra2uF1RR!ihu!1u6Nl*m$&SKN@Xll zSd_1PFrz(ndf5~`%qG&()G19(Whh?|2KgLPXUtcY-E(%gt79(A^iMLso!PU$`}>{q zJ>T;=cQ4#!hRvCh>2y1o;>zlB-p%MFkrIlMjAa;!L=r4K!-S{*Ark_r|3G-9ZisIe z21_0qbuNOwERiclOO(IS+m!DqdF3$05yfc5`r8eHJP-f^KmZ5;0U!VbfWZHgKv`(0 zTBD&nBiy{L%u()e^W%6o?|+r2W?Rg;7ADu6l4)W5Stj0TXR@->Cz`Vhn8z#y%+yKg zQ>I#&$&;AW$&=DD(^GSqY)e+AIn|#%Fj6j4r)nsPv%>C}=bBR{6s>%X zyOJDR{rXncABCmJWNLLRHJx-QD&?K_3YROZ+F8rH9icvR>66A;@)=UZ7Q_xrJkKI7 zVQdJ|$RiqMyvkN<>$B(eN0d2lOq4mI%n@adD04)a zBg!06=7_S6jMb5`Ix<#A#_GseBdHom)kvyFQZ;(3MA=A`lSofOi6xjgvR)41u^d@1 zM?C9DUPtmelGl@ro@DgC44y@g@GN>lMo-A-iN2ob>&ZSC$XEjzYan9{gsPy45Xa)l zeIa&l!dXN*7dZ?%z0QC;_(I&l7vkA{A-3QP@oIe`Ua~L5M13K~>J14WUnmYEqT; z=bJCYC!H^}i=jgdi~kA9N#pHn6Ybcr9lL=?b{j$ox*(Z)eC+KmjN&`k%8D_*x0mCe zDiOGe#0@-v01yBIKmZ5;0U!VbfB+Bx0zd!=0D*x@K!Fzq_x}TRdtqHb00;m9AOHk_ z01yBIKmZ5;0U!Vb2m!eNhZ6w^00AHX1b_e#00KY&2mk>f00e-*z$XCr{{w%IVTC{d z2mk>f00e*l5C8%|00;m9AOHm5{vXZ(AOHk_01yBIKmZ5;0U!VbfB+Bx0t24_-2V^! zJ%$wm0U!VbfB+Bx0zd!=00AHX1b_e#!2kbWu4tFg`KnJ7~qz7YoP4AA2NgGkxa3iMraJs(Y6^UpX-RwV~blLsmDBTp2`B zK@@`&GPzeJDD1{q%6zvb@wMLz*Cp4Ne{-s3+u;#U{Iu9cpFD1H=C^9(=(B^KxX{2R zP5m(0@>j1$yW;)GjoZg-FJ5P}*6siE`S}-|%AZ#ER4md=OY6(z&b+ffr(b@5Lwn}* zYrCo{Hbnf|wPj1igU6=K6vEejvV7kiRwsC z^Q9E+?u>Vzd!y&o_hrzI%E}+-cV2F6Ymt>o&P@9}wQh9x_ZWcZz#7E^<^?Vy0=T?u`3MM z(hlSr-#E2tE_>ziyR>HQ@D~aXW}mp*6DJL5(x&f+$#$-`pv$!TlQ*B4+KuEBTN4+W z_B!KAw9^l6YCF2Ddw*Xh8@BG8T0D4G%HGbd(@Po_tjHblQciE_noV`x%25k8&VI)e z7aY)}@E+>>jk9a*p)n&$-&|I^@17Lf@~A)Bhkj7mG-}aDf6kqzIlp$?qkWmoDM_qp zzSiSe{lN9wuJ{s^)MJgR8``=wFXz%n7oPrMttT!hph+X@hsguIdn#Jfzi98BalU!k z)sgQ;EAlSSJe2fh=jm;#XnOzaeVJT$Qq^)gR6g%qxBkKPkE*{OQZ=Wk^{;Pd7er^I zZde~y?-@>oX!H$tSMe^_+{$YE6sjb@>dLc{dfBS^9X-jZUu_+0M;;F<7q2=IXyz>! zp~xp2IyNakRCOdi_4=wEO^f@E-{b4K`D^{{&GUuxttqRJIvpfyxG3 aNT9M!FAY>S@WFw~MiitB)`a;#m-rj=KB=Yv literal 0 HcmV?d00001 diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt new file mode 100644 index 0000000000..b81ced09e6 
--- /dev/null +++ b/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:ssl/nss/server_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index fd2727b568..00530d98af 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -4,15 +4,22 @@ use PostgresNode; use TestLib; use Test::More; -use File::Copy; - use FindBin; use lib $FindBin::RealBin; -use SSLServer; +use SSL::Server; + +my $openssl; +my $nss; if ($ENV{with_openssl} eq 'yes') { + $openssl = 1; + plan tests => 93; +} +elsif ($ENV{with_nss} eq 'yes') +{ + $nss = 1; plan tests => 93; } else 
@@ -32,32 +39,6 @@ my $SERVERHOSTCIDR = '127.0.0.1/32'; # Allocation of base connection string shared among multiple tests. my $common_connstr; -# The client's private key must not be world-readable, so take a copy -# of the key stored in the code tree and update its permissions. -# -# This changes ssl/client.key to ssl/client_tmp.key etc for the rest -# of the tests. -my @keys = ( - "client", "client-revoked", - "client-der", "client-encrypted-pem", - "client-encrypted-der"); -foreach my $key (@keys) -{ - copy("ssl/${key}.key", "ssl/${key}_tmp.key") - or die - "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!"; - chmod 0600, "ssl/${key}_tmp.key" - or die "failed to change permissions on ssl/${key}_tmp.key: $!"; -} - -# Also make a copy of that explicitly world-readable. We can't -# necessarily rely on the file in the source tree having those -# permissions. Add it to @keys to include it in the final clean -# up phase. -copy("ssl/client.key", "ssl/client_wrongperms_tmp.key"); -chmod 0644, "ssl/client_wrongperms_tmp.key"; -push @keys, 'client_wrongperms'; - #### Set up the server. note "setting up data directory"; 
@@ -72,32 +53,28 @@ $node->start; # Run this before we lock down access below. my $result = $node->safe_psql('postgres', "SHOW ssl_library"); -is($result, 'OpenSSL', 'ssl_library parameter'); +is($result, SSL::Server::ssl_library(), 'ssl_library parameter'); configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, 'trust'); note "testing password-protected keys"; -open my $sslconf, '>', $node->data_dir . "/sslconfig.conf"; -print $sslconf "ssl=on\n"; -print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; -print $sslconf "ssl_key_file='server-password.key'\n"; -print $sslconf "ssl_passphrase_command='echo wrongpassword'\n"; -close $sslconf; - -command_fails( - [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], - 'restart fails with password-protected key file with wrong password'); -$node->_update_pid(0); - -open $sslconf, '>', $node->data_dir . "/sslconfig.conf"; -print $sslconf "ssl=on\n"; -print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; -print $sslconf "ssl_key_file='server-password.key'\n"; -print $sslconf "ssl_passphrase_command='echo secret1'\n"; -close $sslconf; +SKIP: +{ + skip "Certificate passphrases aren't checked on server restart in NSS", 1 + if ($nss); + + set_server_cert($node, 'server-cn-only', 'root+client_ca', + 'server-password', 'echo wrongpassword'); + command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with password-protected key file with wrong password'); + $node->_update_pid(0); +} +set_server_cert($node, 'server-cn-only', 'root+client_ca', + 'server-password', 'echo secret1'); command_ok( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], 'restart succeeds with password-protected key file'); 
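Review bot: The SKIP block drops the wrong-passphrase restart test under NSS with the reason that passphrases aren't checked on restart, which leaves the NSS failure mode untested: from this hunk it is not clear whether a server whose `ssl_passphrase_command` yields the wrong password starts with an unusable key and fails at the first handshake, or starts without a working certificate at all. A comment inside the block should record what the NSS backend does instead and where that case is covered, e.g. `# NSS only consults the passphrase when the key is loaded from the database, so a wrong password surfaces at handshake time; covered by <test name>` (placeholder name). Minor: `set_server_cert` is called twice with identical arguments apart from the passphrase command, so a short comment on the second call, `# same certificate, correct passphrase`, would make the intended contrast easier to read.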
@@ -149,82 +126,105 @@ test_connect_ok( test_connect_fails( $common_connstr, "sslrootcert=invalid sslmode=verify-ca", - qr/root certificate file "invalid" does not exist/, + qr/root certificate file "invalid" does not exist|could not connect to server/, "connect without server root cert sslmode=verify-ca"); test_connect_fails( $common_connstr, "sslrootcert=invalid sslmode=verify-full", - qr/root certificate file "invalid" does not exist/, + qr/root certificate file "invalid" does not exist|could not connect to server/, "connect without server root cert sslmode=verify-full"); # Try with wrong root cert, should fail. (We're using the client CA as the # root, but the server's key is signed by the server CA.) -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=require", - qr/SSL error/, "connect with wrong server root cert sslmode=require"); -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=verify-ca", - qr/SSL error/, "connect with wrong server root cert sslmode=verify-ca"); -test_connect_fails($common_connstr, - "sslrootcert=ssl/client_ca.crt sslmode=verify-full", - qr/SSL error/, "connect with wrong server root cert sslmode=verify-full"); - -# Try with just the server CA's cert. This fails because the root file -# must contain the whole chain up to the root CA. 
-test_connect_fails($common_connstr, - "sslrootcert=ssl/server_ca.crt sslmode=verify-ca", - qr/SSL error/, "connect with server CA cert, without root CA"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=require cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=require"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-ca cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=verify-ca"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-full cert_database=ssl/nss/client_ca.crt.db", + qr/SSL error/, + "connect with wrong server root cert sslmode=verify-full"); + +SKIP: +{ + # NSS supports partial chain validation, so this test doesnt work there. + # This is similar to the OpenSSL option X509_V_FLAG_PARTIAL_CHAIN which + # we don't allow. + skip "NSS support partial chain validation", 2 if ($nss); + # Try with just the server CA's cert. This fails because the root file + # must contain the whole chain up to the root CA. + test_connect_fails($common_connstr, + "sslrootcert=ssl/server_ca.crt sslmode=verify-ca", + qr/SSL error/, "connect with server CA cert, without root CA"); +} # And finally, with the correct root cert. 
test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require", + "sslrootcert=ssl/root+server_ca.crt sslmode=require cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=require"); test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=verify-ca"); test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db", "connect with correct server CA cert file sslmode=verify-full"); -# Test with cert root file that contains two certificates. The client should -# be able to pick the right one, regardless of the order in the file. -test_connect_ok( - $common_connstr, - "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", - "cert root file that contains two certificates, order 1"); -test_connect_ok( - $common_connstr, - "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", - "cert root file that contains two certificates, order 2"); +SKIP: +{ + skip "CA ordering is irrelevant in NSS databases", 2 if ($nss); + # Test with cert root file that contains two certificates. The client should + # be able to pick the right one, regardless of the order in the file. + test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 1"); + + # How about import the both-file into a database? 
+ test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 2"); +} # CRL tests # Invalid CRL filename is the same as no CRL, succeeds test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid cert_database=ssl/nss/root+server_ca.crt.db", "sslcrl option with invalid file name"); -# A CRL belonging to a different CA is not accepted, fails -test_connect_fails( - $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", - qr/SSL error/, - "CRL belonging to a different CA"); +SKIP: +{ + skip "CRL's are verified when adding to NSS database", 2 if ($nss); + # A CRL belonging to a different CA is not accepted, fails + test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", + qr/SSL error/, + "CRL belonging to a different CA"); +} # With the correct CRL, succeeds (this cert is not revoked) test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl cert_database=ssl/nss/root+server_ca.crt__root+server.crl.db", "CRL with a non-revoked cert"); # Check that connecting with verify-full fails, when the hostname doesn't # match the hostname in the server's certificate. $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, 
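Review bot: The alternation `|could not connect to server` added to the two `sslrootcert=invalid` expectations matches the generic libpq failure prefix, so under NSS these tests pass on any connection failure (server down, wrong port, handshake error) and no longer verify that the missing root certificate file is the cause. Pin the NSS side to its actual error text instead, e.g. `my $no_root_re = $nss ? qr/<NSS root-cert-not-found message>/ : qr/root certificate file "invalid" does not exist/;` (placeholder message) and pass `$no_root_re` to both calls. The partial-chain SKIP comment records a real trust-model difference — an NSS client accepts a trust store that holds only the intermediate CA, which the OpenSSL backend rejects — and that difference belongs in the sslrootcert user documentation, not only in a test comment. Minor: `doesnt` → `doesn't`, `NSS support` → `NSS supports`, and the stray `# How about import the both-file into a database?` question should become a `# TODO:` or be removed.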
@@ -237,14 +237,14 @@ test_connect_ok(
 test_connect_fails(
 $common_connstr,
 "sslmode=verify-full host=wronghost.test",
- qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/,
+ qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 "mismatch between host name and server certificate sslmode=verify-full");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
 
 $common_connstr =
- "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+ "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 $common_connstr,
@@ -262,12 +262,12 @@ test_connect_ok(
 test_connect_fails(
 $common_connstr,
 "host=wronghost.alt-name.pg-ssltest.test",
- qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/,
+ qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 "host name not matching with X.509 Subject Alternative Names");
 test_connect_fails(
 $common_connstr,
 "host=deep.subdomain.wildcard.pg-ssltest.test",
- qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/,
+ qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 "host name not matching with X.509 Subject Alternative Names wildcard");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
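Review bot: The literal `cert_database=ssl/nss/root+server_ca.crt.db` is appended by hand to each `$common_connstr` assignment and option string in this hunk and again in the hunks at -262, -275, -285, -299, -312, -328, -340, -365 and -390, so renaming the database directory or adding a second server-CA store means editing a dozen strings. Hoisting it once before the server-verification tests, `my $server_ca_db = 'cert_database=ssl/nss/root+server_ca.crt.db';`, and interpolating `$server_ca_db` keeps each test string short and makes it obvious which tests share one trust store. The `|SSL_ERROR_BAD_CERT_DOMAIN` alternations assert only the NSS error-code name, not the certificate and host names the OpenSSL message carries; if the NSS path does report those names, extending the pattern to check them would keep both backends at the same level of scrutiny.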
@@ -275,7 +275,7 @@ test_connect_fails( switch_server_cert($node, 'server-single-alt-name'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, @@ -285,12 +285,12 @@ test_connect_ok( test_connect_fails( $common_connstr, "host=wronghost.alt-name.pg-ssltest.test", - qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/, + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with a single X.509 Subject Alternative Name"); test_connect_fails( $common_connstr, "host=deep.subdomain.wildcard.pg-ssltest.test", - qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/, + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "host name not matching with a single X.509 Subject Alternative Name wildcard" ); @@ -299,7 +299,7 @@ test_connect_fails( switch_server_cert($node, 'server-cn-and-alt-names'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, 
@@ -312,14 +312,14 @@ test_connect_ok( test_connect_fails( $common_connstr, "host=common-name.pg-ssltest.test", - qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/, + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/, "certificate with both a CN and SANs ignores CN"); # Finally, test a server certificate that has no CN or SANs. Of course, that's # not a very sensible certificate, but libpq should handle it gracefully. switch_server_cert($node, 'server-no-names'); $common_connstr = - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db"; test_connect_ok( $common_connstr, @@ -328,7 +328,7 @@ test_connect_ok( test_connect_fails( $common_connstr, "sslmode=verify-full host=common-name.pg-ssltest.test", - qr/could not get server's host name from server certificate/, + qr/could not get server's host name from server certificate|SSL_ERROR_BAD_CERT_DOMAIN/, "server certificate without CN or SANs sslmode=verify-full"); # Test that the CRL works @@ -340,11 +340,11 @@ $common_connstr = # Without the CRL, succeeds. With it, fails. test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db", "connects without client-side CRL"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/server.crl cert_database=ssl/nss/root+server_ca.crt__server.crl.db", qr/SSL error/, "does not connect with client-side CRL"); 
@@ -365,21 +365,21 @@ command_like( # Test min/max SSL protocol versions. test_connect_ok( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2 cert_database=ssl/nss/root+server_ca.crt.db", "connection success with correct range of TLS protocol versions"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1 cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid SSL protocol version range/, "connection failure with incorrect range of TLS protocol versions"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid ssl_min_protocol_version value/, "connection failure with an incorrect SSL protocol minimum bound"); test_connect_fails( $common_connstr, - "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls", + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db", qr/invalid ssl_max_protocol_version value/, "connection failure with an incorrect SSL protocol maximum bound"); 
@@ -390,7 +390,7 @@ test_connect_fails(
 note "running server tests";
 
 $common_connstr =
- "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db";
 
 # no client cert
 test_connect_fails(
@@ -406,32 +406,43 @@ test_connect_ok( "certificate authorization succeeds with correct client cert in PEM format" ); -# correct client cert in unencrypted DER -test_connect_ok( - $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key", - "certificate authorization succeeds with correct client cert in DER format" -); +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR"; + +SKIP: +{ + skip "NSS database not implemented in the Makefile", 1 if ($nss); + # correct client cert in unencrypted DER + test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key", + "certificate authorization succeeds with correct client cert in DER format" + ); +} # correct client cert in encrypted PEM test_connect_ok( $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+'", + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db", "certificate authorization succeeds with correct client cert in encrypted PEM format" ); -# correct client cert in encrypted DER -test_connect_ok( - $common_connstr, - "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'", - "certificate authorization succeeds with correct client cert in encrypted DER format" -); +SKIP: +{ + skip "NSS database not implemented in the Makefile", 1 if ($nss); + # correct client cert in encrypted DER + test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted DER format" + ); +} # correct client cert in encrypted PEM with wrong password test_connect_fails( $common_connstr, - "user=ssltestuser 
sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong'", - qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db", + qr!connection requires a valid client certificate|\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!, "certificate authorization fails with correct client cert and wrong password in encrypted PEM format" ); @@ -471,18 +482,19 @@ command_like( '-P', 'null=_null_', '-d', - "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key cert_database=ssl/nss/client.crt__client.key.db", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/?CN=ssltestuser,1,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions SKIP: { skip "Permissions check not enforced on Windows", 2 if ($windows_os); + skip "Key not on filesystem with NSS", 2 if ($nss); test_connect_fails( $common_connstr, 
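Review bot: The wrong-password test now expects `qr!connection requires a valid client certificate|\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!`, so on an OpenSSL build a regression in which libpq fails to decrypt the key yet proceeds without a certificate is accepted as a pass; the same widening is applied to the "another user" test in the -495 hunk at L178 and the "intermediate client certificate is missing" test in the -536 hunk at L179. Choosing the pattern per backend keeps each build's check tight, e.g. `$nss ? qr/connection requires a valid client certificate/ : qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!`. The two SKIP blocks also read `$nss` directly; under `use strict` that only compiles if SSL::Server exports it (its `@EXPORT` list is cut off at L182 in this view) or the script declares it with `our`.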
@@ -495,10 +507,13 @@ SKIP: test_connect_fails( $common_connstr, "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", - qr/certificate authentication failed for user "anotheruser"/, + qr/unable to verify certificate|certificate authentication failed for user "anotheruser"/, "certificate authorization fails with client cert belonging to another user" ); +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client-revoked.crt__client-revoked.key.db"; + # revoked client cert test_connect_fails( $common_connstr, @@ -510,7 +525,7 @@ test_connect_fails( # works, iff username matches Common Name # fails, iff username doesn't match Common Name. $common_connstr = - "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR"; + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db"; test_connect_ok( $common_connstr, 
@@ -536,17 +551,23 @@ test_connect_ok( # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file switch_server_cert($node, 'server-cn-only', 'root_ca'); $common_connstr = - "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client+client_ca.crt__client.key.db"; -test_connect_ok( +TODO: +{ + local $TODO = "WIP failure cause currently unknown"; + test_connect_ok( + $common_connstr, + "sslmode=require sslcert=ssl/client+client_ca.crt", + "intermediate client certificate is provided by client"); +} + +test_connect_fails( $common_connstr, - "sslmode=require sslcert=ssl/client+client_ca.crt", - "intermediate client certificate is provided by client"); -test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt", - qr/SSL error/, "intermediate client certificate is missing"); + "sslmode=require sslcert=ssl/client.crt", + qr/connection requires a valid client certificate|SSL error/, + "intermediate client certificate is missing"); # clean up -foreach my $key (@keys) -{ - unlink("ssl/${key}_tmp.key"); -} + +SSL::Server::cleanup(); diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 01231f8ba0..4ea81fdbcf 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -11,11 +11,11 @@ use File::Copy; use FindBin; use lib $FindBin::RealBin; -use SSLServer; +use SSL::Server; if ($ENV{with_openssl} ne 'yes') { - plan skip_all => 'SSL not supported by this build'; + plan skip_all => 'OpenSSL not supported by this build'; } # This is the hostname used to connect to the server. diff --git a/src/test/ssl/t/SSL/Backend/NSS.pm b/src/test/ssl/t/SSL/Backend/NSS.pm new file mode 100644 index 0000000000..837f0d9891 --- /dev/null +++ b/src/test/ssl/t/SSL/Backend/NSS.pm 
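Review bot: `local $TODO = "WIP failure cause currently unknown";` marks the intermediate-client-certificate test as expected-to-fail for every backend, so an OpenSSL build that previously had to pass this test now reports a failure only as a TODO. Limiting the TODO to the backend under investigation preserves the existing guarantee: `local $TODO = $nss ? "WIP failure cause currently unknown" : undef;` (Test::More treats an undefined `$TODO` as no TODO). The replacement of the unlink loop by `SSL::Server::cleanup();` is fine, but a comment such as `# remove the per-backend temporary key copies created by configure_test_server_for_ssl` would tell the reader what is being cleaned up now that the loop is gone.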
@@ -0,0 +1,64 @@
+package SSL::Backend::NSS;
+
+use strict;
+use warnings;
+use Exporter;
+
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(get_new_nss_backend);
+
+sub new
+{
+ my ($class) = @_;
+
+ my $self = { _library => 'NSS' };
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub get_new_nss_backend
+{
+ my $class = 'SSL::Backend::NSS';
+
+ return $class->new();
+}
+
+sub init
+{
+ # Make sure the certificate databases are in place?
+}
+
+sub get_library
+{
+ my ($self) = @_;
+
+ return $self->{_library};
+}
+
+sub set_server_cert
+{
+ my $self = $_[0];
+ my $certfile = $_[1];
+ my $cafile = $_[2];
+ my $keyfile = $_[3];
+
+ my $cert_nickname = $certfile . '.crt__' . $keyfile . '.key';
+ my $cert_database = $cert_nickname . '.db';
+
+ my $sslconf =
+ "ssl_ca_file='$cafile.crt'\n"
+ . "ssl_cert_file='ssl/$certfile.crt'\n"
+ . "ssl_crl_file=''\n"
+ . "ssl_database='nss/$cert_database'\n";
+
+ return $sslconf;
+}
+
+sub cleanup
+{
+ # Something?
+}
+
+1;
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
new file mode 100644
index 0000000000..62b11b7632
--- /dev/null
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
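Review bot: `set_server_cert` writes `ssl_crl_file=''`, so the NSS server runs with no CRL configured while the OpenSSL backend (L181) configures `root+client.crl`; if the revoked-client test at L178 passes under NSS it does so for a reason other than revocation, and the test cannot tell the difference. Either point the setting at the `client.crl` this patch adds under ssl/nss, or skip the revoked-client test under NSS with a stated reason, rather than silently dropping the check. Two smaller points: `ssl_cert_file='ssl/$certfile.crt'` carries an `ssl/` prefix that neither the `ssl_ca_file` line nor the OpenSSL backend uses, and if the server resolves it relative to the data directory nothing in the NSS branch of configure_test_server_for_ssl (L183) copies those files there; and `init`/`cleanup` are empty stubs whose comments are questions, which should become a statement such as `# Nothing to do: the certificate databases are shipped pre-built under ssl/nss.` or an explicit TODO.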
@@ -0,0 +1,103 @@
+package SSL::Backend::OpenSSL;
+
+use strict;
+use warnings;
+use Exporter;
+use File::Copy;
+
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(get_new_openssl_backend);
+
+our (@keys);
+
+INIT
+{
+ @keys = (
+ "client", "client-revoked",
+ "client-der", "client-encrypted-pem",
+ "client-encrypted-der");
+}
+
+sub new
+{
+ my ($class) = @_;
+
+ my $self = { _library => 'OpenSSL' };
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub get_new_openssl_backend
+{
+ my $class = 'SSL::Backend::OpenSSL';
+
+ my $backend = $class->new();
+
+ return $backend;
+}
+
+sub init
+{
+ # The client's private key must not be world-readable, so take a copy
+ # of the key stored in the code tree and update its permissions.
+ #
+ # This changes ssl/client.key to ssl/client_tmp.key etc for the rest
+ # of the tests.
+ foreach my $key (@keys)
+ {
+ copy("ssl/${key}.key", "ssl/${key}_tmp.key")
+ or die
+ "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!";
+ chmod 0600, "ssl/${key}_tmp.key"
+ or die "failed to change permissions on ssl/${key}_tmp.key: $!";
+ }
+
+ # Also make a copy of that explicitly world-readable. We can't
+ # necessarily rely on the file in the source tree having those
+ # permissions. Add it to @keys to include it in the final clean
+ # up phase.
+ copy("ssl/client.key", "ssl/client_wrongperms_tmp.key")
+ or die
+ "couldn't copy ssl/client.key to ssl/client_wrongperms_tmp.key: $!";
+ chmod 0644, "ssl/client_wrongperms_tmp.key"
+ or die
+ "failed to change permissions on ssl/client_wrongperms_tmp.key: $!";
+ push @keys, 'client_wrongperms';
+}
+
+# Change the configuration to use given server cert file, and reload
+# the server so that the configuration takes effect.
+sub set_server_cert
+{
+ my $self = $_[0];
+ my $certfile = $_[1];
+ my $cafile = $_[2] || "root+client_ca";
+ my $keyfile = $_[3] || $certfile;
+
+ my $sslconf =
+ "ssl_ca_file='$cafile.crt'\n"
+ . "ssl_cert_file='$certfile.crt'\n"
+ . "ssl_key_file='$keyfile.key'\n"
+ . "ssl_crl_file='root+client.crl'\n";
+
+ return $sslconf;
+}
+
+sub get_library
+{
+ my ($self) = @_;
+
+ return $self->{_library};
+}
+
+sub cleanup
+{
+ foreach my $key (@keys)
+ {
+ unlink("ssl/${key}_tmp.key");
+ }
+}
+
+1;
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSL/Server.pm
similarity index 78%
rename from src/test/ssl/t/SSLServer.pm
rename to src/test/ssl/t/SSL/Server.pm
index 1e392b8fbf..679969902e 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -24,19 +24,39 @@
 # explicitly because an invalid sslcert or sslrootcert, respectively,
 # causes those to be ignored.)
-package SSLServer;
+package SSL::Server;
 use strict;
 use warnings;
 use PostgresNode;
+use RecursiveCopy;
 use TestLib;
 use File::Basename;
 use File::Copy;
 use Test::More;
+use SSL::Backend::OpenSSL qw(get_new_openssl_backend);
+use SSL::Backend::NSS qw(get_new_nss_backend);
+
+our ($openssl, $nss, $backend);
+
+# The TLS backend which the server is using should be mostly transparent for
+# the user, apart from individual configuration settings, so keep the backend
+# specific things abstracted behind SSL::Server.
+if ($ENV{with_openssl} eq 'yes')
+{
+ $backend = get_new_openssl_backend();
+ $openssl = 1;
+}
+elsif ($ENV{with_nss} eq 'yes')
+{
+ $backend = get_new_nss_backend();
+ $nss = 1;
+}
 use Exporter 'import';
 our @EXPORT = qw(
 configure_test_server_for_ssl
+ set_server_cert
 switch_server_cert
 test_connect_fails
 test_connect_ok
@@ -145,12 +165,19 @@ sub configure_test_server_for_ssl
 close $sslconf;
 # Copy all server certificates and keys, and client root cert, to the data dir
- copy_files("ssl/server-*.crt", $pgdata);
- copy_files("ssl/server-*.key", $pgdata);
- chmod(0600, glob "$pgdata/server-*.key") or die $!;
- copy_files("ssl/root+client_ca.crt", $pgdata);
- copy_files("ssl/root_ca.crt", $pgdata);
- copy_files("ssl/root+client.crl", $pgdata);
+ if (defined($openssl))
+ {
+ copy_files("ssl/server-*.crt", $pgdata);
+ copy_files("ssl/server-*.key", $pgdata);
+ chmod(0600, glob "$pgdata/server-*.key") or die $!;
+ copy_files("ssl/root+client_ca.crt", $pgdata);
+ copy_files("ssl/root_ca.crt", $pgdata);
+ copy_files("ssl/root+client.crl", $pgdata);
+ }
+ elsif (defined($nss))
+ {
+ RecursiveCopy::copypath("ssl/nss", $pgdata . "/nss") if -e "ssl/nss";
+ }
 # Stop and restart server to load new listen_addresses.
 $node->restart;
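Review bot: `RecursiveCopy::copypath("ssl/nss", $pgdata . "/nss") if -e "ssl/nss";` silently installs no databases when the directory is missing, and the failure then surfaces only as the server refusing to start with ssl=on; dying here with the cause is more useful: `-e "ssl/nss" or die "ssl/nss not found: NSS certificate databases are missing"; RecursiveCopy::copypath("ssl/nss", "$pgdata/nss");`. The OpenSSL branch also sets the copied server keys to 0600, whereas the copied `key4.db` files (which hold the private keys) keep whatever mode RecursiveCopy gives them; whether the NSS backend enforces key-file permissions is not visible here, so a comment such as `# NSS private keys live in key4.db; mode is inherited from the source tree (TODO: confirm the server does not enforce 0600 on it)` would record the expectation.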
@@ -158,26 +185,51 @@ sub configure_test_server_for_ssl # Change pg_hba after restart because hostssl requires ssl=on configure_hba_for_ssl($node, $servercidr, $authmethod); + # Finally, perform backend specific configuration + $backend->init(); + return; } -# Change the configuration to use given server cert file, and reload -# the server so that the configuration takes effect. -sub switch_server_cert +sub ssl_library +{ + return $backend->get_library(); +} + +sub cleanup +{ + $backend->cleanup(); +} + +# Change the configuration to use given server cert file, +sub set_server_cert { my $node = $_[0]; my $certfile = $_[1]; my $cafile = $_[2] || "root+client_ca"; + my $keyfile = $_[3] || ''; + my $pwcmd = $_[4] || ''; my $pgdata = $node->data_dir; + $keyfile = $certfile if $keyfile eq ''; + open my $sslconf, '>', "$pgdata/sslconfig.conf"; print $sslconf "ssl=on\n"; - print $sslconf "ssl_ca_file='$cafile.crt'\n"; - print $sslconf "ssl_cert_file='$certfile.crt'\n"; - print $sslconf "ssl_key_file='$certfile.key'\n"; - print $sslconf "ssl_crl_file='root+client.crl'\n"; + print $sslconf $backend->set_server_cert($certfile, $cafile, $keyfile); + print $sslconf "ssl_passphrase_command='$pwcmd'\n" + unless $pwcmd eq ''; close $sslconf; + return; +} +# Change the configuration to use given server cert file, and reload +# the server so that the configuration takes effect. +# Takes the same arguments as set_server_cert, which it calls to do that +# piece of the work. +sub switch_server_cert +{ + my $node = $_[0]; + set_server_cert(@_); $node->restart; return; } diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm index b6d0cfd39b..c53c59229e 100644 --- a/src/tools/msvc/Install.pm +++ b/src/tools/msvc/Install.pm 
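Review bot: The new comment `# Change the configuration to use given server cert file,` above set_server_cert ends mid-sentence; `# Write the ssl_* settings for the given server cert file to sslconfig.conf without reloading the server; switch_server_cert does the reload.` says what the split achieved. In the same hunk `ssl_passphrase_command='$pwcmd'` interpolates the caller's string into a single-quoted GUC value unescaped, so a command containing a `'` produces an unparseable config file; fine for fixed test fixtures, but worth `$pwcmd =~ s/'/''/g;` before the print or a comment stating the restriction. `cleanup` also lacks the explicit `return;` its sibling subs end with.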
@@ -438,7 +438,8 @@ sub CopyContribFiles
 {
 # These configuration-based exclusions must match vcregress.pl
 next if ($d eq "uuid-ossp" && !defined($config->{uuid}));
- next if ($d eq "sslinfo" && !defined($config->{openssl}));
+ next if ($d eq "sslinfo" && !defined($config->{openssl})
+ && !defined($config->{nss}));
 next if ($d eq "xml2" && !defined($config->{xml}));
 next if ($d =~ /_plperl$/ && !defined($config->{perl}));
 next if ($d =~ /_plpython$/ && !defined($config->{python}));
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 20da7985c1..818a1922f3 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -192,12 +192,19 @@ sub mkvcbuild
 $postgres->FullExportDLL('postgres.lib');
 # The OBJS scraper doesn't know about ifdefs, so remove appropriate files
- # if building without OpenSSL.
- if (!$solution->{options}->{openssl})
+ # if building without various options.
+ if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
 {
 $postgres->RemoveFile('src/backend/libpq/be-secure-common.c');
+ }
+ if (!$solution->{options}->{openssl})
+ {
 $postgres->RemoveFile('src/backend/libpq/be-secure-openssl.c');
 }
+ if (!$solution->{options}->{nss})
+ {
+ $postgres->RemoveFile('src/backend/libpq/be-secure-nss.c');
+ }
 if (!$solution->{options}->{gss})
 {
 $postgres->RemoveFile('src/backend/libpq/be-gssapi-common.c');
@@ -255,12 +262,19 @@ sub mkvcbuild
 $libpq->AddReference($libpgcommon, $libpgport);
 # The OBJS scraper doesn't know about ifdefs, so remove appropriate files
- # if building without OpenSSL.
- if (!$solution->{options}->{openssl})
+ # if building without various options
+ if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
 {
 $libpq->RemoveFile('src/interfaces/libpq/fe-secure-common.c');
+ }
+ if (!$solution->{options}->{openssl})
+ {
 $libpq->RemoveFile('src/interfaces/libpq/fe-secure-openssl.c');
 }
+ if (!$solution->{options}->{nss})
+ {
+ $libpq->RemoveFile('src/interfaces/libpq/fe-secure-nss.c');
+ }
 if (!$solution->{options}->{gss})
 {
 $libpq->RemoveFile('src/interfaces/libpq/fe-gssapi-common.c');
@@ -428,9 +442,14 @@ sub mkvcbuild
 push @contrib_excludes, 'xml2';
 }
+ if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
+ {
+ push @contrib_excludes, 'sslinfo';
+ }
+
 if (!$solution->{options}->{openssl})
 {
- push @contrib_excludes, 'sslinfo', 'ssl_passphrase_callback';
+ push @contrib_excludes, 'ssl_passphrase_callback';
 }
 if (!$solution->{options}->{uuid})
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc8904732f..ac11d9ab26 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -484,6 +484,7 @@ sub GenerateFiles
 USE_NAMED_POSIX_SEMAPHORES => undef,
 USE_OPENSSL => undef,
 USE_OPENSSL_RANDOM => undef,
+ USE_NSS => undef,
 USE_PAM => undef,
 USE_SLICING_BY_8_CRC32C => undef,
 USE_SSE42_CRC32C => undef,
@@ -537,6 +538,10 @@ sub GenerateFiles
 $define{HAVE_OPENSSL_INIT_SSL} = 1;
 }
 }
+ if ($self->{options}->{nss})
+ {
+ $define{USE_NSS} = 1;
+ }
 $self->GenerateConfigHeader('src/include/pg_config.h', \%define, 1);
 $self->GenerateConfigHeader('src/include/pg_config_ext.h', \%define, 0);
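Review bot: `if ($self->{options}->{nss}) { $define{USE_NSS} = 1; }` in the -537 hunk is independent of the preceding openssl branch, so a config with both `openssl` and `nss` set defines USE_OPENSSL and USE_NSS together, and the Mkvcbuild.pm hunks at L185 and L186 would then compile both be-secure-openssl.c and be-secure-nss.c (and both fe-secure-*.c) into the same binaries. The `if`/`elsif` in SSL::Server (L182) suggests the two backends are meant to be mutually exclusive; if so, reject the combination here with `die "openssl and nss options are mutually exclusive\n" if $self->{options}->{openssl} && $self->{options}->{nss};`. Whether configure.ac enforces the same rule is outside this view; if it does, the two messages should match.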
@@ -1004,6 +1009,21 @@ sub AddProject
 }
 }
 }
+ if ($self->{options}->{nss})
+ {
+ $proj->AddIncludeDir($self->{options}->{nss} . '\..\public\nss');
+ $proj->AddIncludeDir($self->{options}->{nss} . '\include\nspr');
+ foreach my $lib (qw(plds4 plc4 nspr4))
+ {
+ $proj->AddLibrary($self->{options}->{nss} .
+ '\lib\lib' . "$lib.lib", 0);
+ }
+ foreach my $lib (qw(ssl3 smime3 nss3))
+ {
+ $proj->AddLibrary($self->{options}->{nss} .
+ '\lib' . "\\$lib.dll.lib", 0);
+ }
+ }
 if ($self->{options}->{nls})
 {
 $proj->AddIncludeDir($self->{options}->{nls} . '\include');
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2ef2cfc4e9..49dc4d5864 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -17,6 +17,7 @@ our $config = {
 perl => undef, # --with-perl=
 python => undef, # --with-python=
 openssl => undef, # --with-openssl=
+ nss => undef, # --with-nss=
 uuid => undef, # --with-uuid=
 xml => undef, # --with-libxml=
 xslt => undef, # --with-libxslt=
-- 2.25.4
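Review bot: The include and library paths in the AddProject hunk (`'\..\public\nss'`, `'\include\nspr'`, `'\lib\lib' . "$lib.lib"`, `'\lib' . "\\$lib.dll.lib"`) only resolve if the `nss` option points at a platform-specific directory one level below the tree that holds `public\nss`, which looks like the `dist\<platform>` directory of an NSS source build, but nothing in either hunk says so. The config_default.pl entry `nss => undef, # --with-nss=` is the place to record it, e.g. `nss => undef, # --with-nss=<NSS dist\<platform> directory containing include\ and lib\>`, and the same expectation belongs in a one-line comment above `$proj->AddIncludeDir($self->{options}->{nss} . '\..\public\nss');`.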