Take site read only

git-svn-id: svn://10.0.0.236/trunk@265943 18797224-902f-48f8-a5cc-f745e15eee43

CVSROOT/commitcheck.pl

@@ -13,13 +13,13 @@ $fullname{'188'} = 'Application Suite';
 $mode{'190'} = 'Closed';
 $branch{'190'} = 'HEAD';
 $fullname{'190'} = 'Bugzilla';
-$blessed{'190'} = ['wurblzap%gmail.com','olav%bkor.dhs.org','ghendricks%novell.com',];
+$blessed{'190'} = ['wurblzap%gmail.com','olav%bkor.dhs.org','lpsolit%gmail.com','ghendricks%novell.com',];
-$super{'190'} = ['mkanat%bugzilla.org','lpsolit%gmail.com','justdave%bugzilla.org',];
+$super{'190'} = ['bzrmirror%bugzilla.org','justdave%bugzilla.org',];
 $mode{'204'} = 'Closed';
 $branch{'204'} = 'BUGZILLA-2_18-BRANCH';
 $fullname{'204'} = 'Bugzilla2.18';
-$blessed{'204'} = ['myk%mozilla.org','vladd%bugzilla.org','olav%bkor.dhs.org','ghendricks%novell.com',];
+$blessed{'204'} = [];
-$super{'204'} = ['mkanat%bugzilla.org','lpsolit%gmail.com','justdave%bugzilla.org',];
+$super{'204'} = ['justdave%bugzilla.org',];
 $mode{'191'} = 'Closed';
 $branch{'191'} = 'BUGZILLA-2_20-BRANCH';
 $fullname{'191'} = 'Bugzilla2.20';
@@ -354,118 +354,6 @@ if ($b eq 'BUGZILLA-3_4-BRANCH') {
 if (m:^mozilla/webtools/bugzilla/.*$:) {return '220';}
 }
 if ($b eq 'HEAD') {
-if (m:^mozilla/modules/libreg/.*$:) {return '84';}
-if (m:^mozilla/java/webclient/.*$:) {return '127';}
-if (m:^mozilla/content/svg/.*$:) {return '187';}
-if (m:^mozilla/layout/svg/.*$:) {return '187';}
-if (m:^db/sqlite3/.*$:) {return '216';}
-if (m:^storage/.*$:) {return '216';}
-if (m:^mozilla/java/dom/.*$:) {return '130';}
-if (m:^mozilla/extensions/help/.*$:) {return '188';}
-if (m:^mozilla/suite/.*$:) {return '188';}
-if (m:^mozilla/content/xml/.*$:) {return '88';}
-if (m:^mozilla/extensions/xmlextras/.*$:) {return '88';}
-if (m:^mozilla/parser/expat/.*$:) {return '88';}
-if (m:^mozilla/java/util/.*$:) {return '133';}
-if (m:^mozilla/startupcache/.*$:) {return '89';}
-if (m:^mozilla/tools/wizards/.*$:) {return '89';}
-if (m:^mozilla/xpcom/[^/]*$:) {return '89';}
-if (m:^mozilla/xpcom/base/.*$:) {return '89';}
-if (m:^mozilla/xpcom/build/.*$:) {return '89';}
-if (m:^mozilla/xpcom/components/.*$:) {return '89';}
-if (m:^mozilla/xpcom/ds/.*$:) {return '89';}
-if (m:^mozilla/xpcom/glue/.*$:) {return '89';}
-if (m:^mozilla/xpcom/proxy/.*$:) {return '89';}
-if (m:^mozilla/xpcom/sample/.*$:) {return '89';}
-if (m:^mozilla/xpcom/stub/.*$:) {return '89';}
-if (m:^mozilla/xpcom/tests/.*$:) {return '89';}
-if (m:^mozilla/xpcom/threads/.*$:) {return '89';}
-if (m:^mozilla/xpcom/tools/.*$:) {return '89';}
-if (m:^mozilla/xpcom/windbgdlg/.*$:) {return '89';}
-if (m:^mozilla/content/xbl/[^/]*$:) {return '199';}
-if (m:^mozilla/content/xbl/public/.*$:) {return '199';}
-if (m:^mozilla/content/xbl/src/.*$:) {return '199';}
-if (m:^mozilla/webtools/bugzilla/.*$:) {return '190';}
-if (m:^mozilla/xpcom/reflect/xptcall/.*$:) {return '206';}
-if (m:^mozilla/content/xtf/.*$:) {return '200';}
-if (m:^mozilla/layout/xtf/.*$:) {return '200';}
-if (m:^mozilla/gfx/src/xprint/.*$:) {return '179';}
-if (m:^mozilla/gfx/[^/]*$:) {return '201';}
-if (m:^mozilla/gfx/cairo/.*$:) {return '201';}
-if (m:^mozilla/gfx/public/.*$:) {return '201';}
-if (m:^mozilla/gfx/src/[^/]*$:) {return '201';}
-if (m:^mozilla/gfx/src/gtk/.*$:) {return '201';}
-if (m:^mozilla/gfx/src/mac/.*$:) {return '201';}
-if (m:^mozilla/gfx/src/shared/.*$:) {return '201';}
-if (m:^mozilla/gfx/src/thebes/.*$:) {return '201';}
-if (m:^mozilla/gfx/src/windows/.*$:) {return '201';}
-if (m:^mozilla/gfx/thebes/.*$:) {return '201';}
-if (m:^mozilla/modules/lcms/.*$:) {return '201';}
-if (m:^mozilla/view/.*$:) {return '96';}
-if (m:^mozilla/layout/[^/]*$:) {return '98';}
-if (m:^mozilla/layout/base/.*$:) {return '98';}
-if (m:^mozilla/layout/build/.*$:) {return '98';}
-if (m:^mozilla/layout/doc/.*$:) {return '98';}
-if (m:^mozilla/layout/forms/.*$:) {return '98';}
-if (m:^mozilla/layout/generic/.*$:) {return '98';}
-if (m:^mozilla/layout/html/.*$:) {return '98';}
-if (m:^mozilla/layout/macbuild/.*$:) {return '98';}
-if (m:^mozilla/layout/printing/.*$:) {return '98';}
-if (m:^mozilla/layout/tables/.*$:) {return '98';}
-if (m:^mozilla/layout/tools/.*$:) {return '98';}
-if (m:^mozilla/xpinstall/.*$:) {return '150';}
-if (m:^CVSROOT/commitcheck\.pl$:) {return '3';}
-if (m:^CVSROOT/passwd$:) {return '3';}
-if (m:^modules/libjar$:) {return '221';}
-if (m:^mozilla/security/manager/.*$:) {return '151';}
-if (m:^mozilla/layout/style/.*$:) {return '100';}
-if (m:^mozilla/webtools/addons/.*$:) {return '185';}
-if (m:^mozilla/webtools/aus/.*$:) {return '185';}
-if (m:^mozilla/webtools/update/.*$:) {return '185';}
-if (m:^mozilla/js/src/ctypes/.*$:) {return '223';}
-if (m:^mozilla/dbm/.*$:) {return '145';}
-if (m:^mozilla/security/coreconf/.*$:) {return '145';}
-if (m:^mozilla/security/dbm/.*$:) {return '145';}
-if (m:^mozilla/security/jss/.*$:) {return '145';}
-if (m:^mozilla/security/nss/.*$:) {return '145';}
-if (m:^mozilla/security/tinderbox/.*$:) {return '145';}
-if (m:^mozilla/security/tinderlight/.*$:) {return '145';}
-if (m:^mozilla/docshell/.*$:) {return '101';}
-if (m:^mozilla/uriloader/.*$:) {return '101';}
-if (m:^mozilla/webshell/.*$:) {return '101';}
-if (m:^mozilla/mailnews/local/src/nsMovemail.*$:) {return '157';}
-if (m:^mozilla/penelope/$:) {return '225';}
-if (m:^mozilla/composer/.*$:) {return '173';}
-if (m:^mozilla/parser/htmlparser$:) {return '102';}
-if (m:^mozilla/embedding/.*$:) {return '208';}
-if (m:^mozilla/[^/]*$:) {return '19';}
-if (m:^mozilla/tools/README$:) {return '19';}
-if (m:^mozilla/content/base/.*$:) {return '103';}
-if (m:^mozilla/content/events/.*$:) {return '103';}
-if (m:^mozilla/content/html/content/.*$:) {return '103';}
-if (m:^mozilla/content/html/document/.*$:) {return '103';}
-if (m:^mozilla/dom/[^/]*$:) {return '103';}
-if (m:^mozilla/dom/base/.*$:) {return '103';}
-if (m:^mozilla/dom/interfaces/.*$:) {return '103';}
-if (m:^mozilla/dom/locales/.*$:) {return '103';}
-if (m:^mozilla/dom/public/.*$:) {return '103';}
-if (m:^mozilla/dom/src/.*$:) {return '103';}
-if (m:^mozilla/dom/tests/.*$:) {return '103';}
-if (m:^extension/python$:) {return '219';}
-if (m:^mozilla/gfx/src/xlib/.*$:) {return '121';}
-if (m:^mozilla/widget/src/xlib/.*$:) {return '121';}
-if (m:^mozilla/widget/src/xlibxtbin/.*$:) {return '121';}
-if (m:^mozilla/js/rhino/.*$:) {return '138';}
-if (m:^mozilla/string/.*$:) {return '160';}
-if (m:^mozilla/xpcom/string/.*$:) {return '160';}
-if (m:^mozilla/webtools/partytool/.*$:) {return '209';}
-if (m:^mozilla/xpfe/.*$:) {return '137';}
-if (m:^mozilla/widget/src/qt/.*$:) {return '161';}
-if (m:^mozilla/widget/src/gtk/.*$:) {return '49';}
-if (m:^mozilla/widget/src/gtk2/.*$:) {return '49';}
-if (m:^mozilla/widget/src/gtksuperwin/.*$:) {return '49';}
-if (m:^mozilla/widget/src/gtkxtbin/.*$:) {return '49';}
-if (m:^mozilla/js/tests/.*$:) {return '114';}
 if (m:^mozilla/rdf/.*$:) {return '52';}
 if (m:^mozilla/extensions/p3p/.*$:) {return '162';}
 if (m:^mozilla/build/.*$:) {return '55';}
@@ -587,6 +475,118 @@ if (m:^mozilla/modules/libpref/.*$:) {return '82';}
 if (m:^mozilla/java/plugins/.*$:) {return '129';}
 if (m:^mozilla/extensions/inspector/.*$:) {return '184';}
 if (m:^mozilla/layout/inspector/.*$:) {return '184';}
+if (m:^mozilla/modules/libreg/.*$:) {return '84';}
+if (m:^mozilla/java/webclient/.*$:) {return '127';}
+if (m:^mozilla/content/svg/.*$:) {return '187';}
+if (m:^mozilla/layout/svg/.*$:) {return '187';}
+if (m:^db/sqlite3/.*$:) {return '216';}
+if (m:^storage/.*$:) {return '216';}
+if (m:^mozilla/java/dom/.*$:) {return '130';}
+if (m:^mozilla/extensions/help/.*$:) {return '188';}
+if (m:^mozilla/suite/.*$:) {return '188';}
+if (m:^mozilla/content/xml/.*$:) {return '88';}
+if (m:^mozilla/extensions/xmlextras/.*$:) {return '88';}
+if (m:^mozilla/parser/expat/.*$:) {return '88';}
+if (m:^mozilla/java/util/.*$:) {return '133';}
+if (m:^mozilla/startupcache/.*$:) {return '89';}
+if (m:^mozilla/tools/wizards/.*$:) {return '89';}
+if (m:^mozilla/xpcom/[^/]*$:) {return '89';}
+if (m:^mozilla/xpcom/base/.*$:) {return '89';}
+if (m:^mozilla/xpcom/build/.*$:) {return '89';}
+if (m:^mozilla/xpcom/components/.*$:) {return '89';}
+if (m:^mozilla/xpcom/ds/.*$:) {return '89';}
+if (m:^mozilla/xpcom/glue/.*$:) {return '89';}
+if (m:^mozilla/xpcom/proxy/.*$:) {return '89';}
+if (m:^mozilla/xpcom/sample/.*$:) {return '89';}
+if (m:^mozilla/xpcom/stub/.*$:) {return '89';}
+if (m:^mozilla/xpcom/tests/.*$:) {return '89';}
+if (m:^mozilla/xpcom/threads/.*$:) {return '89';}
+if (m:^mozilla/xpcom/tools/.*$:) {return '89';}
+if (m:^mozilla/xpcom/windbgdlg/.*$:) {return '89';}
+if (m:^mozilla/content/xbl/[^/]*$:) {return '199';}
+if (m:^mozilla/content/xbl/public/.*$:) {return '199';}
+if (m:^mozilla/content/xbl/src/.*$:) {return '199';}
+if (m:^mozilla/webtools/bugzilla/.*$:) {return '190';}
+if (m:^mozilla/xpcom/reflect/xptcall/.*$:) {return '206';}
+if (m:^mozilla/content/xtf/.*$:) {return '200';}
+if (m:^mozilla/layout/xtf/.*$:) {return '200';}
+if (m:^mozilla/gfx/src/xprint/.*$:) {return '179';}
+if (m:^mozilla/gfx/[^/]*$:) {return '201';}
+if (m:^mozilla/gfx/cairo/.*$:) {return '201';}
+if (m:^mozilla/gfx/public/.*$:) {return '201';}
+if (m:^mozilla/gfx/src/[^/]*$:) {return '201';}
+if (m:^mozilla/gfx/src/gtk/.*$:) {return '201';}
+if (m:^mozilla/gfx/src/mac/.*$:) {return '201';}
+if (m:^mozilla/gfx/src/shared/.*$:) {return '201';}
+if (m:^mozilla/gfx/src/thebes/.*$:) {return '201';}
+if (m:^mozilla/gfx/src/windows/.*$:) {return '201';}
+if (m:^mozilla/gfx/thebes/.*$:) {return '201';}
+if (m:^mozilla/modules/lcms/.*$:) {return '201';}
+if (m:^mozilla/view/.*$:) {return '96';}
+if (m:^mozilla/layout/[^/]*$:) {return '98';}
+if (m:^mozilla/layout/base/.*$:) {return '98';}
+if (m:^mozilla/layout/build/.*$:) {return '98';}
+if (m:^mozilla/layout/doc/.*$:) {return '98';}
+if (m:^mozilla/layout/forms/.*$:) {return '98';}
+if (m:^mozilla/layout/generic/.*$:) {return '98';}
+if (m:^mozilla/layout/html/.*$:) {return '98';}
+if (m:^mozilla/layout/macbuild/.*$:) {return '98';}
+if (m:^mozilla/layout/printing/.*$:) {return '98';}
+if (m:^mozilla/layout/tables/.*$:) {return '98';}
+if (m:^mozilla/layout/tools/.*$:) {return '98';}
+if (m:^mozilla/xpinstall/.*$:) {return '150';}
+if (m:^CVSROOT/commitcheck\.pl$:) {return '3';}
+if (m:^CVSROOT/passwd$:) {return '3';}
+if (m:^modules/libjar$:) {return '221';}
+if (m:^mozilla/security/manager/.*$:) {return '151';}
+if (m:^mozilla/layout/style/.*$:) {return '100';}
+if (m:^mozilla/webtools/addons/.*$:) {return '185';}
+if (m:^mozilla/webtools/aus/.*$:) {return '185';}
+if (m:^mozilla/webtools/update/.*$:) {return '185';}
+if (m:^mozilla/js/src/ctypes/.*$:) {return '223';}
+if (m:^mozilla/dbm/.*$:) {return '145';}
+if (m:^mozilla/security/coreconf/.*$:) {return '145';}
+if (m:^mozilla/security/dbm/.*$:) {return '145';}
+if (m:^mozilla/security/jss/.*$:) {return '145';}
+if (m:^mozilla/security/nss/.*$:) {return '145';}
+if (m:^mozilla/security/tinderbox/.*$:) {return '145';}
+if (m:^mozilla/security/tinderlight/.*$:) {return '145';}
+if (m:^mozilla/docshell/.*$:) {return '101';}
+if (m:^mozilla/uriloader/.*$:) {return '101';}
+if (m:^mozilla/webshell/.*$:) {return '101';}
+if (m:^mozilla/mailnews/local/src/nsMovemail.*$:) {return '157';}
+if (m:^mozilla/penelope/$:) {return '225';}
+if (m:^mozilla/composer/.*$:) {return '173';}
+if (m:^mozilla/parser/htmlparser$:) {return '102';}
+if (m:^mozilla/embedding/.*$:) {return '208';}
+if (m:^mozilla/[^/]*$:) {return '19';}
+if (m:^mozilla/tools/README$:) {return '19';}
+if (m:^mozilla/content/base/.*$:) {return '103';}
+if (m:^mozilla/content/events/.*$:) {return '103';}
+if (m:^mozilla/content/html/content/.*$:) {return '103';}
+if (m:^mozilla/content/html/document/.*$:) {return '103';}
+if (m:^mozilla/dom/[^/]*$:) {return '103';}
+if (m:^mozilla/dom/base/.*$:) {return '103';}
+if (m:^mozilla/dom/interfaces/.*$:) {return '103';}
+if (m:^mozilla/dom/locales/.*$:) {return '103';}
+if (m:^mozilla/dom/public/.*$:) {return '103';}
+if (m:^mozilla/dom/src/.*$:) {return '103';}
+if (m:^mozilla/dom/tests/.*$:) {return '103';}
+if (m:^extension/python$:) {return '219';}
+if (m:^mozilla/gfx/src/xlib/.*$:) {return '121';}
+if (m:^mozilla/widget/src/xlib/.*$:) {return '121';}
+if (m:^mozilla/widget/src/xlibxtbin/.*$:) {return '121';}
+if (m:^mozilla/js/rhino/.*$:) {return '138';}
+if (m:^mozilla/string/.*$:) {return '160';}
+if (m:^mozilla/xpcom/string/.*$:) {return '160';}
+if (m:^mozilla/webtools/partytool/.*$:) {return '209';}
+if (m:^mozilla/xpfe/.*$:) {return '137';}
+if (m:^mozilla/widget/src/qt/.*$:) {return '161';}
+if (m:^mozilla/widget/src/gtk/.*$:) {return '49';}
+if (m:^mozilla/widget/src/gtk2/.*$:) {return '49';}
+if (m:^mozilla/widget/src/gtksuperwin/.*$:) {return '49';}
+if (m:^mozilla/widget/src/gtkxtbin/.*$:) {return '49';}
+if (m:^mozilla/js/tests/.*$:) {return '114';}
 }
 if ($b eq 'NSPRPUB_PRE_4_2_CLIENT_BRANCH') {
 if (m:^mozilla/nsprpub/.*$:) {return '146';}

CVSROOT/commitinfo

@@ -13,5 +13,6 @@
 #
 # If the name "ALL" appears as a regular expression it is always used
 # in addition to the first matching regex or "DEFAULT".
-ALL		$CVSROOT/CVSROOT/commitcheck.pl
+#ALL		$CVSROOT/CVSROOT/commitcheck.pl
-ALL		$CVSROOT/CVSROOT/readonlyusers.pl
+#ALL		$CVSROOT/CVSROOT/readonlyusers.pl
+ALL		$CVSROOT/CVSROOT/readonly

CVSROOT/passwd

@@ -52,6 +52,7 @@ bugzilla%standard8.plus.com:lmzqmqShGzGYs:cvsuser
 burnus%gmx.de:RBozBY9sekJRM:cvsuser
 bz%barnson.org:hRMbA3bW5q6Ak:cvsuser
 bzbarsky%mit.edu:YySJ0ECW0UqcM:cvsuser
+bzrmirror%bugzilla.org:do0ZvZ/z.1YQM:cvsuser
 caillon%redhat.com:S5LpV7HM4OOzo:cvsuser
 callek%gmail.com:7c0ZoYCqNF3qk:cvsuser
 catlee%mozilla.com:eY4mh1o1mljjg:cvsuser
@@ -93,7 +94,7 @@ douglas%stebila.ca:FtOKWYCG./BN6:cvsuser
 dougt%meer.net:QzucPi4akyAvo:cvsuser
 driehuis%playbeing.org:BbR6IahGk6yGc:cvsuser
 dschaffe%adobe.com:IVaq/BhZhOKOc:cvsuser
-dtownsend%oxymoronical.com:azpGlFWejkYvY:cvsuser
+dtownsend%oxymoronical.com:nN8k.deZPkAY6:cvsuser
 dveditz%cruzio.com:S1X7iuOVZr0tI:cvsuser
 dwitte%mozilla.com:atobJ8YkJm/x.:cvsuser
 edburns%acm.org:z7zqfOtPH9oic:cvsuser
@@ -173,6 +174,7 @@ kherron%fmailbox.com:rRN9eQFLs3af6:cvsuser
 kieran%eternal.undonet.com:gVVzTaNHTa3HE:cvsuser
 kiko%async.com.br:Uz8pBMTzv6gpo:cvsuser
 kinmoz%netscape.net:RexUJ7MbhHOeE:cvsuser
+klibby%mozilla.com:bQPoQ04OC8s.6:cvsadm
 Kurt.Zenker%sun.com:PxXscXmcBiCWY:cvsuser
 kyle.yuan%sun.com:4pSzbqjeADpcc:cvsuser
 lars%mozilla.com:OIS1qjX2A4hPY:cvsuser

mozilla/nsprpub/configure

@@ -5621,7 +5621,7 @@ fi
 
 _SAVE_LIBS="$LIBS"
 LIBS="$LIBS $OS_LIBS"
-for ac_func in lchown strerror dladdr
+for ac_func in dladdr gettid lchown setpriority strerror syscall
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
 echo "configure:5628: checking for $ac_func" >&5

mozilla/nsprpub/configure.in

@@ -2588,7 +2588,7 @@ dnl ========================================================
 AC_PROG_GCC_TRADITIONAL
 _SAVE_LIBS="$LIBS"
 LIBS="$LIBS $OS_LIBS"
-AC_CHECK_FUNCS(lchown strerror dladdr)
+AC_CHECK_FUNCS(dladdr gettid lchown setpriority strerror syscall)
 LIBS="$_SAVE_LIBS"
 
 dnl AC_FUNC_MEMCMP

mozilla/nsprpub/pr/include/prinit.h

@@ -31,11 +31,11 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.9.6 Beta"
+#define PR_VERSION  "4.9.6"
 #define PR_VMAJOR   4
 #define PR_VMINOR   9
 #define PR_VPATCH   6
-#define PR_BETA     PR_TRUE
+#define PR_BETA     PR_FALSE
 
 /*
 ** PRVersionCheck

mozilla/nsprpub/pr/include/private/primpl.h

@@ -50,6 +50,10 @@ typedef struct PRSegment PRSegment;
 #include <sys/sem.h>
 #endif
 
+#ifdef HAVE_SYSCALL
+#include <sys/syscall.h>
+#endif
+
 /*************************************************************************
 *****  A Word about Model Dependent Function Naming Convention ***********
 *************************************************************************/
@@ -186,6 +190,17 @@ typedef struct PTDebug
 
 NSPR_API(void) PT_FPrintStats(PRFileDesc *fd, const char *msg);
 
+/*
+ * On Linux and its derivatives POSIX priority scheduling works only for
+ * real-time threads. On those platforms we set thread's nice values
+ * instead which requires us to track kernel thread IDs for each POSIX
+ * thread we create.
+ */
+#if defined(LINUX) && defined(HAVE_SETPRIORITY) && \
+    ((defined(HAVE_SYSCALL) && defined(SYS_gettid)) || defined(HAVE_GETTID))
+#define _PR_NICE_PRIORITY_SCHEDULING
+#endif
+
 #else /* defined(_PR_PTHREADS) */
 
 NSPR_API(void) PT_FPrintStats(PRFileDesc *fd, const char *msg);
@@ -1540,6 +1555,9 @@ struct PRThread {
 
 #if defined(_PR_PTHREADS)
     pthread_t id;                   /* pthread identifier for the thread */
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+    pid_t tid;                      /* Linux-specific kernel thread ID */
+#endif
     PRBool okToDelete;              /* ok to delete the PRThread struct? */
     PRCondVar *waiting;             /* where the thread is waiting | NULL */
     void *sp;                       /* recorded sp for garbage collection */

mozilla/nsprpub/pr/src/pthreads/ptthread.c

@@ -28,6 +28,14 @@
 #undef _POSIX_THREAD_PRIORITY_SCHEDULING
 #endif
 
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+#undef _POSIX_THREAD_PRIORITY_SCHEDULING
+#include <sys/resource.h>
+#ifndef HAVE_GETTID
+#define gettid() (syscall(SYS_gettid))
+#endif
+#endif
+
 /*
  * Record whether or not we have the privilege to set the scheduling
  * policy and priority of threads.  0 means that privilege is available.
@@ -54,7 +62,9 @@ static void _pt_thread_death(void *arg);
 static void _pt_thread_death_internal(void *arg, PRBool callDestructors);
 static void init_pthread_gc_support(void);
 
-#if defined(_PR_DCETHREADS) || defined(_POSIX_THREAD_PRIORITY_SCHEDULING)
+#if defined(_PR_DCETHREADS) || \
+    defined(_POSIX_THREAD_PRIORITY_SCHEDULING) || \
+    defined(_PR_NICE_PRIORITY_SCHEDULING)
 static PRIntn pt_PriorityMap(PRThreadPriority pri)
 {
 #ifdef NTO
@@ -64,6 +74,13 @@ static PRIntn pt_PriorityMap(PRThreadPriority pri)
      *     Jerry.Kirk@Nexwarecorp.com
      */
     return 10;
+#elif defined(_PR_NICE_PRIORITY_SCHEDULING)
+    /* This maps high priorities to low nice values:
+     * PR_PRIORITY_LOW     1
+     * PR_PRIORITY_NORMAL  0
+     * PR_PRIORITY_HIGH   -1
+     * PR_PRIORITY_URGENT -2 */
+    return 1 - pri;
 #else
     return pt_book.minPrio +
 	    pri * (pt_book.maxPrio - pt_book.minPrio) / PR_PRIORITY_LAST;
@@ -98,6 +115,9 @@ static void *_pt_root(void *arg)
     PRIntn rv;
     PRThread *thred = (PRThread*)arg;
     PRBool detached = (thred->state & PT_THREAD_DETACHED) ? PR_TRUE : PR_FALSE;
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+    pid_t tid;
+#endif
 
     /*
      * Both the parent thread and this new thread set thred->id.
@@ -110,6 +130,21 @@ static void *_pt_root(void *arg)
      */
     thred->id = pthread_self();
 
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+    /*
+     * We need to know the kernel thread ID of each thread in order to
+     * set its priority hence we do it here instead of at creation time.
+     */
+    tid = gettid();
+
+    rv = setpriority(PRIO_PROCESS, tid, pt_PriorityMap(thred->priority));
+
+    PR_Lock(pt_book.ml);
+    thred->tid = tid;
+    PR_NotifyAllCondVar(pt_book.cv);
+    PR_Unlock(pt_book.ml);
+#endif
+
     /*
     ** DCE Threads can't detach during creation, so do it late.
     ** I would like to do it only here, but that doesn't seem
@@ -224,6 +259,9 @@ static PRThread* pt_AttachThread(void)
 
         thred->priority = PR_PRIORITY_NORMAL;
         thred->id = pthread_self();
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+        thred->tid = gettid();
+#endif
         rv = pthread_setspecific(pt_book.key, thred);
         PR_ASSERT(0 == rv);
 
@@ -644,6 +682,21 @@ PR_IMPLEMENT(void) PR_SetThreadPriority(PRThread *thred, PRThreadPriority newPri
 		if (rv != 0)
 			rv = -1;
     }
+#elif defined(_PR_NICE_PRIORITY_SCHEDULING)
+    PR_Lock(pt_book.ml);
+    while (thred->tid == 0)
+        PR_WaitCondVar(pt_book.cv, PR_INTERVAL_NO_TIMEOUT);
+    PR_Unlock(pt_book.ml);
+
+    rv = setpriority(PRIO_PROCESS, thred->tid, pt_PriorityMap(newPri));
+
+    if (rv == -1 && errno == EPERM)
+    {
+        /* We don't set pt_schedpriv to EPERM because adjusting the nice
+         * value might be permitted for certain ranges but not others */
+        PR_LOG(_pr_thread_lm, PR_LOG_MIN,
+            ("PR_SetThreadPriority: no thread scheduling privilege"));
+    }
 #endif
 
     thred->priority = newPri;
@@ -862,6 +915,9 @@ void _PR_InitThreads(
     thred->startFunc = NULL;
     thred->priority = priority;
     thred->id = pthread_self();
+#ifdef _PR_NICE_PRIORITY_SCHEDULING
+    thred->tid = gettid();
+#endif
 
     thred->state = (PT_THREAD_DETACHED | PT_THREAD_PRIMORD);
     if (PR_SYSTEM_THREAD == type)

mozilla/security/coreconf/SunOS5.10.mk

@@ -1,12 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.10)
-	OS_DEFINES += -DSOLARIS2_10
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 

mozilla/security/coreconf/SunOS5.10_i86pc.mk

@@ -1,19 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(USE_64),1)
-    CPU_ARCH		= x86_64
-else
-    CPU_ARCH		= x86
-    OS_DEFINES		+= -Di386
-endif
-
-ifeq ($(OS_RELEASE),5.10_i86pc)
-	OS_DEFINES += -DSOLARIS2_10
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc

mozilla/security/coreconf/SunOS5.11.mk

@@ -1,12 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.11)
-	OS_DEFINES += -DSOLARIS2_11
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 

mozilla/security/coreconf/SunOS5.11_i86pc.mk

@@ -1,19 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(USE_64),1)
-    CPU_ARCH		= x86_64
-else
-    CPU_ARCH		= x86
-    OS_DEFINES		+= -Di386
-endif
-
-ifeq ($(OS_RELEASE),5.11_i86pc)
-	OS_DEFINES += -DSOLARIS2_11
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc

mozilla/security/coreconf/SunOS5.8.mk

@@ -1,12 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.8)
-	OS_DEFINES += -DSOLARIS2_8
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 

mozilla/security/coreconf/SunOS5.8_i86pc.mk

@@ -1,16 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-ARCHFLAG		=
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.8_i86pc)
-	OS_DEFINES += -DSOLARIS2_8
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc

mozilla/security/coreconf/SunOS5.9.mk

@@ -1,12 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.9)
-	OS_DEFINES += -DSOLARIS2_9
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 

mozilla/security/coreconf/SunOS5.9_i86pc.mk

@@ -1,16 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-ARCHFLAG		=
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.9_i86pc)
-	OS_DEFINES += -DSOLARIS2_9
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc

mozilla/security/coreconf/SunOS5.mk

@@ -23,9 +23,9 @@ ifeq ($(USE_64), 1)
 else
   ifneq ($(OS_TEST),i86pc)
     ifdef NS_USE_GCC
-      ARCHFLAG=-mcpu=v8
+      ARCHFLAG=-mcpu=v9
     else
-      ARCHFLAG=-xarch=v8
+      ARCHFLAG=-xarch=v8plus
     endif
   endif
 endif
@@ -67,6 +67,15 @@ RANLIB      = echo
 CPU_ARCH    = sparc
 OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT
 
+ifeq ($(OS_TEST),i86pc)
+ifeq ($(USE_64),1)
+    CPU_ARCH		= x86_64
+else
+    CPU_ARCH		= x86
+    OS_DEFINES		+= -Di386
+endif
+endif
+
 # Purify doesn't like -MDupdate
 NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
 
@@ -90,9 +99,6 @@ endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
          sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
-
-
-
 # ld options:
 # -G: produce a shared object
 # -z defs: no unresolved symbols allowed
@@ -135,3 +141,4 @@ else
 RPATH = -R '$$ORIGIN'
 endif
 
+OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc

mozilla/security/coreconf/config.mk

@@ -36,8 +36,12 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
+ifeq ($(OS_TARGET),SunOS)
+include $(CORE_DEPTH)/coreconf/SunOS5.mk
+else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
+endif
 
 #######################################################################
 # [4.0] Master "Core Components" source and release <platform> tags   #

mozilla/security/nss/Makefile

@@ -122,6 +122,12 @@ else
 	$(MAKE) -C $(CORE_DEPTH)/dbm export libs
 endif
 
+build_docs:
+	$(MAKE) -C $(CORE_DEPTH)/nss/doc
+
+clean_docs:
+	$(MAKE) -C $(CORE_DEPTH)/nss/doc clean
+
 clobber_dbm:
 	$(MAKE) -C $(CORE_DEPTH)/dbm clobber
 

mozilla/security/nss/cmd/selfserv/selfserv.c

@@ -40,6 +40,7 @@
 #include "sslproto.h"
 #include "cert.h"
 #include "certt.h"
+#include "ocsp.h"
 
 #ifndef PORT_Sprintf
 #define PORT_Sprintf sprintf
@@ -77,6 +78,21 @@ static PRUint32 loggerOps;
 static PRUint32 loggerBytes;
 static PRUint32 loggerBytesTCP;
 static PRUint32 bulkSentChunks;
+static enum ocspStaplingModeEnum {
+    osm_disabled,  /* server doesn't support stapling */
+    osm_good,      /* supply a signed good status */
+    osm_revoked,   /* supply a signed revoked status */
+    osm_unknown,   /* supply a signed unknown status */
+    osm_failure,   /* supply a unsigned failure status, "try later" */
+    osm_badsig,    /* supply a good status response with a bad signature */
+    osm_corrupted, /* supply a corrupted data block as the status */
+    osm_random,    /* use a random response for each connection */
+    osm_ocsp       /* retrieve ocsp status from external ocsp server,
+		      use empty status if server is unavailable */
+} ocspStaplingMode = osm_disabled;
+typedef enum ocspStaplingModeEnum ocspStaplingModeType;
+static char *ocspStaplingCA = NULL;
+CERTCertificate * certForStatusWeakReference = NULL;
 
 const int ssl2CipherSuites[] = {
     SSL_EN_RC4_128_WITH_MD5,			/* A */
@@ -143,6 +159,7 @@ PrintUsageHeader(const char *progName)
 "         [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
 "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 "         [-V [min-version]:[max-version]] [-a sni_name]\n"
+"         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
 #ifdef NSS_ENABLE_ECC
 "         [-C SSLCacheEntries] [-e ec_nickname]\n"
 #else
@@ -189,6 +206,16 @@ PrintParameterUsage()
 "-j means measure TCP throughput (for use with -g option)\n"
 "-C SSLCacheEntries sets the maximum number of entries in the SSL\n" 
 "    session cache\n"
+"-T <mode> enable OCSP stapling. Possible modes:\n"
+"   none: don't send cert status (default)\n"
+"   good, revoked, unknown: Include locally signed response. Requires: -A\n"
+"   failure: return a failure response (try later, unsigned)\n"
+"   badsig: use a good status but with an invalid signature\n"
+"   corrupted: stapled cert status is an invalid block of data\n"
+"   random: each connection uses a random status from this list:\n"
+"           good, revoked, unknown, failure, badsig, corrupted\n"
+"   ocsp: fetch from external OCSP server using AIA, or none\n"
+"-A <ca> Nickname of a CA used to sign a stapled cert status\n"
 "-c Restrict ciphers\n"
 "-Y prints cipher values allowed for parameter -c and exits\n"
     , stderr);
@@ -328,8 +355,11 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 
     peerCert = SSL_PeerCertificate(fd);
     
-    PRINTF("selfserv: Subject: %s\nselfserv: Issuer : %s\n",
+    if (peerCert) {
-           peerCert->subjectName, peerCert->issuerName);
+        PRINTF("selfserv: Subject: %s\nselfserv: Issuer : %s\n",
+               peerCert->subjectName, peerCert->issuerName);
+        CERT_DestroyCertificate(peerCert);
+    }
 
     rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
 
@@ -340,7 +370,6 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 	FPRINTF(stderr, "selfserv: -- SSL3: Certificate Invalid, err %d.\n%s\n", 
                 err, SECU_Strerror(err));
     }
-    CERT_DestroyCertificate(peerCert);
     FLUSH;
     return rv;  
 }
@@ -1036,6 +1065,130 @@ void stop_server()
     PZ_TraceFlush();
 }
 
+SECItemArray *
+makeTryLaterOCSPResponse(PRArenaPool *arena)
+{
+    SECItemArray *result = NULL;
+    SECItem *ocspResponse = NULL;
+
+    ocspResponse = CERT_CreateEncodedOCSPErrorResponse(arena,
+					SEC_ERROR_OCSP_TRY_SERVER_LATER);
+    if (!ocspResponse)
+	errExit("cannot created ocspResponse");
+
+    result = SECITEM_AllocArray(arena, NULL, 1);
+    if (!result)
+	errExit("cannot allocate multiOcspResponses");
+
+    result->items[0].data = ocspResponse->data;
+    result->items[0].len = ocspResponse->len;
+
+    return result;
+}
+
+SECItemArray *
+makeCorruptedOCSPResponse(PRArenaPool *arena)
+{
+    SECItemArray *result = NULL;
+    SECItem *ocspResponse = NULL;
+
+    ocspResponse = SECITEM_AllocItem(arena, NULL, 1);
+    if (!ocspResponse)
+	errExit("cannot created ocspResponse");
+
+    result = SECITEM_AllocArray(arena, NULL, 1);
+    if (!result)
+	errExit("cannot allocate multiOcspResponses");
+
+    result->items[0].data = ocspResponse->data;
+    result->items[0].len = ocspResponse->len;
+
+    return result;
+}
+
+SECItemArray *
+makeSignedOCSPResponse(PRArenaPool *arena, ocspStaplingModeType osm,
+		       PRFileDesc *model_sock, CERTCertificate *cert)
+{
+    SECItemArray *result = NULL;
+    SECItem *ocspResponse = NULL;
+    CERTOCSPSingleResponse **singleResponses;
+    CERTOCSPSingleResponse *sr;
+    CERTOCSPCertID *cid = NULL;
+    CERTCertificate *ca;
+    PRTime now = PR_Now();
+    PRTime nextUpdate;
+    const secuPWData *pwdata;
+
+    PORT_Assert(model_sock != NULL && cert != NULL);
+
+    ca = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), ocspStaplingCA);
+    if (!ca)
+	errExit("cannot find CA");
+
+    cid = CERT_CreateOCSPCertID(cert, now);
+    if (!cid)
+	errExit("cannot created cid");
+
+    nextUpdate = now + 60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
+
+    switch (osm) {
+	case osm_good:
+	case osm_badsig:
+	    sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now,
+						   &nextUpdate);
+	    break;
+	case osm_unknown:
+	    sr = CERT_CreateOCSPSingleResponseUnknown(arena, cid, now,
+						      &nextUpdate);
+	    break;
+	case osm_revoked:
+	    sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now,
+		&nextUpdate,
+		now - 60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
+		NULL);
+	    break;
+	default:
+	    PORT_Assert(0);
+	    break;
+    }
+
+    if (!sr)
+	errExit("cannot create sr");
+
+    /* meaning of value 2: one entry + one end marker */
+    singleResponses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
+    if (singleResponses == NULL)
+	errExit("cannot allocate singleResponses");
+
+    singleResponses[0] = sr;
+    singleResponses[1] = NULL;
+
+    pwdata = SSL_RevealPinArg(model_sock);
+
+    ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena,
+			(osm == osm_badsig) ? NULL : ca,
+			ocspResponderID_byName, now, singleResponses,
+			&pwdata);
+    if (!ocspResponse)
+	errExit("cannot created ocspResponse");
+
+    CERT_DestroyCertificate(ca);
+    ca = NULL;
+
+    result = SECITEM_AllocArray(arena, NULL, 1);
+    if (!result)
+	errExit("cannot allocate multiOcspResponses");
+
+    result->items[0].data = ocspResponse->data;
+    result->items[0].len = ocspResponse->len;
+
+    CERT_DestroyOCSPCertID(cid);
+    cid = NULL;
+
+    return result;
+}
+
 int
 handle_connection( 
     PRFileDesc *tcp_sock,
@@ -1063,6 +1216,8 @@ handle_connection(
     char               fileName[513];
     char               proto[128];
     PRDescIdentity     aboveLayer = PR_INVALID_IO_LAYER;
+    PRArenaPool *arena = NULL;
+    ocspStaplingModeType osm;
 
     pBuf   = buf;
     bufRem = sizeof buf;
@@ -1089,6 +1244,58 @@ handle_connection(
 	ssl_sock = tcp_sock;
     }
 
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena)
+	errExit("cannot allocate arena");
+
+    osm = ocspStaplingMode;
+    if (osm == osm_random) {
+	/* 6 different responses */
+	int r = rand() % 6;
+	switch (r) {
+	    case 0: osm = osm_good; break;
+	    case 1: osm = osm_revoked; break;
+	    case 2: osm = osm_unknown; break;
+	    case 3: osm = osm_badsig; break;
+	    case 4: osm = osm_corrupted; break;
+	    case 5: osm = osm_failure; break;
+	    default: PORT_Assert(0); break;
+	}
+    }
+    if (osm != osm_disabled) {
+	SECItemArray *multiOcspResponses = NULL;
+	switch (osm) {
+	    case osm_good:
+	    case osm_revoked:
+	    case osm_unknown:
+	    case osm_badsig:
+		multiOcspResponses =
+		    makeSignedOCSPResponse(arena, osm, ssl_sock,
+					   certForStatusWeakReference);
+		break;
+	    case osm_corrupted:
+		multiOcspResponses = makeCorruptedOCSPResponse(arena);
+		break;
+	    case osm_failure:
+		multiOcspResponses = makeTryLaterOCSPResponse(arena);
+		break;
+	    case osm_ocsp:
+		errExit("stapling mode \"ocsp\" not implemented");
+		break;
+		break;
+	    default:
+		break;
+	}
+
+	if (multiOcspResponses) {
+	    SSL_SetStapledOCSPResponses(ssl_sock, multiOcspResponses,
+					PR_FALSE /* no ownership transfer */);
+	}
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    arena = NULL;
+
     if (loggingLayer) {
         /* find the layer where our new layer is to be pushed */
         aboveLayer = PR_GetLayersIdentity(ssl_sock->lower);
@@ -1703,6 +1910,9 @@ server_main(
 
     for (kea = kt_rsa; kea < kt_kea_size; kea++) {
 	if (cert[kea] != NULL) {
+	    if (!certForStatusWeakReference)
+		certForStatusWeakReference = cert[kea];
+
 	    secStatus = SSL_ConfigSecureServer(model_sock, 
 	    		cert[kea], privKey[kea], kea);
 	    if (secStatus != SECSuccess)
@@ -1887,6 +2097,43 @@ beAGoodParent(int argc, char **argv, int maxProcs, PRFileDesc * listen_sock)
 	exit(9); \
     } 
 
+SECStatus enableOCSPStapling(const char* mode)
+{
+    if (!strcmp(mode, "good")) {
+	ocspStaplingMode = osm_good;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "unknown")) {
+	ocspStaplingMode = osm_unknown;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "revoked")) {
+	ocspStaplingMode = osm_revoked;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "badsig")) {
+	ocspStaplingMode = osm_badsig;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "corrupted")) {
+	ocspStaplingMode = osm_corrupted;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "failure")) {
+	ocspStaplingMode = osm_failure;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "random")) {
+	ocspStaplingMode = osm_random;
+	return SECSuccess;
+    }
+    if (!strcmp(mode, "ocsp")) {
+	ocspStaplingMode = osm_ocsp;
+	return SECSuccess;
+    }
+    return SECFailure;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -1938,12 +2185,14 @@ main(int argc, char **argv)
     ** numbers, then capital letters, then lower case, alphabetical. 
     */
     optstate = PL_CreateOptState(argc, argv, 
-        "2:BC:DEL:M:NP:RV:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
+        "2:A:BC:DEL:M:NP:RT:V:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	++optionsFound;
 	switch(optstate->option) {
 	case '2': fileName = optstate->value; break;
 
+	case 'A': ocspStaplingCA = PORT_Strdup(optstate->value); break;
+
 	case 'B': bypassPKCS11 = PR_TRUE; break;
 
         case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break;
@@ -1951,6 +2200,8 @@ main(int argc, char **argv)
 	case 'D': noDelay = PR_TRUE; break;
 	case 'E': disableStepDown = PR_TRUE; break;
 
+	case 'I': /* reserved for OCSP multi-stapling */ break;
+
         case 'L':
             logStats = PR_TRUE;
 	    if (optstate->value == NULL) {
@@ -1971,6 +2222,14 @@ main(int argc, char **argv)
 
 	case 'R': disableRollBack = PR_TRUE; break;
 
+	case 'T':
+	    if (enableOCSPStapling(optstate->value) != SECSuccess) {
+		fprintf(stderr, "Invalid OCSP stapling mode.\n");
+		fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+		exit(53);
+	    }
+	    break;
+
         case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                           enabledVersions, enableSSL2,
                           &enabledVersions, &enableSSL2) != SECSuccess) {
@@ -2077,6 +2336,20 @@ main(int argc, char **argv)
 	Usage(progName);
 	exit(51);
     }
+    switch (ocspStaplingMode) {
+	case osm_good:
+	case osm_revoked:
+	case osm_unknown:
+	case osm_random:
+	    if (!ocspStaplingCA) {
+		fprintf(stderr, "Selected stapling response requires the -A parameter.\n");
+		fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+		exit(52);
+	    }
+	    break;
+	default:
+	    break;
+    }
 
     /* The -b (bindOnly) option is only used by the ssl.sh test
      * script on Linux to determine whether a previous selfserv

mozilla/security/nss/cmd/ssltap/ssltap.c

@@ -33,8 +33,10 @@
 #include "nss.h"
 #include "cert.h"
 #include "sslproto.h"
+#include "ocsp.h"
+#include "ocspti.h"     /* internals for pretty-printing routines *only* */
 
-#define VERSIONSTRING "$Revision: 1.23 $ ($Date: 2013-01-23 20:53:58 $) $Author: wtc%google.com $"
+#define VERSIONSTRING "$Revision: 1.24 $ ($Date: 2013-02-15 17:54:56 $) $Author: kaie%kuix.de $"
 
 
 struct _DataBufferList;
@@ -733,6 +735,236 @@ unsigned int print_hello_extension(unsigned char *  hsdata,
   return pos;
 }
 
+/*
+ * Note this must match (exactly) the enumeration ocspResponseStatus.
+ */
+static char *responseStatusNames[] = {
+    "successful (Response has valid confirmations)",
+    "malformedRequest (Illegal confirmation request)",
+    "internalError (Internal error in issuer)",
+    "tryLater (Try again later)",
+    "unused ((4) is not used)",
+    "sigRequired (Must sign the request)",
+    "unauthorized (Request unauthorized)",
+};
+
+static void
+print_ocsp_cert_id (FILE *out_file, CERTOCSPCertID *cert_id, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Cert ID:\n");
+    level++;
+/*
+    SECU_PrintAlgorithmID (out_file, &(cert_id->hashAlgorithm),
+                           "Hash Algorithm", level);
+    SECU_PrintAsHex (out_file, &(cert_id->issuerNameHash),
+                     "Issuer Name Hash", level);
+    SECU_PrintAsHex (out_file, &(cert_id->issuerKeyHash),
+                     "Issuer Key Hash", level);
+*/
+    SECU_PrintInteger (out_file, &(cert_id->serialNumber),
+                       "Serial Number", level);
+    /* XXX lookup the cert; if found, print something nice (nickname?) */
+}
+
+static void
+print_ocsp_version (FILE *out_file, SECItem *version, int level)
+{
+    if (version->len > 0) {
+        SECU_PrintInteger (out_file, version, "Version", level);
+    } else {
+        SECU_Indent (out_file, level);
+        fprintf (out_file, "Version: DEFAULT\n");
+    }
+}
+
+static void
+print_responder_id (FILE *out_file, ocspResponderID *responderID, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Responder ID ");
+
+    switch (responderID->responderIDType) {
+      case ocspResponderID_byName:
+        fprintf (out_file, "(byName):\n");
+        SECU_PrintName (out_file, &(responderID->responderIDValue.name),
+                        "Name", level + 1);
+        break;
+      case ocspResponderID_byKey:
+        fprintf (out_file, "(byKey):\n");
+        SECU_PrintAsHex (out_file, &(responderID->responderIDValue.keyHash),
+                         "Key Hash", level + 1);
+        break;
+      default:
+        fprintf (out_file, "Unrecognized Responder ID Type\n");
+        break;
+    }
+}
+
+static void
+print_ocsp_extensions (FILE *out_file, CERTCertExtension **extensions,
+                       char *msg, int level)
+{
+    if (extensions) {
+        SECU_PrintExtensions (out_file, extensions, msg, level);
+    } else {
+        SECU_Indent (out_file, level);
+        fprintf (out_file, "No %s\n", msg);
+    }
+}
+
+static void
+print_revoked_info (FILE *out_file, ocspRevokedInfo *revoked_info, int level)
+{
+    SECU_PrintGeneralizedTime (out_file, &(revoked_info->revocationTime),
+                               "Revocation Time", level);
+
+    if (revoked_info->revocationReason != NULL) {
+        SECU_PrintAsHex (out_file, revoked_info->revocationReason,
+                         "Revocation Reason", level);
+    } else {
+        SECU_Indent (out_file, level);
+        fprintf (out_file, "No Revocation Reason.\n");
+    }
+}
+
+static void
+print_cert_status (FILE *out_file, ocspCertStatus *status, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Status: ");
+
+    switch (status->certStatusType) {
+      case ocspCertStatus_good:
+        fprintf (out_file, "Cert is good.\n");
+        break;
+      case ocspCertStatus_revoked:
+        fprintf (out_file, "Cert has been revoked.\n");
+        print_revoked_info (out_file, status->certStatusInfo.revokedInfo,
+                            level + 1);
+        break;
+      case ocspCertStatus_unknown:
+        fprintf (out_file, "Cert is unknown to responder.\n");
+        break;
+      default:
+        fprintf (out_file, "Unrecognized status.\n");
+        break;
+    }
+}
+
+static void
+print_single_response (FILE *out_file, CERTOCSPSingleResponse *single,
+                       int level)
+{
+    print_ocsp_cert_id (out_file, single->certID, level);
+
+    print_cert_status (out_file, single->certStatus, level);
+
+    SECU_PrintGeneralizedTime (out_file, &(single->thisUpdate),
+                               "This Update", level);
+
+    if (single->nextUpdate != NULL) {
+        SECU_PrintGeneralizedTime (out_file, single->nextUpdate,
+                                   "Next Update", level);
+    } else {
+        SECU_Indent (out_file, level);
+        fprintf (out_file, "No Next Update\n");
+    }
+
+    print_ocsp_extensions (out_file, single->singleExtensions,
+                           "Single Response Extensions", level);
+}
+
+static void
+print_response_data (FILE *out_file, ocspResponseData *responseData, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Response Data:\n");
+    level++;
+
+    print_ocsp_version (out_file, &(responseData->version), level);
+
+    print_responder_id (out_file, responseData->responderID, level);
+
+    SECU_PrintGeneralizedTime (out_file, &(responseData->producedAt),
+                               "Produced At", level);
+
+    if (responseData->responses != NULL) {
+        int i;
+
+        for (i = 0; responseData->responses[i] != NULL; i++) {
+            SECU_Indent (out_file, level);
+            fprintf (out_file, "Response %d:\n", i);
+            print_single_response (out_file, responseData->responses[i],
+                                   level + 1);
+        }
+    } else {
+        fprintf (out_file, "Response list is empty.\n");
+    }
+
+    print_ocsp_extensions (out_file, responseData->responseExtensions,
+                           "Response Extensions", level);
+}
+
+static void
+print_basic_response (FILE *out_file, ocspBasicOCSPResponse *basic, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Basic OCSP Response:\n");
+    level++;
+
+    print_response_data (out_file, basic->tbsResponseData, level);
+}
+
+static void
+print_status_response(SECItem *data)
+{
+    int level = 2;
+    CERTOCSPResponse *response;
+    response = CERT_DecodeOCSPResponse (data);
+    if (!response) {
+        SECU_Indent (stdout, level);
+        fprintf(stdout,"unable to decode certificate_status\n");
+        return;
+    }
+    
+    SECU_Indent (stdout, level);
+    if (response->statusValue >= ocspResponse_min &&
+	response->statusValue <= ocspResponse_max) {
+	fprintf (stdout, "Response Status: %s\n",
+		 responseStatusNames[response->statusValue]);
+    } else {
+	fprintf (stdout,
+		 "Response Status: other (Status value %d out of defined range)\n",
+		 (int)response->statusValue);
+    }
+
+    if (response->statusValue == ocspResponse_successful) {
+        ocspResponseBytes *responseBytes = response->responseBytes;
+        PORT_Assert (responseBytes != NULL);
+
+        level++;
+        SECU_PrintObjectID (stdout, &(responseBytes->responseType),
+                            "Response Type", level);
+        switch (response->responseBytes->responseTypeTag) {
+          case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
+            print_basic_response (stdout,
+                                  responseBytes->decodedResponse.basic,
+                                  level);
+            break;
+          default:
+            SECU_Indent (stdout, level);
+            fprintf (stdout, "Unknown response syntax\n");
+            break;
+        }
+    } else {
+        SECU_Indent (stdout, level);
+        fprintf (stdout, "Unsuccessful response, no more information.\n");
+    }
+
+    CERT_DestroyOCSPResponse (response);
+}
+
 /* In the case of renegotiation, handshakes that occur in an already MAC'ed 
  * channel, by the time of this call, the caller has already removed the MAC 
  * from input recordLen. The only MAC'ed record that will get here with its 
@@ -791,6 +1023,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
     case 15: PR_FPUTS("certificate_verify)\n"          ); break;
     case 16: PR_FPUTS("client_key_exchange)\n"         ); break;
     case 20: PR_FPUTS("finished)\n"                    ); break;
+    case 22: PR_FPUTS("certificate_status_request)\n"  ); break;
     default: PR_FPUTS("unknown)\n"                     ); break;
     }
 
@@ -1088,6 +1321,37 @@ void print_ssl3_handshake(unsigned char *recordBuf,
       }
       break;
 
+    case 22: /*certificate_status_request*/
+      {
+        SECItem data;
+        PRFileDesc *ofd;
+        static int  ocspFileNumber;
+        char        ocspFileName[20];
+
+        /* skip 4 bytes with handshake numbers, as in ssl3_HandleCertificateStatus */
+        data.type = siBuffer;
+        data.data = hsdata + 4;
+        data.len = sslh.length - 4;
+        print_status_response(&data);
+
+        PR_snprintf(ocspFileName, sizeof ocspFileName, "ocsp.%03d",
+                    ++ocspFileNumber);
+        ofd = PR_Open(ocspFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, 
+                      0664);
+        if (!ofd) {
+          PR_fprintf(PR_STDOUT,
+                      "               data = { couldn't save file '%s' }\n",
+                      ocspFileName);
+        } else {
+          PR_Write(ofd, data.data, data.len);
+          PR_fprintf(PR_STDOUT,
+                      "               data = { saved in file '%s' }\n",
+                      ocspFileName);
+          PR_Close(ofd);
+        }
+      }
+      break;
+
     default:
       {
 	PR_fprintf(PR_STDOUT,"         UNKNOWN MESSAGE TYPE %d [%d] {\n",
@@ -1137,7 +1401,6 @@ void print_ssl(DataBufferList *s, int length, unsigned char *buffer)
   /* first, create a new buffer object for this piece of data. */
 
   DataBuffer *db;
-  int i,l;
 
   if (s->size == 0 && length > 0 && buffer[0] >= 32 && buffer[0] < 128) {
     /* Not an SSL record, treat entire buffer as plaintext */
@@ -1145,12 +1408,8 @@ void print_ssl(DataBufferList *s, int length, unsigned char *buffer)
     return;
   }
 
-
   check_integrity(s);
 
-  i = 0;
-  l = length;
-
   db = PR_NEW(struct _DataBuffer);
 
   db->buffer = (unsigned char*)PORT_Alloc(length);

mozilla/security/nss/cmd/strsclnt/strsclnt.c

@@ -129,6 +129,7 @@ static PRBool ignoreErrors    = PR_FALSE;
 static PRBool enableSessionTickets = PR_FALSE;
 static PRBool enableCompression    = PR_FALSE;
 static PRBool enableFalseStart     = PR_FALSE;
+static PRBool enableCertStatus     = PR_FALSE;
 
 PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
 
@@ -166,6 +167,7 @@ Usage(const char *progName)
         "          Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
         "       -U means enable throttling up threads\n"
 	"       -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
+	"       -T enable the cert_status extension (OCSP stapling)\n"
 	"       -u enable TLS Session Ticket extension\n"
 	"       -z enable compression\n"
 	"       -g enable false start\n",
@@ -226,6 +228,7 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 {
     SECStatus rv;
     CERTCertificate *    peerCert;
+    const SECItemArray *csa;
 
     if (MakeCertOK>=2) {
         return SECSuccess;
@@ -234,6 +237,11 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 
     PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n", 
            peerCert->subjectName, peerCert->issuerName); 
+    csa = SSL_PeerStapledOCSPResponses(fd);
+    if (csa) {
+        PRINTF("Received %d Cert Status items (OCSP stapled data)\n",
+               csa->len);
+    }
     /* invoke the "default" AuthCert handler. */
     rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
 
@@ -1220,6 +1228,12 @@ client_main(
 	    errExit("SSL_OptionSet SSL_ENABLE_FALSE_START");
     }
 
+    if (enableCertStatus) {
+	rv = SSL_OptionSet(model_sock, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+	if (rv != SECSuccess)
+	    errExit("SSL_OptionSet SSL_ENABLE_OCSP_STAPLING");
+    }
+
     SSL_SetPKCS11PinArg(model_sock, &pwdata);
 
     SSL_SetURL(model_sock, hostName);
@@ -1332,7 +1346,7 @@ main(int argc, char **argv)
  
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "BC:DNP:UV:W:a:c:d:f:gin:op:qst:uvw:z");
+                                 "BC:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch(optstate->option) {
 	case 'B': bypassPKCS11 = PR_TRUE; break;
@@ -1341,10 +1355,14 @@ main(int argc, char **argv)
 
 	case 'D': NoDelay = PR_TRUE; break;
 
+	case 'I': /* reserved for OCSP multi-stapling */ break;
+
 	case 'N': NoReuse = 1; break;
         
 	case 'P': fullhs = PORT_Atoi(optstate->value); break;
 
+	case 'T': enableCertStatus = PR_TRUE; break;
+
 	case 'U': ThrottleUp = PR_TRUE; break;
         
         case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,

mozilla/security/nss/cmd/tstclnt/tstclnt.c

@@ -28,6 +28,7 @@
 #include "prio.h"
 #include "prnetdb.h"
 #include "nss.h"
+#include "ocsp.h"
 #include "ssl.h"
 #include "sslproto.h"
 #include "pk11func.h"
@@ -45,6 +46,13 @@
 #define MAX_WAIT_FOR_SERVER 600
 #define WAIT_INTERVAL       100
 
+#define EXIT_CODE_HANDSHAKE_FAILED 254
+
+#define EXIT_CODE_SIDECHANNELTEST_GOOD 0
+#define EXIT_CODE_SIDECHANNELTEST_BADCERT 1
+#define EXIT_CODE_SIDECHANNELTEST_NODATA 2
+#define EXIT_CODE_SIDECHANNELTEST_REVOKED 3
+
 PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
 
 int ssl2CipherSuites[] = {
@@ -99,6 +107,7 @@ secuPWData  pwdata          = { PW_NONE, 0 };
 void printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate * cert;
+    const SECItemArray *csa;
     SSL3Statistics * ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo    channel;
@@ -144,6 +153,12 @@ void printSecurityInfo(PRFileDesc *fd)
 	"%ld stateless resumes\n",
     	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
 	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
+
+    csa = SSL_PeerStapledOCSPResponses(fd);
+    if (csa) {
+        fprintf(stderr, "Received %d Cert Status items (OCSP stapled data)\n",
+                csa->len);
+    }
 }
 
 void
@@ -165,7 +180,7 @@ static void PrintUsageHeader(const char *progName)
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
                     "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]]\n"
+                    "[-V [min-version]:[max-version]] [-T]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
@@ -205,6 +220,19 @@ static void PrintParameterUsage(void)
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
     fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
+    fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
+    fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
+                    "%-20s -F once means: require for server cert only\n"
+                    "%-20s -F twice means: require for intermediates, too\n"
+                    "%-20s (Connect, handshake with server, disable dynamic download\n"
+                    "%-20s  of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.)\n"
+                    "%-20s Exit code:\n"
+                    "%-20s 0: have fresh and valid revocation data, status good\n"
+                    "%-20s 1: cert failed to verify, prior to revocation checking\n"
+                    "%-20s 2: missing, old or invalid revocation data\n"
+                    "%-20s 3: have fresh and valid revocation data, status revoked\n",
+                    "-F", "", "", "", "", "", "", "", "", "");
+    fprintf(stderr, "%-20s Test -F allows 0=any (default), 1=only OCSP, 2=only CRL\n", "-M");
     fprintf(stderr, "%-20s Restrict ciphers\n", "-c ciphers");
     fprintf(stderr, "%-20s Print cipher values allowed for parameter -c and exit\n", "-Y");
 }
@@ -294,8 +322,14 @@ typedef struct
                         * peer's certificate and restart the handshake. */
    void * dbHandle;    /* Certificate database handle to use while
                         * authenticating the peer's certificate. */
+   PRBool testFreshStatusFromSideChannel;
+   PRErrorCode sideChannelRevocationTestResultCode;
+   PRBool requireDataForIntermediates;
+   PRBool allowOCSPSideChannelData;
+   PRBool allowCRLSideChannelData;
 } ServerCertAuth;
 
+
 /*
  * Callback is called when incoming certificate is not valid.
  * Returns SECSuccess to accept the cert anyway, SECFailure to reject.
@@ -310,16 +344,208 @@ ownBadCertHandler(void * arg, PRFileDesc * socket)
     return SECSuccess;	/* override, say it's OK. */
 }
 
+
+
+#define EXIT_CODE_SIDECHANNELTEST_GOOD 0
+#define EXIT_CODE_SIDECHANNELTEST_BADCERT 1
+#define EXIT_CODE_SIDECHANNELTEST_NODATA 2
+#define EXIT_CODE_SIDECHANNELTEST_REVOKED 3
+
+static void
+verifyFromSideChannel(CERTCertificate *cert, ServerCertAuth *sca)
+{
+    PRUint64 revDoNotUse = 
+      CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
+    
+    PRUint64 revUseLocalOnlyAndSoftFail = 
+      CERT_REV_M_TEST_USING_THIS_METHOD
+      | CERT_REV_M_FORBID_NETWORK_FETCHING
+      | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
+      | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
+      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
+      
+    PRUint64 revUseLocalOnlyAndHardFail = 
+      CERT_REV_M_TEST_USING_THIS_METHOD
+      | CERT_REV_M_FORBID_NETWORK_FETCHING
+      | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
+      | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
+      
+    PRUint64 methodFlagsDoNotUse[2];
+    PRUint64 methodFlagsCheckSoftFail[2];
+    PRUint64 methodFlagsCheckHardFail[2];
+    CERTRevocationTests revTestsDoNotCheck;
+    CERTRevocationTests revTestsOverallSoftFail;
+    CERTRevocationTests revTestsOverallHardFail;
+    CERTRevocationFlags rev;
+    CERTValInParam cvin[2];
+    CERTValOutParam cvout[1];
+    SECStatus rv;
+    
+    methodFlagsDoNotUse[cert_revocation_method_crl] = revDoNotUse;
+    methodFlagsDoNotUse[cert_revocation_method_ocsp] = revDoNotUse;
+    
+    methodFlagsCheckSoftFail[cert_revocation_method_crl] = 
+        sca->allowCRLSideChannelData ? revUseLocalOnlyAndSoftFail : revDoNotUse;
+    methodFlagsCheckSoftFail[cert_revocation_method_ocsp] = 
+        sca->allowOCSPSideChannelData ? revUseLocalOnlyAndSoftFail : revDoNotUse;
+    
+    methodFlagsCheckHardFail[cert_revocation_method_crl] = 
+        sca->allowCRLSideChannelData ? revUseLocalOnlyAndHardFail : revDoNotUse;
+    methodFlagsCheckHardFail[cert_revocation_method_ocsp] = 
+        sca->allowOCSPSideChannelData ? revUseLocalOnlyAndHardFail : revDoNotUse;
+
+    revTestsDoNotCheck.cert_rev_flags_per_method = methodFlagsDoNotUse;
+    revTestsDoNotCheck.number_of_defined_methods = 2;
+    revTestsDoNotCheck.number_of_preferred_methods = 0;
+    revTestsDoNotCheck.cert_rev_method_independent_flags =
+      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
+      | CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
+      
+    revTestsOverallSoftFail.cert_rev_flags_per_method = 0; /* must define later */
+    revTestsOverallSoftFail.number_of_defined_methods = 2;
+    revTestsOverallSoftFail.number_of_preferred_methods = 0;
+    revTestsOverallSoftFail.cert_rev_method_independent_flags =
+      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
+      | CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
+      
+    revTestsOverallHardFail.cert_rev_flags_per_method = 0; /* must define later */
+    revTestsOverallHardFail.number_of_defined_methods = 2;
+    revTestsOverallHardFail.number_of_preferred_methods = 0;
+    revTestsOverallHardFail.cert_rev_method_independent_flags =
+      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
+      | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
+
+    rev.chainTests = revTestsDoNotCheck;
+    rev.leafTests = revTestsDoNotCheck;
+      
+    cvin[0].type = cert_pi_revocationFlags;
+    cvin[0].value.pointer.revocation = &rev;
+    cvin[1].type = cert_pi_end;
+
+    cvout[0].type = cert_po_end;
+    
+    /* Strategy:
+     * 
+     * Verify with revocation checking disabled.
+     * On failure return 1.
+     *
+     * if result if "good", then continue testing.
+     *
+     * Verify with CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO.
+     * If result is good, return 0.
+     *
+     * On failure continue testing, find out why it failed.
+     *
+     * Verify with CERT_REV_M_IGNORE_MISSING_FRESH_INFO
+     *
+     * If result is "good", then our previous test failed,
+     * because we don't have fresh revocation info, return 2.
+     *
+     * If result is still bad, we do have revocation info,
+     * and it says "revoked" or something equivalent, return 3.    
+     */
+    
+    /* revocation checking disabled */
+    rv = CERT_PKIXVerifyCert(cert, certificateUsageSSLServer,
+                             cvin, cvout, NULL);
+    if (rv != SECSuccess) {
+        sca->sideChannelRevocationTestResultCode = 
+            EXIT_CODE_SIDECHANNELTEST_BADCERT;
+        return;
+    }
+    
+    /* revocation checking, hard fail */
+    if (sca->allowOCSPSideChannelData && sca->allowCRLSideChannelData) {
+        /* any method is allowed. use soft fail on individual checks,
+         * but use hard fail on the overall check
+         */
+        revTestsOverallHardFail.cert_rev_flags_per_method = methodFlagsCheckSoftFail;
+    }
+    else {
+        /* only one method is allowed. use hard fail on the individual checks.
+         * hard/soft fail is irrelevant on overall flags.
+         */
+        revTestsOverallHardFail.cert_rev_flags_per_method = methodFlagsCheckHardFail;
+    }
+    rev.leafTests = revTestsOverallHardFail;
+    rev.chainTests = 
+        sca->requireDataForIntermediates ? revTestsOverallHardFail : revTestsDoNotCheck;
+    rv = CERT_PKIXVerifyCert(cert, certificateUsageSSLServer,
+                             cvin, cvout, NULL);
+    if (rv == SECSuccess) {
+        sca->sideChannelRevocationTestResultCode = 
+            EXIT_CODE_SIDECHANNELTEST_GOOD;
+        return;
+    }
+    
+    /* revocation checking, soft fail */
+    revTestsOverallSoftFail.cert_rev_flags_per_method = methodFlagsCheckSoftFail;
+    rev.leafTests = revTestsOverallSoftFail;
+    rev.chainTests = 
+        sca->requireDataForIntermediates ? revTestsOverallSoftFail : revTestsDoNotCheck;
+    rv = CERT_PKIXVerifyCert(cert, certificateUsageSSLServer,
+                             cvin, cvout, NULL);
+    if (rv == SECSuccess) {
+        sca->sideChannelRevocationTestResultCode = 
+            EXIT_CODE_SIDECHANNELTEST_NODATA;
+        return;
+    }
+    
+    sca->sideChannelRevocationTestResultCode = 
+        EXIT_CODE_SIDECHANNELTEST_REVOKED;
+}
+
 static SECStatus 
 ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
                        PRBool isServer)
 {
     ServerCertAuth * serverCertAuth = (ServerCertAuth *) arg;
 
+    if (!serverCertAuth->shouldPause) {
+        CERTCertificate *cert;
+        int i;
+        const SECItemArray *csa;
+
+        if (!serverCertAuth->testFreshStatusFromSideChannel) {
+            return SSL_AuthCertificate(serverCertAuth->dbHandle, 
+                                       fd, checkSig, isServer);
+        }
+
+        /* No verification attempt must have happened before now,
+         * to ensure revocation data has been actively retrieved yet,
+         * or our test will produce incorrect results.
+         */
+
+        cert = SSL_RevealCert(fd);
+        if (!cert) {
+            exit(254);
+        }
+
+        csa = SSL_PeerStapledOCSPResponses(fd);
+        if (csa) {
+            for (i = 0; i < csa->len; ++i) {
+                CERT_CacheOCSPResponseFromSideChannel(
+                    serverCertAuth->dbHandle,
+                    cert,
+                    PR_Now(),
+                    &csa->items[i],
+                    arg);
+            }
+        }
+    
+        verifyFromSideChannel(cert, serverCertAuth);
+        CERT_DestroyCertificate(cert);
+        /* return success to ensure our caller will continue and we will 
+         * reach the code that handles 
+         * serverCertAuth->sideChannelRevocationTestResultCode
+         */
+        return SECSuccess;
+    }
+    
     FPRINTF(stderr, "%s: using asynchronous certificate validation\n",
 	    progName);
 
-    PORT_Assert(serverCertAuth->shouldPause);
     PORT_Assert(!serverCertAuth->isPaused);
     serverCertAuth->isPaused = PR_TRUE;
     return SECWouldBlock;
@@ -576,6 +802,7 @@ int main(int argc, char **argv)
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
+    int                enableCertStatus = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
@@ -597,6 +824,11 @@ int main(int argc, char **argv)
     serverCertAuth.shouldPause = PR_TRUE;
     serverCertAuth.isPaused = PR_FALSE;
     serverCertAuth.dbHandle = NULL;
+    serverCertAuth.testFreshStatusFromSideChannel = PR_FALSE;
+    serverCertAuth.sideChannelRevocationTestResultCode = EXIT_CODE_HANDSHAKE_FAILED;
+    serverCertAuth.requireDataForIntermediates = PR_FALSE;
+    serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
+    serverCertAuth.allowCRLSideChannelData = PR_TRUE;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
@@ -614,7 +846,7 @@ int main(int argc, char **argv)
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "BOSV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
@@ -622,10 +854,38 @@ int main(int argc, char **argv)
 
           case 'B': bypassPKCS11 = 1; 			break;
 
+          case 'F': if (serverCertAuth.testFreshStatusFromSideChannel) {
+                        /* parameter given twice or more */
+                        serverCertAuth.requireDataForIntermediates = PR_TRUE;
+                    }
+                    serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
+                    break;
+
+	  case 'I': /* reserved for OCSP multi-stapling */ break;
+
           case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
 
+          case 'M': switch (atoi(optstate->value)) {
+                      case 1:
+                          serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
+                          serverCertAuth.allowCRLSideChannelData = PR_FALSE;
+                          break;
+                      case 2:
+                          serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
+                          serverCertAuth.allowCRLSideChannelData = PR_TRUE;
+                          break;
+                      case 0:
+                      default:
+                          serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
+                          serverCertAuth.allowCRLSideChannelData = PR_TRUE;
+                          break;
+                    };
+                    break;
+
           case 'S': skipProtoHeader = PR_TRUE;                 break;
 
+          case 'T': enableCertStatus = 1;               break;
+
           case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                             enabledVersions, enableSSL2,
                             &enabledVersions, &enableSSL2) != SECSuccess) {
@@ -702,6 +962,12 @@ int main(int argc, char **argv)
     if (!host || !portno) 
     	Usage(progName);
 
+    if (serverCertAuth.testFreshStatusFromSideChannel
+        && serverCertAuth.shouldPause) {
+        fprintf(stderr, "%s: -F requires the use of -O\n", progName);
+        exit(1);
+    }
+
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
@@ -816,7 +1082,10 @@ int main(int argc, char **argv)
     }
 
     opt.option = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_TRUE;
+    opt.value.non_blocking = PR_TRUE; /* default */
+    if (serverCertAuth.testFreshStatusFromSideChannel) {
+        opt.value.non_blocking = PR_FALSE;
+    }
     PR_SetSocketOption(s, &opt);
     /*PR_SetSocketOption(PR_GetSpecialFD(PR_StandardInput), &opt);*/
 
@@ -936,15 +1205,18 @@ int main(int argc, char **argv)
 	return 1;
     }
 
+    /* enable cert status (OCSP stapling). */
+    rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
+        return 1;
+    }
+
     SSL_SetPKCS11PinArg(s, &pwdata);
 
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
-    if (serverCertAuth.shouldPause) {
+    SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
-	SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
-    } else {
-	SSL_AuthCertificateHook(s, SSL_AuthCertificate, serverCertAuth.dbHandle);
-    }
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
@@ -1042,6 +1314,12 @@ int main(int argc, char **argv)
   }
 #endif
 
+    if (serverCertAuth.testFreshStatusFromSideChannel) {
+        SSL_ForceHandshake(s);
+        error = serverCertAuth.sideChannelRevocationTestResultCode;
+        goto done;
+    }
+    
     /*
     ** Select on stdin and on the socket. Write data from stdin to
     ** socket, read data from socket and write to stdout.
@@ -1055,7 +1333,7 @@ int main(int argc, char **argv)
 	rv = restartHandshakeAfterServerCertIfNeeded(s, &serverCertAuth,
 						     override);
 	if (rv != SECSuccess) {
-	    error = 254; /* 254 (usually) means "handshake failed" */
+	    error = EXIT_CODE_HANDSHAKE_FAILED;
 	    SECU_PrintError(progName, "authentication of server cert failed");
 	    goto done;
 	}
@@ -1122,7 +1400,7 @@ int main(int argc, char **argv)
 		    rv = restartHandshakeAfterServerCertIfNeeded(s,
 				&serverCertAuth, override);
 		    if (rv != SECSuccess) {
-			error = 254; /* 254 (usually) means "handshake failed" */
+			error = EXIT_CODE_HANDSHAKE_FAILED;
 			SECU_PrintError(progName, "authentication of server cert failed");
 			goto done;
 		    }

mozilla/security/nss/doc/Makefile

@@ -24,7 +24,7 @@ prepare: date-and-version
 	
 clean:
 	rm -f date.xml version.xml *.tar.bz2
-	rm -fr $(name) ascii html nroff
+	rm -fr $(name) ascii
 
 date-and-version: date.xml version.xml
 
@@ -55,13 +55,13 @@ tarball:
 # manpages
 #--------------------------------------------------------
 
-%.1 : %.xml prepare
+nroff/%.1 : %.xml
 	$(COMPILE.1) $<
 	
 MANPAGES = \
-certutil.1 cmsutil.1 crlutil.1 pk12util.1 \
+nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
-modutil.1 ssltap.1 derdump.1 signtool.1 signver.1 \
+nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-pp.1 vfychain.1 vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
 
 all-man: prepare $(MANPAGES)
 
@@ -69,14 +69,13 @@ all-man: prepare $(MANPAGES)
 # html pages
 #--------------------------------------------------------
 
-%.html : %.xml
+html/%.html : %.xml
 	$(COMPILE.html) $<
-	mv html/index.html html/$@
+	mv html/index.html $@
 
 HTMLPAGES = \
-certutil.html cmsutil.html crlutil.html pk12util.html  modutil.html \
+html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
-ssltap.html derdump.html signtool.html signver.html pp.html \
+html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-vfychain.html vfyserv.html
+html/vfychain.html html/vfyserv.html
 
 all-html: prepare $(HTMLPAGES)
-

mozilla/security/nss/doc/html/certutil.html

@@ -0,0 +1,318 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in the the NSS database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idp225008"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards). It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database. This document discusses certificate and key database management. For information security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <code class="option">-H</code> to see the arguments available for each command option.</p><p><span class="command"><strong>Command Options</strong></span></p><p>Command options are typically upper case. </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. </p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
+<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
+</p><p>
+When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments used by the Certificate Database Tool.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
+Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file  that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
+
+Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge a source database into the target database. This is used to merge legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
+For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
+</p><p>
+If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. 
+ Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
+ with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: explicitly requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: explicitly requests the older database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>extern: explicitly reserved for future use</strong></span></p></li></ul></div></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+ unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k rsa|dsa|ec|all</span></dt><dd><p>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key. </p><p>
+           The valid key type options are RSA, DSA, ECC, or all. The default 
+           value is rsa. Specifying the type of key can avoid mistakes caused by
+           duplicate nicknames. Giving a key type generates a new key pair; 
+           giving the ID of an existing key reuses that key pair (which is 
+           required to renew certificates).
+          </p><p>
+           The valid key type options are RSA, DSA, ECC, or all. The default 
+           value is rsa. Specifying the type of key can avoid mistakes caused by
+           duplicate nicknames. Giving a key type generates a new key pair; 
+           giving the ID of an existing key reuses that key pair (which is 
+           required to renew certificates).
+          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is 
+           provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</p><p>
+           If NSS has been compiled with support curves outside of SUITE B:
+              sect163k1, nistk163, sect163r1, sect163r2,            
+              nistb163,  sect193r1, sect193r2, sect233k1, nistk233,            
+              sect233r1, nistb233, sect239k1, sect283k1, nistk283,            
+              sect283r1, nistb283, sect409k1, nistk409, sect409r1,            
+              nistb409,  sect571k1, nistk571, sect571r1, nistb571,            
+              secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,            
+              nistp192,  secp224k1, secp224r1, nistp224, secp256k1,            
+              secp256r1, secp384r1, secp521r1,       
+              prime192v1, prime192v2, prime192v3,          
+              prime239v1, prime239v2, prime239v3, c2pnb163v1,             
+              c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,             
+              c2tnb191v2, c2tnb191v3,              
+              c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,             
+              c2pnb272w1, c2pnb304w1,             
+              c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,             
+              secp112r2, secp128r1, secp128r2, sect113r1, sect113r2            
+              sect131r1, sect131r2    
+        </p></dd><dt><span class="term">-r </span></dt><dd><p>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</p></dd><dt><span class="term">-s subject</span></dt><dd><p>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</p></dd><dt><span class="term">-t trustargs</span></dt><dd><p>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <span class="emphasis"><em>SSL, email, object signing</em></span> for each trust setting. In each category position, use none, any, or all
+of the attribute codes: 
+	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		<span class="command"><strong>p</strong></span> - Valid peer
+	</p></li><li class="listitem"><p>
+		<span class="command"><strong>P</strong></span> - Trusted peer (implies p)
+	</p></li><li class="listitem"><p>
+		<span class="command"><strong>c</strong></span> - Valid CA
+	</p></li><li class="listitem"><p>
+		<span class="command"><strong>T</strong></span> - Trusted CA (implies c)
+	</p></li><li class="listitem"><p>
+		<span class="command"><strong>C</strong></span> - rusted CA for client authentication (ssl server only)
+	</p></li><li class="listitem"><p>
+		<span class="command"><strong>u</strong></span> - user
+	</p></li></ul></div><p>
+		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
+	</p><p><span class="command"><strong>-t "TCu,Cu,Tuw"</strong></span></p><p>
+	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
+ for the beginning of a certificate's validity period. Use when creating 
+ the certificate or adding it to a database. Express the offset in integers, 
+ using a minus sign (-) to indicate a negative offset. If this argument is 
+ not used, the validity period begins at the current system time. The length 
+ of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		digital signature
+	</p></li><li class="listitem"><p>
+		nonRepudiation
+	</p></li><li class="listitem"><p>
+		keyEncipherment
+	</p></li><li class="listitem"><p>
+		dataEncipherment
+	</p></li><li class="listitem"><p>
+		keyAgreement
+	</p></li><li class="listitem"><p>
+		certSigning
+	</p></li><li class="listitem"><p>
+		crlSigning
+	</p></li><li class="listitem"><p>
+		critical
+	</p></li></ul></div></dd><dt><span class="term">-2 </span></dt><dd><p>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <span class="command"><strong>certutil</strong></span> prompts for the certificate constraint extension to select.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-3 </span></dt><dd><p>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-4 </span></dt><dd><p>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <span class="command"><strong>certutil</strong></span> prompts for the URL.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-5 | --nsCertType keyword,keyword</span></dt><dd><p>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		sslClient
+	</p></li><li class="listitem"><p>
+		sslServer
+	</p></li><li class="listitem"><p>
+		smime
+	</p></li><li class="listitem"><p>
+		objectSigning
+	</p></li><li class="listitem"><p>
+		sslCA
+	</p></li><li class="listitem"><p>
+		smimeCA
+	</p></li><li class="listitem"><p>
+		objectSigningCA
+	</p></li><li class="listitem"><p>
+		critical
+	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-6 | --extKeyUsage keyword,keyword</span></dt><dd><p>Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		serverAuth
+	</p></li><li class="listitem"><p>
+		clientAuth
+	</p></li><li class="listitem"><p>
+		codeSigning
+	</p></li><li class="listitem"><p>
+		emailProtection
+	</p></li><li class="listitem"><p>
+		timeStamp
+	</p></li><li class="listitem"><p>
+		ocspResponder
+	</p></li><li class="listitem"><p>
+		stepUp
+	</p></li><li class="listitem"><p>
+		msTrustListSign
+	</p></li><li class="listitem"><p>
+		critical
+	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
+		Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <code class="option">-H</code> option to show the complete list of arguments for each command option.
+	</p><p><span class="command"><strong>Creating New Security Databases</strong></span></p><p>
+		Certificates, keys, and security modules related to managing certificates are stored in three related databases:
+	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		cert8.db or cert9.db
+	</p></li><li class="listitem"><p>
+		key3.db or key4.db
+	</p></li><li class="listitem"><p>
+		secmod.db or pkcs11.txt
+	</p></li></ul></div><p>
+		These databases must be created before certificates or keys can be generated.
+	</p><pre class="programlisting">certutil -N -d [sql:]directory</pre><p><span class="command"><strong>Creating a Certificate Request</strong></span></p><p>
+		A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated.
+	</p><pre class="programlisting">$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]</pre><p>
+		The <code class="option">-R</code> command options requires four arguments:
+	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		<code class="option">-k</code> to specify either the key type to generate or, when renewing a certificate, the existing key pair to use
+	</p></li><li class="listitem"><p>
+		<code class="option">-g</code> to set the keysize of the key to generate
+	</p></li><li class="listitem"><p>
+		<code class="option">-s</code> to set the subject name of the certificate
+	</p></li><li class="listitem"><p>
+		<code class="option">-d</code> to give the security database directory
+	</p></li></ul></div><p>
+		The new certificate request can be output in ASCII format (<code class="option">-a</code>) or can be written to a specified file (<code class="option">-o</code>).
+	</p><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
+
+Generating key.  This may take a few moments...
+
+
+Certificate request generated by Netscape 
+Phone: 650-555-0123
+Common Name: John Smith
+Email: (not ed)
+Organization: Example Corp
+State: California
+Country: US
+
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
+MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
+EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
+KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
+CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
+qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
+1hP9Gg==
+-----END NEW CERTIFICATE REQUEST-----</pre><p><span class="command"><strong>Creating a Certificate</strong></span></p><p>
+		A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (<code class="option">-c</code>) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the <code class="option">-x</code> argument with the <code class="option">-S</code> command option.
+	</p><pre class="programlisting">$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</pre><p>
+		The series of numbers and <code class="option">--ext*</code> options set certificate extensions that can be added to the certificate when it is generated by the CA.
+	</p><p>
+		For example, this creates a self-signed certificate:
+	</p><pre class="programlisting">$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</pre><p>
+		From there, new certificates can reference the self-signed certificate:
+	</p><pre class="programlisting">$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</pre><p><span class="command"><strong>Generating a Certificate from a Certificate Request</strong></span></p><p>
+		When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the <span class="emphasis"><em>issuer</em></span> specified in the <code class="option">-c</code> argument). The issuing certificate must be in the certificate database in the specified directory.
+	</p><pre class="programlisting">certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</pre><p><span class="command"><strong>Generating Key Pairs</strong></span></p><p>
+		Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <code class="option">-G</code> command option. 
+	</p><pre class="programlisting">certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</pre><p><span class="command"><strong>Listing Certificates</strong></span></p><p>
+		The <code class="option">-L</code> command option lists all of the certificates listed in the certificate database. The path to the directory (<code class="option">-d</code>) is required.
+	</p><pre class="programlisting">$ certutil -L -d sql:/home/my/sharednssdb
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
+TPS Administrator's Example Domain ID                        u,u,u
+Google Internet Authority                                    ,,   
+Certificate Authority - Example Domain                       CT,C,C</pre><p>
+		Using additional arguments with <code class="option">-L</code> can return and print the information for a single, specific certificate. For example, the <code class="option">-n</code> argument passes the certificate name, while the <code class="option">-a</code> argument prints the certificate in ASCII format:
+	</p><pre class="programlisting">$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
+
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
+cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
+MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
+b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
+Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
+RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
+udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
+bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
+3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
+qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
+rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
+LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
+L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
+lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
+JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
+bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
+U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
+nI7q5n1USM3eWQlVXw==
+-----END CERTIFICATE-----</pre><p><span class="command"><strong>Listing Keys</strong></span></p><p>
+		Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. 
+	</p><p>
+		To list all keys in the database, use the <code class="option">-K</code> command option and the (required) <code class="option">-d</code> argument to give the path to the directory.
+	</p><pre class="programlisting">$ certutil -K -d sql:/home/my/sharednssdb
+certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
+&lt; 0&gt; rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+&lt; 1&gt; rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
+&lt; 2&gt; rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert</pre><p>
+		There are ways to narrow the keys listed in the search results:
+	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		To return a specific key, use the <code class="option">-n</code> <span class="emphasis"><em>name</em></span> argument with the name of the key.
+	</p></li><li class="listitem"><p>
+		If there are multiple security devices loaded, then the <code class="option">-h</code> <span class="emphasis"><em>tokenname</em></span> argument can search a specific token or all tokens.
+	</p></li><li class="listitem"><p>
+		If there are multiple key types available, then the <code class="option">-k</code> <span class="emphasis"><em>key-type</em></span> argument can search a specific type of key, like RSA, DSA, or ECC. 
+	</p></li></ul></div><p><span class="command"><strong>Listing Security Modules</strong></span></p><p>
+		The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The <code class="option">-U</code> command option lists all of the security modules listed in the <code class="filename">secmod.db</code> database. The path to the directory (<code class="option">-d</code>) is required.
+	</p><pre class="programlisting">$ certutil -U -d sql:/home/my/sharednssdb
+
+    slot: NSS User Private Key and Certificate Services                  
+   token: NSS Certificate DB
+
+    slot: NSS Internal Cryptographic Services                            
+   token: NSS Generic Crypto Services</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
+		Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the <code class="option">-A</code> command option.
+	</p><pre class="programlisting">certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer</pre><p>
+		A related command option, <code class="option">-E</code>, is used specifically to add email certificates to the certificate database. The <code class="option">-E</code> command has the same arguments as the <code class="option">-A</code> command. The trust arguments for certificates have the format <span class="emphasis"><em>SSL,S/MIME,Code-signing</em></span>, so the middle trust settings relate most to email certificates (though the others can be set). For example:
+	</p><pre class="programlisting">$ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer</pre><p><span class="command"><strong>Deleting Certificates to the Database</strong></span></p><p>
+		Certificates can be deleted from a database using the <code class="option">-D</code> option. The only required options are to give the security database directory and to identify the certificate nickname.
+	</p><pre class="programlisting">certutil -D -d [sql:]directory -n "nickname"</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"</pre><p><span class="command"><strong>Validating Certificates</strong></span></p><p>
+		A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the <code class="option">-V</code> command option.
+	</p><pre class="programlisting">certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory</pre><p>
+		For example, to validate an email certificate:
+	</p><pre class="programlisting">$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb</pre><p><span class="command"><strong>Modifying Certificate Trust Settings</strong></span></p><p>
+		The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate.
+	</p><pre class="programlisting">certutil -M -n certificate-name -t trust-args -d [sql:]directory</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"</pre><p><span class="command"><strong>Printing the Certificate Chain</strong></span></p><p>
+		Certificates can be issued in <span class="emphasis"><em>chains</em></span> because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The <code class="option">-O</code> prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain:
+	</p><pre class="programlisting">$ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
+"Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
+
+  "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
+
+    "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]</pre><p><span class="command"><strong>Resetting a Token</strong></span></p><p>
+		The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (<code class="option">-h</code>) as well as any directory path. If there is no external token used, the default value is internal.
+	</p><pre class="programlisting">certutil -T -d [sql:]directory -h token-name -0 security-officer-password</pre><p>
+		Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example:
+	</p><pre class="programlisting">$ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret</pre><p><span class="command"><strong>Upgrading or Merging the Security Databases</strong></span></p><p>
+		Many networks or applications may be using older BerkeleyDB versions of the certificate database (<code class="filename">cert8.db</code>). Databases can be upgraded to the new SQLite version of the database (<code class="filename">cert9.db</code>) using the <code class="option">--upgrade-merge</code> command option or existing databases can be merged with the new <code class="filename">cert9.db</code> databases using the <code class="option">---merge</code> command.
+	</p><p>
+		The <code class="option">--upgrade-merge</code> command must give information about the original database and then use the standard arguments (like <code class="option">-d</code>) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database.
+	</p><pre class="programlisting">certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal</pre><p>
+		The <code class="option">--merge</code> command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step.
+	</p><pre class="programlisting">certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]</pre><p>
+		For example:
+	</p><pre class="programlisting">$ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-</pre><p><span class="command"><strong>Running certutil Commands from a Batch File</strong></span></p><p>
+		A series of commands can be run sequentially from a text file with the <code class="option">-B</code> command option. The only argument for this specifies the input file.
+	</p><pre class="programlisting">$ certutil -B -i /path/to/batch-file</pre></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert8.db for certificates
+		</p></li><li class="listitem"><p>
+			key3.db for keys
+		</p></li><li class="listitem"><p>
+			secmod.db for PKCS #11 module information
+		</p></li></ul></div><p>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</p><p>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert9.db for certificates
+		</p></li><li class="listitem"><p>
+			key4.db for keys
+		</p></li><li class="listitem"><p>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting">$ certutil -L -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>pk12util (1)</p><p>modutil (1)</p><p><span class="command"><strong>certutil</strong></span> has arguments or operations that use features defined in several IETF RFCs.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		http://tools.ietf.org/html/rfc5280
+	</p></li><li class="listitem"><p>
+		http://tools.ietf.org/html/rfc1113
+	</p></li><li class="listitem"><p>
+		http://tools.ietf.org/html/rfc1485
+	</p></li></ul></div><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/cmsutil.html

@@ -0,0 +1,32 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CMSUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="CMSUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CMSUTIL</th></tr></table><hr></div><div class="refentry"><a name="cmsutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cmsutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idp187936"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>cmsutil</strong></span> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.
+	</p><p>
+To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. 
+Each command takes one option. Each option may take zero or more arguments. 
+To see a usage string, issue the command without options. 
+	</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p>
+	</p><p><span class="command"><strong>Options</strong></span></p><p>
+Options specify an action. Option arguments modify an action. 
+The options and arguments for the cmsutil command are defined as follows:
+    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-D </span></dt><dd><p>Decode a message.</p></dd><dt><span class="term">-C</span></dt><dd><p>Encrypt a message.</p></dd><dt><span class="term">-E </span></dt><dd><p>Envelope a message.</p></dd><dt><span class="term">-O </span></dt><dd><p>Create a certificates-only message.</p></dd><dt><span class="term">-S </span></dt><dd><p>Sign a message.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action and are lowercase.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c content </span></dt><dd><p>Use this detached content (decode only).</p></dd><dt><span class="term">-d dbdir</span></dt><dd><p>Specify the key/certificate database directory (default is ".")</p></dd><dt><span class="term">-e envfile</span></dt><dd><p>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</p></dd><dt><span class="term">-G</span></dt><dd><p>Include a signing time attribute (sign only).</p></dd><dt><span class="term">-h num</span></dt><dd><p>Generate email headers with info about CMS message (decode only).</p></dd><dt><span class="term">-i infile</span></dt><dd><p>Use infile as a source of data (default is stdin).</p></dd><dt><span class="term">-N nickname</span></dt><dd><p>Specify nickname of certificate to sign with (sign only).</p></dd><dt><span class="term">-n </span></dt><dd><p>Suppress output of contents (decode only).</p></dd><dt><span class="term">-o outfile</span></dt><dd><p>Use outfile as a destination of data (default is stdout).</p></dd><dt><span class="term">-P</span></dt><dd><p>Include an S/MIME capabilities attribute.</p></dd><dt><span class="term">-p password</span></dt><dd><p>Use password as key database password.</p></dd><dt><span class="term">-r recipient1,recipient2, ...</span></dt><dd><p>
+Specify list of recipients (email addresses) for an encrypted or enveloped message. 
+For certificates-only message, list of certificates to send.
+          </p></dd><dt><span class="term">-T</span></dt><dd><p>Suppress content in CMS message (sign only).</p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Set type of cert usage (default is certUsageEmailSigner).</p></dd><dt><span class="term">-Y ekprefnick</span></dt><dd><p>Specify an encryption key preference by nickname.</p></dd></dl></div></div><div class="refsection"><a name="usage"></a><h2>Usage</h2><p>Encrypt Example</p><pre class="programlisting">
+cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile
+      </pre><p>Decode Example</p><pre class="programlisting">
+cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
+      </pre><p>Envelope Example</p><pre class="programlisting">
+cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
+      </pre><p>Certificate-only Example</p><pre class="programlisting">
+cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
+      </pre><p>Sign Message Example</p><pre class="programlisting">
+cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
+      </pre></div><div class="refsection"><a name="idp95504"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p>
+	</p><p>
+	</p><p>
+	</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/crlutil.html

@@ -0,0 +1,211 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CRLUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="CRLUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CRLUTIL</th></tr></table><hr></div><div class="refentry"><a name="crlutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crlutil — 
+List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
+    </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">crlutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idp188816"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Revocation List (CRL) Management Tool, <span class="command"><strong>crlutil</strong></span>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
+    </p><p>
+The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation.
+    </p><p>
+This document discusses certificate revocation list management. For information on security module database management, see Using the Security Module Database Tool. For information on certificate and key database management, see Using the Certificate Database Tool.
+    </p><p>
+To run the Certificate Revocation List Management Tool, type the command
+    </p><p>
+crlutil option [arguments]
+    </p><p>
+where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option.
+    </p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p>
+	</p><p><span class="command"><strong>Options</strong></span></p><p>
+Options specify an action. Option arguments modify an action. 
+The options and arguments for the crlutil command are defined as follows:
+    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-G </span></dt><dd><p>
+Create new Certificate Revocation List(CRL).
+          </p></dd><dt><span class="term">-D </span></dt><dd><p>
+Delete Certificate Revocation List from cert database.
+          </p></dd><dt><span class="term">-I </span></dt><dd><p>
+Import a CRL to the cert database
+          </p></dd><dt><span class="term">-E </span></dt><dd><p>
+Erase all CRLs of specified type from the cert database
+          </p></dd><dt><span class="term">-L </span></dt><dd><p>
+List existing CRL located in cert database file.
+          </p></dd><dt><span class="term">-S </span></dt><dd><p>
+Show contents of a CRL file which isn't stored in the database.
+          </p></dd><dt><span class="term">-M </span></dt><dd><p>
+Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format.
+          </p></dd><dt><span class="term">-G </span></dt><dd><p>
+
+          </p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action and are lowercase.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-B </span></dt><dd><p>
+Bypass CA signature checks.
+          </p></dd><dt><span class="term">-P dbprefix </span></dt><dd><p>
+Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
+          </p></dd><dt><span class="term">-a </span></dt><dd><p>
+Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
+          </p></dd><dt><span class="term">-c crl-gen-file </span></dt><dd><p>
+Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input.
+          </p></dd><dt><span class="term">-d directory </span></dt><dd><p>
+Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.
+          </p><p>
+The NSS database files must reside in the same directory.
+          </p></dd><dt><span class="term">-i crl-file </span></dt><dd><p>
+Specify the file which contains the CRL to import or show.
+          </p></dd><dt><span class="term">-f password-file </span></dt><dd><p>
+Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
+          </p></dd><dt><span class="term">-l algorithm-name </span></dt><dd><p>
+Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
+          </p></dd><dt><span class="term">-n nickname </span></dt><dd><p>
+Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.
+          </p></dd><dt><span class="term">-o output-file </span></dt><dd><p>
+Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.
+          </p></dd><dt><span class="term">-t crl-type </span></dt><dd><p>
+Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete
+          </p></dd><dt><span class="term">-u url </span></dt><dd><p>
+Specify the url.
+          </p></dd></dl></div></div><div class="refsection"><a name="syntax"></a><h2>CRL Generation script syntax</h2><p>CRL generation script file has the following syntax:</p><p>
+    * Line with comments should have # as a first symbol of a line</p><p>
+    * Set "this update" or "next update" CRL fields:
+    </p><p>           
+             update=YYYYMMDDhhmmssZ
+             nextupdate=YYYYMMDDhhmmssZ
+     </p><p>
+      Field "next update" is optional. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ).
+      For example: 20050204153000Z
+    </p><p>* Add an extension to a CRL or a crl certificate entry:</p><p>addext extension-name critical/non-critical [arg1[arg2 ...]]</p><p>Where:</p><p>
+          extension-name: string value of a name of known extensions.
+          critical/non-critical: is 1 when extension is critical and 0 otherwise.
+          arg1, arg2: specific to extension type extension parameters
+    </p><p>
+      addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range.
+    </p><p>
+    * Add certificate entries(s) to CRL:
+    </p><p>
+          addcert range date
+    </p><p>
+          range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+          date: revocation date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+    </p><p>
+    * Remove certificate entry(s) from CRL
+    </p><p>
+          rmcert range
+    </p><p>
+      Where:
+    </p><p>
+          range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+    </p><p>
+    * Change range of certificate entry(s) in CRL
+    </p><p>
+          range new-range
+    </p><p>
+      Where:
+    </p><p>
+          new-range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+    </p><p>
+Implemented Extensions
+     </p><p>
+      The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries. For more information see RFC #3280
+     </p><p>
+    * Add The Authority Key Identifier extension:
+     </p><p>
+      The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
+     </p><p>
+          authKeyId critical [key-id | dn cert-serial]
+     </p><p>
+      Where:
+     </p><p>
+          authKeyIdent: identifies the name of an extension
+          critical: value of 1 of 0. Should be set to 1 if this extension is critical or 0 otherwise.
+          key-id: key identifier represented in octet string. dn:: is a CA distinguished name cert-serial: authority certificate serial number. 
+     </p><p>
+    * Add Issuer Alternative Name extension:
+     </p><p>
+      The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI.
+     </p><p>
+          issuerAltNames non-critical name-list
+     </p><p>
+      Where:
+     </p><p>
+          subjAltNames: identifies the name of an extension
+          should be set to 0 since this is non-critical extension
+          name-list: comma separated list of names
+     </p><p>
+    * Add CRL Number extension:
+     </p><p>
+      The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL
+     </p><p>
+          crlNumber non-critical number
+     </p><p>
+      Where:
+     </p><p>
+          crlNumber: identifies the name of an extension
+          critical: should be set to 0 since this is non-critical extension
+          number: value of long which identifies the sequential number of a CRL.
+     </p><p>
+    * Add Revocation Reason Code extension:
+     </p><p>
+      The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation.
+     </p><p>
+          reasonCode non-critical code
+     </p><p>
+      Where:
+     </p><p>
+          reasonCode: identifies the name of an extension
+          non-critical: should be set to 0 since this is non-critical extension
+          code: the following codes are available:
+     </p><p>
+              unspecified (0),
+              keyCompromise (1),
+              cACompromise (2),
+              affiliationChanged (3),
+              superseded (4),
+              cessationOfOperation (5),
+              certificateHold (6),
+              removeFromCRL (8),
+              privilegeWithdrawn (9),
+              aACompromise (10)
+     </p><p>
+    * Add Invalidity Date extension:
+     </p><p>
+      The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.
+     </p><p>
+          invalidityDate non-critical date
+     </p><p>
+      Where:
+     </p><p>
+          crlNumber: identifies the name of an extension
+          non-critical: should be set to 0 since this is non-critical extension date: invalidity date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+     </p></div><div class="refsection"><a name="usage"></a><h2>Usage</h2><p>
+The Certificate Revocation List Management Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required.
+    </p><p>See "Implemented extensions" for more information regarding extensions and their parameters.</p><p>
+    * Creating or modifying a CRL:
+    </p><pre class="programlisting">
+crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B] 
+      </pre><p>
+    * Listing all CRls or a named CRL:
+    </p><pre class="programlisting">
+	crlutil -L [-n crl-name] [-d krydir] 
+      </pre><p>
+    * Deleting CRL from db:
+    </p><pre class="programlisting">
+	crlutil -D -n nickname [-d keydir] [-P dbprefix] 
+      </pre><p>
+    * Erasing CRLs from db:
+    </p><pre class="programlisting">
+	crlutil -E [-d keydir] [-P dbprefix] 
+      </pre><p>
+    * Deleting CRL from db: 
+    </p><pre class="programlisting">
+          crlutil -D -n nickname [-d keydir] [-P dbprefix]
+    </pre><p>
+    * Erasing CRLs from db:
+    </p><pre class="programlisting">
+          crlutil -E [-d keydir] [-P dbprefix] 
+    </pre><p>
+    * Import CRL from file:
+    </p><pre class="programlisting">
+          crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] 
+    </pre></div><div class="refsection"><a name="idp5089136"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p>
+	</p><p>
+	</p><p>
+	</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/derdump.html

@@ -0,0 +1,7 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>DERDUMP</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="DERDUMP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">DERDUMP</th></tr></table><hr></div><div class="refentry"><a name="derdump"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>derdump  — Dumps C-sequence strings from a DER encoded certificate file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">derdump</code>  [<code class="option">-r</code>] [<code class="option">-i <em class="replaceable"><code>input-file</code></em></code>] [<code class="option">-o <em class="replaceable"><code>output-file</code></em></code>]</p></div></div><div class="refsection"><a name="idp4817536"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="idp2658976"></a><h2>Description</h2><p><span class="command"><strong>derdump </strong></span>dumps C-sequence strings from a DER encode certificate file </p></div><div class="refsection"><a name="idp4859136"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-r </code></span></dt><dd>For formatted items, dump raw bytes as well</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>DER encoded file</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>output file</code></em></span></dt><dd>Define an output file to use (default is stdout).</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</p><p>
+	Authors: Gerhardus Geldenhuis &lt;gerhardus.geldenhuis@gmail.com&gt;. Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/pk12util.html

@@ -0,0 +1,82 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File [-h tokenname] [-v] [common-options] ] [
+        -l p12File [-h tokenname] [-r] [common-options] ] [
+        -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] ] [
+
+common-options are:
+[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] 
+      ]</p></div></div><div class="refsection"><a name="idp189856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+          Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
+    </p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+
+Enter a password which will be used to encrypt your keys.
+The password should be at least 8 characters long,
+and should contain at least one non-alphabetic character.
+
+Enter new password: 
+Re-enter password: 
+Enter password for PKCS12 file: 
+pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+    </p><pre class="programlisting">pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
+Enter password for PKCS12 file: 
+Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file.
+    </p><pre class="programlisting">pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12
+
+Enter password for PKCS12 file: 
+Key(shrouded):
+    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+        Parameters:
+            Salt:
+                45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+            Iteration Count: 1 (0x1)
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13 (0xd)
+        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+        Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
+            A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
+            own,ST=Western Cape,C=ZA"
+....</pre><p>Alternatively, the <code class="option">-r</code> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <code class="filename">.p12</code> files. Each certificate is written to a sequentially-number file, beginning with <code class="filename">file0001.der</code> and continuing through <code class="filename">file000N.der</code>, incrementing the number for every certificate:</p><pre class="programlisting"># pk12util -l test.p12 -r
+Enter password for PKCS12 file: 
+Key(shrouded):
+    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+        Parameters:
+            Salt:
+                45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+            Iteration Count: 1 (0x1)
+Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
+
+Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><p>DES_CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert8.db for certificates
+		</p></li><li class="listitem"><p>
+			key3.db for keys
+		</p></li><li class="listitem"><p>
+			secmod.db for PKCS #11 module information
+		</p></li></ul></div><p>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</p><p>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert9.db for certificates
+		</p></li><li class="listitem"><p>
+			key4.db for keys
+		</p></li><li class="listitem"><p>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>modutil (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/pp.html

@@ -0,0 +1,9 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idp2827632"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="idp4746848"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
+                     pkcs7 or crl files
+    </p></div><div class="refsection"><a name="idp2528512"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/signtool.html

@@ -0,0 +1,286 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>  [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idp4673616"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p>
+	Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
+
+If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
+</p></dd><dt><span class="term">-d certdir</span></dt><dd><p>
+	Specifies your certificate database directory; that is, the directory in which you placed your key3.db and cert7.db files. To specify the current directory, use "-d." (including the period).
+
+The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of the -d option to specify where the database files are located.
+</p></dd><dt><span class="term">-e extension</span></dt><dd><p>
+	Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include.
+</p></dd><dt><span class="term">-f commandfile</span></dt><dd><p>
+	Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques".
+</p></dd><dt><span class="term">-i scriptname</span></dt><dd><p>
+	Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
+</p></dd><dt><span class="term">-j directory</span></dt><dd><p>
+	Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT.
+</p></dd><dt><span class="term">-k key ... directory</span></dt><dd><p>
+	Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write
+
+signtool -k MyCert -d . signdir
+
+You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.
+
+It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.
+</p></dd><dt><span class="term">-G nickname</span></dt><dd><p>
+	Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
+
+The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
+
+Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
+
+The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
+</p></dd><dt><span class="term">-l</span></dt><dd><p>
+	Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
+
+The -l option is available in Netscape Signing Tool 1.0 and later versions only.
+</p></dd><dt><span class="term">-J</span></dt><dd><p>
+	Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
+
+The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
+
+If the -c# option is not used with the -J option, the default compression value is 6.
+
+Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
+</p></dd><dt><span class="term">-L</span></dt><dd><p>
+	Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
+</p></dd><dt><span class="term">--leavearc</span></dt><dd><p>
+	Retains the temporary .arc (archive) directories that the -J option creates. These directories are automatically erased by default. Retaining the temporary directories can be an aid to debugging.
+</p></dd><dt><span class="term">-m metafile</span></dt><dd><p>
+	Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly for specifying an installer script.
+
+The metadata file contains one entry per line, each with three fields:
+
+field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive)
+field #2: the name of the data you are specifying; for example: Install-Script
+field #3: data corresponding to the name in field #2
+
+For example, the -i option uses the equivalent of this line:
+
++ Install-Script: script.js
+
+
+This example associates a MIME type with a file:
+
+movie.qt MIME-Type: video/quicktime
+
+For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge.
+</p></dd><dt><span class="term">-M</span></dt><dd><p>
+	Lists the PKCS #11 modules available to signtool, including smart cards.
+
+The -M option is available in Netscape Signing Tool 1.0 and later versions only.
+
+For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards".
+
+For information on using the -M option to verify FIPS-140-1 validated mode, see "Netscape Signing Tool and FIPS-140-1".
+</p></dd><dt><span class="term">--norecurse</span></dt><dd><p>
+	Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML.
+</p></dd><dt><span class="term">-o</span></dt><dd><p>
+	Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information.
+</p></dd><dt><span class="term">--outfile outputfile</span></dt><dd><p>
+	Specifies a file to receive redirected output from Netscape Signing Tool.
+</p></dd><dt><span class="term">-p password</span></dt><dd><p>
+	Specifies a password for the private-key database. Note that the password entered on the command line is displayed as plain text.
+</p></dd><dt><span class="term">-s keysize</span></dt><dd><p>
+	Specifies the size of the key for generated certificate. Use the -M option to find out what tokens are available.
+
+The -s option can be used with the -G option only.
+</p></dd><dt><span class="term">-t token</span></dt><dd><p>
+	Specifies which available token should generate the key and receive the certificate. Use the -M option to find out what tokens are available.
+
+The -t option can be used with the -G option only.
+</p></dd><dt><span class="term">-v archive</span></dt><dd><p>
+	Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated. This includes checking that the certificate for the issuer of the object-signing certificate is listed in the certificate database, that the CA's digital signature on the object-signing certificate is valid, that the relevant certificates have not expired, and so on.
+</p></dd><dt><span class="term">--verbosity value</span></dt><dd><p>
+	Sets the quantity of information Netscape Signing Tool generates in operation. A value of 0 (zero) is the default and gives full information. A value of -1 suppresses most messages, but not error messages.
+</p></dd><dt><span class="term">-w archive</span></dt><dd><p>
+	Displays the names of signers of any files in the archive.
+</p></dd><dt><span class="term">-x directory</span></dt><dd><p>
+	Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude.
+</p></dd><dt><span class="term">-z</span></dt><dd><p>
+	Tells signtool not to store the signing time in the digital signature. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed.
+</p></dd><dt><span class="term">-Z jarfile</span></dt><dd><p>
+	Creates a JAR file with the specified name. You must specify this option if you want signtool to create the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool to create the JAR file.
+
+The -Z option cannot be used at the same time as the -J option.
+
+If the -c# option is not used with the -Z option, the default compression value is 6.</p></dd></dl></div></div><div class="refsection"><a name="command-file"></a><h2>The Command File Format</h2><p>Entries in a Netscape Signing Tool command file have this general format:
+keyword=value
+
+Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value. The value may include = signs; only the first = sign on a line is interpreted. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign). Keywords are case insensitive, values are generally case sensitive. Since the = sign and newline delimit the value, it should not be quoted. </p><p><span class="command"><strong>Subsection</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">basename</span></dt><dd><p>Same as -b option.</p></dd><dt><span class="term">compression</span></dt><dd><p>
+	Same as -c option.
+</p></dd><dt><span class="term">certdir</span></dt><dd><p>
+	Same as -d option.
+</p></dd><dt><span class="term">extension</span></dt><dd><p>
+	Same as -e option.
+</p></dd><dt><span class="term">generate</span></dt><dd><p>
+	Same as -G option.
+</p></dd><dt><span class="term">installscript</span></dt><dd><p>
+	Same as -i option.
+</p></dd><dt><span class="term">javascriptdir</span></dt><dd><p>
+	Same as -j option.
+</p></dd><dt><span class="term">htmldir</span></dt><dd><p>
+	Same as -J option.
+</p></dd><dt><span class="term">certname</span></dt><dd><p>
+	Nickname of certificate, as with -k and -l -k options.
+</p></dd><dt><span class="term">signdir</span></dt><dd><p>
+	The directory to be signed, as with -k option.
+</p></dd><dt><span class="term">list</span></dt><dd><p>
+	Same as -l option. Value is ignored, but = sign must be present.
+</p></dd><dt><span class="term">listall</span></dt><dd><p>
+	Same as -L option. Value is ignored, but = sign must be present.
+</p></dd><dt><span class="term">metafile</span></dt><dd><p>
+	Same as -m option.
+</p></dd><dt><span class="term">modules</span></dt><dd><p>
+	Same as -M option. Value is ignored, but = sign must be present.
+</p></dd><dt><span class="term">optimize</span></dt><dd><p>
+	Same as -o option. Value is ignored, but = sign must be present.
+</p></dd><dt><span class="term">password</span></dt><dd><p>
+	Same as -p option.
+</p></dd><dt><span class="term">keysize</span></dt><dd><p>
+	Same as -s option.
+</p></dd><dt><span class="term">token</span></dt><dd><p>
+	Same as -t option.
+</p></dd><dt><span class="term">verify</span></dt><dd><p>
+	Same as -v option.
+</p></dd><dt><span class="term">who</span></dt><dd><p>
+	Same as -w option.
+</p></dd><dt><span class="term">exclude</span></dt><dd><p>
+	Same as -x option.
+</p></dd><dt><span class="term">notime</span></dt><dd><p>
+	Same as -z option. value is ignored, but = sign must be present.
+</p></dd><dt><span class="term">jarfile</span></dt><dd><p>
+	Same as -Z option.
+</p></dd><dt><span class="term">outfile</span></dt><dd><p>
+	Name of a file to which output and error messages will be redirected. This option has no command-line equivalent.
+	</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><p>The following example will do this and that
+    </p><p><span class="command"><strong>Listing Available Signing Certificates</strong></span></p><p>You use the -L option to list the nicknames for all available certificates and check which ones are signing certificates.</p><pre class="programlisting">signtool -L 
+
+using certificate directory: /u/jsmith/.netscape 
+S Certificates 
+- ------------ 
+  BBN Certificate Services CA Root 1 
+  IBM World Registry CA 
+  VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc. 
+  GTE CyberTrust Root CA 
+  Uptime Group Plc. Class 4 CA 
+* Verisign Object Signing Cert 
+  Integrion CA 
+  GTE CyberTrust Secure Server CA 
+  AT&amp;T Directory Services 
+* test object signing cert 
+  Uptime Group Plc. Class 1 CA 
+  VeriSign Class 1 Primary CA 
+- ------------
+
+Certificates that can be used to sign objects have *'s to their left. </pre><p>Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.</p><p>You use the -l option to get a list of signing certificates only, including the signing CA for each.</p><pre class="programlisting">signtool -l
+
+using certificate directory: /u/jsmith/.netscape
+Object signing certificates
+---------------------------------------
+
+Verisign Object Signing Cert
+    Issued by: VeriSign, Inc. - Verisign, Inc.
+    Expires: Tue May 19, 1998
+test object signing cert
+    Issued by: test object signing cert (Signtool 1.0 Testing 
+Certificate (960187691))
+    Expires: Sun May 17, 1998
+---------------------------------------</pre><p>For a list including CAs, use the <code class="option">-L</code> option.</p><p><span class="command"><strong>Signing a File</strong></span></p><p>1. Create an empty directory.</p><pre class="programlisting">mkdir signdir</pre><p>2. Put some file into it.</p><pre class="programlisting">echo boo &gt; signdir/test.f</pre><p>3. Specify the name of your object-signing certificate and sign the directory.</p><pre class="programlisting">signtool -k MySignCert -Z testjar.jar signdir
+
+using key "MySignCert"
+using certificate directory: /u/jsmith/.netscape
+Generating signdir/META-INF/manifest.mf file..
+--&gt; test.f
+adding signdir/test.f to testjar.jar
+Generating signtool.sf file..
+Enter Password or Pin for "Communicator Certificate DB":
+
+adding signdir/META-INF/manifest.mf to testjar.jar
+adding signdir/META-INF/signtool.sf to testjar.jar
+adding signdir/META-INF/signtool.rsa to testjar.jar
+
+tree "signdir" signed successfully</pre><p>4. Test the archive you just created.</p><pre class="programlisting">signtool -v testjar.jar
+
+using certificate directory: /u/jsmith/.netscape
+archive "testjar.jar" has passed crypto verification.
+           status   path
+     ------------   -------------------
+         verified   test.f</pre><p><span class="command"><strong>Using Netscape Signing Tool with a ZIP Utility</strong></span></p><p>To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable. You should use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames. You can use a ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:</p><pre class="programlisting">cd signdir 
+
+  zip -r ../myjar.jar * 
+  adding: META-INF/ (stored 0%) 
+  adding: META-INF/manifest.mf (deflated 15%) 
+  adding: META-INF/signtool.sf (deflated 28%) 
+  adding: META-INF/signtool.rsa (stored 0%) 
+  adding: text.txt (stored 0%)</pre><p><span class="command"><strong>Generating the Keys and Certificate</strong></span></p><p>The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the new certificate as an argument. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.</p><p>Certificates contain standard information about the entity they identify, such as the common name and organization name. Netscape Signing Tool prompts you for this information when you run the command with the -G option. However, all of the requested fields are optional for test certificates. If you do not enter a common name, the tool provides a default name. In the following example, the user input is in boldface:</p><pre class="programlisting">signtool -G MyTestCert
+
+using certificate directory: /u/someuser/.netscape
+Enter certificate information. All fields are optional. Acceptable
+characters are numbers, letters, spaces, and apostrophes.
+certificate common name: Test Object Signing Certificate
+organization: Netscape Communications Corp.
+organization unit: Server Products Division
+state or province: California
+country (must be exactly 2 characters): US
+username: someuser
+email address: someuser@netscape.com
+Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
+generated public/private key pair
+certificate request generated
+certificate has been signed
+certificate "MyTestCert" added to database
+Exported certificate to x509.raw and x509.cacert.</pre><p>The certificate information is read from standard input. Therefore, the information can be read from a file using the redirection operator (&lt;) in some operating systems. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line. Make sure there is a newline character at the end of the last line. Then run signtool with standard input redirected from your file as follows:</p><pre class="programlisting">signtool -G MyTestCert inputfile</pre><p>The prompts show up on the screen, but the responses will be automatically read from the file. The password will still be read from the console unless you use the -p option to give the password on the command line.</p><p><span class="command"><strong>Using the -M Option to List Smart Cards</strong></span></p><p>You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:</p><pre class="programlisting">signtool -d "c:\netscape\users\jsmith" -M
+
+using certificate directory: c:\netscape\users\username
+Listing of PKCS11 modules 
+----------------------------------------------- 
+	1. Netscape Internal PKCS #11 Module 
+			  (this module is internally loaded) 
+			  slots: 2 slots attached 
+			  status: loaded 
+	  slot: Communicator Internal Cryptographic Services Version 4.0 
+	 token: Communicator Generic Crypto Svcs 
+	  slot: Communicator User Private Key and Certificate Services 
+	 token: Communicator Certificate DB 
+	2. CryptOS 
+			  (this is an external module) 
+ DLL name: core32 
+	 slots: 1 slots attached 
+	status: loaded 
+	  slot: Litronic 210 
+	 token: 
+	----------------------------------------------- </pre><p><span class="command"><strong>Using Netscape Signing Tool and a Smart Card to Sign Files</strong></span></p><p>The signtool command normally takes an argument of the -k option to specify a signing certificate. To sign with a smart card, you supply only the fully qualified name of the certificate.</p><p>To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:</p><pre class="programlisting">signtool -k "MyCard:My Signing Cert" directory</pre><p><span class="command"><strong>Verifying FIPS Mode</strong></span></p><p>Use the -M option to verify that you are using the FIPS-140-1 module.</p><pre class="programlisting">signtool -d "c:\netscape\users\jsmith" -M
+
+using certificate directory: c:\netscape\users\jsmith
+Listing of PKCS11 modules
+-----------------------------------------------
+  1. Netscape Internal PKCS #11 Module
+          (this module is internally loaded)
+          slots: 2 slots attached
+          status: loaded
+    slot: Communicator Internal Cryptographic Services Version 4.0
+   token: Communicator Generic Crypto Svcs
+    slot: Communicator User Private Key and Certificate Services
+   token: Communicator Certificate DB
+-----------------------------------------------</pre><p>This Unix example shows that Netscape Signing Tool is using a FIPS-140-1 module:</p><pre class="programlisting">signtool -d "c:\netscape\users\jsmith" -M
+using certificate directory: c:\netscape\users\jsmith
+Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
+Listing of PKCS11 modules
+-----------------------------------------------
+1. Netscape Internal FIPS PKCS #11 Module
+(this module is internally loaded)
+slots: 1 slots attached
+status: loaded
+slot: Netscape Internal FIPS-140-1 Cryptographic Services
+token: Communicator Certificate DB
+-----------------------------------------------</pre></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signver (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+				https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
+				https://wiki.mozilla.org/NSS_Shared_DB
+			</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/signver.html

@@ -0,0 +1,35 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>    -A  |   -V    -d <em class="replaceable"><code>directory</code></em>  [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idp4236688"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idp367200"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
+
+signatureValid=yes</pre></div><div class="refsection"><a name="idp370464"></a><h3>Printing Signature Data</h3><p>
+			The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout.
+		</p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert8.db for certificates
+		</p></li><li class="listitem"><p>
+			key3.db for keys
+		</p></li><li class="listitem"><p>
+			secmod.db for PKCS #11 module information
+		</p></li></ul></div><p>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</p><p>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			cert9.db for certificates
+		</p></li><li class="listitem"><p>
+			key4.db for keys
+		</p></li><li class="listitem"><p>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Setting up the shared NSS database</p><p>https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
+				Engineering and technical information about the shared NSS database
+			</p><p>
+				https://wiki.mozilla.org/NSS_Shared_DB
+			</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/ssltap.html

@@ -0,0 +1,422 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code>  [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idp3926848"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p>
+Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. 
+        </p></dd><dt><span class="term">-f </span></dt><dd><p>
+Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. 
+        </p></dd><dt><span class="term">-s </span></dt><dd><p>
+Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
+	  </p><p>
+If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
+	  </p><p>
+If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
+          </p></dd><dt><span class="term">-x  </span></dt><dd><p>
+Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. 
+This option uses the same output format as the -h option.
+            </p></dd><dt><span class="term">-l  prefix</span></dt><dd><p>
+Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete.
+          </p></dd><dt><span class="term">-p  port</span></dt><dd><p>Change the default rendezvous port (1924) to another port.</p><p>The following are well-known port numbers:</p><p>
+          * HTTP   80
+          </p><p>
+	      * HTTPS  443
+	      </p><p>
+          * SMTP   25
+          </p><p>
+          * FTP    21
+          </p><p>
+          * IMAP   143
+          </p><p>
+          * IMAPS  993 (IMAP over SSL)
+          </p><p>
+          * NNTP   119
+          </p><p>
+          * NNTPS  563 (NNTP over SSL) 
+          </p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
+You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell:
+      </p><pre class="programlisting">$ ssltap www.netscape.com</pre><p>
+The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --&gt; [ data ] Data sent from the server to the client is surrounded by the following symbols: 
+"left arrow"-- [ data ] The raw data stream is sent to standard output and is not interpreted in any way. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window. To output a basic, printable interpretation of the data, use the -h option, or, if you are looking at an SSL connection, the -s option. You will notice that the page you retrieved looks incomplete in the browser. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images. To make the tool 
+continue to accept connections, switch on looping mode with the -l option. The following examples show the output from commonly used combinations of options.
+      </p><p>Example 1 </p><pre class="programlisting">$ ssltap.exe -sx -p 444 interzone.mcom.com:443 &gt; sx.txt</pre><p>Output </p><pre class="programlisting">
+Connected to interzone.mcom.com:443
+--&gt;; [
+alloclen = 66 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 39 (0x27)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+
+                (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  (0x000006) SSL3/RSA/RC2CBC40/MD5
+                  }
+            session-id = { }
+            challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+
+0x2592 }
+}
+]
+&lt;-- [
+SSLRecord {
+   0: 16 03 00 03  e5                                   |.....
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+   0: 02 00 00 46                                      |...F
+      type = 2 (server_hello)
+      length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {...}
+   0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45  |
+wn&amp;l.ì..XOG.-.E
+   10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f  |
+
+\.uC§L.Ç.d&lt;PAHO.
+                  session ID = {
+                  length = 32
+
+                contents = {..}
+   0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32  | ...¨*1.)..@7W.§2
+   10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6  | VoRbþ=³e±...R£È.
+         }
+               cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+         }
+   0: 0b 00 02 c5                                      |...Å
+      type = 11 (certificate)
+      length = 709 (0x0002c5)
+            CertificateChain {
+            chainlength = 706 (0x02c2)
+               Certificate {
+            size = 703 (0x02bf)
+               data = { saved in file 'cert.001' }
+            }
+         }
+   0: 0c 00 00 ca                                      |....
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+   0: 0e 00 00 00                                      |....
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+--&gt; [
+SSLRecord {
+   0: 16 03 00 00  44                                   |....D
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+   0: 10 00 00 40                                      |...@
+   type = 16 (client_key_exchange)
+   length = 64 (0x000040)
+         ClientKeyExchange {
+            message = {...}
+         }
+   }
+}
+]
+--&gt; [
+SSLRecord {
+   0: 14 03 00 00  01                                   |.....
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |.
+}
+SSLRecord {
+   0: 16 03 00 00  38                                   |....8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               &lt; encrypted &gt;
+
+}
+]
+&lt;-- [
+SSLRecord {
+   0: 14 03 00 00  01                                   |.....
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |.
+}
+]
+&lt;-- [
+SSLRecord {
+   0: 16 03 00 00  38                                   |....8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+                  &lt; encrypted &gt;
+
+}
+]
+--&gt; [
+SSLRecord {
+   0: 17 03 00 01  1f                                   |.....
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               &lt; encrypted &gt;
+}
+]
+&lt;-- [
+SSLRecord {
+   0: 17 03 00 00  a0                                   |....
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               &lt; encrypted &gt;
+
+}
+]
+&lt;-- [
+SSLRecord {
+0: 17 03 00 00  df                                   |....ß
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               &lt; encrypted &gt;
+
+}
+SSLRecord {
+   0: 15 03 00 00  12                                   |.....
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               &lt; encrypted &gt;
+}
+]
+Server socket closed.
+</pre><p>Example 2</p><p>
+The -s option turns on SSL parsing. Because the -x option is not used in this example, undecoded values are output as raw data. The output is routed to a text file.
+    </p><pre class="programlisting">$ ssltap -s  -p 444 interzone.mcom.com:443 &gt; s.txt</pre><p>Output </p><pre class="programlisting">
+Connected to interzone.mcom.com:443
+--&gt; [
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 36 (0x24)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+                  (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  }
+               session-id = { }
+            challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+0x3fd0 }
+]
+&gt;-- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+         type = 2 (server_hello)
+         length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {...}
+            session ID = {
+               length = 32
+               contents = {..}
+               }
+               cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+            }
+         type = 11 (certificate)
+         length = 709 (0x0002c5)
+            CertificateChain {
+               chainlength = 706 (0x02c2)
+               Certificate {
+                  size = 703 (0x02bf)
+                  data = { saved in file 'cert.001' }
+               }
+            }
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+--&gt; [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+         type = 16 (client_key_exchange)
+         length = 64 (0x000040)
+            ClientKeyExchange {
+               message = {...}
+            }
+   }
+}
+]
+--&gt; [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               &gt; encrypted &gt;
+}
+]
+&gt;-- [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+]
+&gt;-- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               &gt; encrypted &gt;
+}
+]
+--&gt; [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               &gt; encrypted &gt;
+}
+]
+[
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               &gt; encrypted &gt;
+}
+]
+&gt;-- [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               &gt; encrypted &gt;
+}
+SSLRecord {
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               &gt; encrypted &gt;
+}
+]
+Server socket closed.
+</pre><p>Example 3</p><p>
+In this example, the -h option turns hex/ASCII format. There is no SSL parsing or decoding. The output is routed to a text file.
+    </p><pre class="programlisting">$ ssltap -h  -p 444 interzone.mcom.com:443 &gt; h.txt</pre><p>Output </p><pre class="programlisting">
+Connected to interzone.mcom.com:443
+--&gt; [
+   0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  | .@....'.........
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | .........@......
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  | ........á.......
+   30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  | ..þ[V.I.\xd9 ...º¹R
+   40: 6f 2d                                            |o-
+]
+&lt;-- [
+   0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d  | ........F.......
+   10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b  | h.:y`..&lt;..³.Òi;
+   20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05  | x.K.¦R.KFè. ...
+   30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77  | MR.ý..QH.....¶vw
+   40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b  | *ô..¡.a¢d......
+   50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02  | ..Å......0...0..
+   60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86  | $ .......60...*.
+   70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06  | H.÷......0w1.0..
+   80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04  | .U....US1,0*..U.
+   90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d  | ..#Netscape Comm
+   a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f  | unications Corpo
+   b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13  | ration1.0...U...
+   c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55  | .Hardcore1'0%..U
+   d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72  | ....Hardcore Cer
+   e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20  | tificate Server
+   f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33  | II0...9805160103
+&lt;additional data lines&gt;
+]
+&lt;additional records in same format&gt;
+Server socket closed.
+</pre><p>Example 4</p><p>
+In this example, the -s option turns on SSL parsing, and the -h option turns on hex/ASCII format. 
+Both formats are shown for each record. The output is routed to a text file.
+      </p><pre class="programlisting">$ ssltap -hs -p 444 interzone.mcom.com:443 &gt; hs.txt</pre><p>Output </p><pre class="programlisting">
+Connected to interzone.mcom.com:443
+--&gt; [
+   0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00  | .=....$.........
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | .........@......
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03  | ........á.......
+   30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9     |U..yÇ\xb0 ,.x.]µÏé
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 36 (0x24)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+                  (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  }
+            session-id = { }
+            challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+
+0xcfe9 }
+}
+]
+&lt;additional records in same formats&gt;
+Server socket closed.
+</pre></div><div class="refsection"><a name="usage-tips"></a><h2>Usage Tips</h2><p>
+When SSL restarts a previous session, it makes use of cached information to do a partial handshake. 
+If you wish to capture a full SSL handshake, restart the browser to clear the session id cache.
+      </p><p>
+If you run the tool on a machine other than the SSL server to which you are trying to connect, 
+the browser will complain that the host name you are trying to connect to is different from the certificate. 
+If you are using the default BadCert callback, you can still connect through a dialog. If you are not using 
+the default BadCert callback, the one you supply must allow for this possibility.
+      </p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>The NSS Security Tools are also documented at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/tools" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>.</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/vfychain.html

@@ -0,0 +1,28 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain  — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idp522256"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara">	   * CERT_VerifyCertificate if specified once,</p><p class="simpara">	   * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p>
+	 	 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
+	     4=Email signer, 5=Email recipient, 6=Object signer,
+		 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
+            </p></dd><dt><span class="term"><code class="option">-T </code></span></dt><dd>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
+            </dd><dt><span class="term"><code class="option">-v </code></span></dt><dd>Verbose mode. Prints root cert subject(double the
+			 argument for whole root cert info)
+            </dd><dt><span class="term"><code class="option">-w </code> <em class="replaceable"><code>password</code></em></span></dt><dd>Database password</dd><dt><span class="term"><code class="option">-W </code> <em class="replaceable"><code>pwfile</code></em></span></dt><dd>Password file</dd><dt><span class="term"><code class="option"></code></span></dt><dd><p class="simpara">Revocation options for PKIX API (invoked with -pp options) is a
+	collection of the following flags:
+		[-g type [-h flags] [-m type [-s flags]] ...] ...</p><p class="simpara">Where: </p></dd><dt><span class="term"><code class="option">-g </code> <em class="replaceable"><code>test-type</code></em></span></dt><dd>Sets status checking test type. Possible values
+			are "leaf" or "chain"
+          </dd><dt><span class="term"><code class="option">-g </code> <em class="replaceable"><code>test type</code></em></span></dt><dd>Sets status checking test type. Possible values
+			are "leaf" or "chain".
+          </dd><dt><span class="term"><code class="option">-h </code> <em class="replaceable"><code>test flags</code></em></span></dt><dd>Sets revocation flags for the test type it
+			follows. Possible flags: "testLocalInfoFirst" and
+			"requireFreshInfo".
+          </dd><dt><span class="term"><code class="option">-m </code> <em class="replaceable"><code>method type</code></em></span></dt><dd>Sets method type for the test type it follows.
+			Possible types are "crl" and "ocsp".
+          </dd><dt><span class="term"><code class="option">-s </code> <em class="replaceable"><code>method flags</code></em></span></dt><dd>Sets revocation flags for the method it follows.
+			Possible types are "doNotUse", "forbidFetching",
+			"ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
+          </dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/html/vfyserv.html

@@ -0,0 +1,7 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv  — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idp188000"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
+    </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </p></div></div><div class="navfooter"><hr></div></body></html>

mozilla/security/nss/doc/nroff/cmsutil.1

@@ -0,0 +1,251 @@
+'\" t
+.\"     Title: CMSUTIL
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "CMSUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+cmsutil \- Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages\&.
+.SH "SYNOPSIS"
+.HP \w'\fBcmsutil\fR\ 'u
+\fBcmsutil\fR [\fIoptions\fR] [[\fIarguments\fR]]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The
+\fBcmsutil\fR
+command\-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages\&.
+.PP
+To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section\&. Each command takes one option\&. Each option may take zero or more arguments\&. To see a usage string, issue the command without options\&.
+.SH "OPTIONS AND ARGUMENTS"
+.PP
+.PP
+\fBOptions\fR
+.PP
+Options specify an action\&. Option arguments modify an action\&. The options and arguments for the cmsutil command are defined as follows:
+.PP
+\-D
+.RS 4
+Decode a message\&.
+.RE
+.PP
+\-C
+.RS 4
+Encrypt a message\&.
+.RE
+.PP
+\-E
+.RS 4
+Envelope a message\&.
+.RE
+.PP
+\-O
+.RS 4
+Create a certificates\-only message\&.
+.RE
+.PP
+\-S
+.RS 4
+Sign a message\&.
+.RE
+.PP
+\fBArguments\fR
+.PP
+Option arguments modify an action and are lowercase\&.
+.PP
+\-c content
+.RS 4
+Use this detached content (decode only)\&.
+.RE
+.PP
+\-d dbdir
+.RS 4
+Specify the key/certificate database directory (default is "\&.")
+.RE
+.PP
+\-e envfile
+.RS 4
+Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message\&. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only)\&.
+.RE
+.PP
+\-G
+.RS 4
+Include a signing time attribute (sign only)\&.
+.RE
+.PP
+\-h num
+.RS 4
+Generate email headers with info about CMS message (decode only)\&.
+.RE
+.PP
+\-i infile
+.RS 4
+Use infile as a source of data (default is stdin)\&.
+.RE
+.PP
+\-N nickname
+.RS 4
+Specify nickname of certificate to sign with (sign only)\&.
+.RE
+.PP
+\-n
+.RS 4
+Suppress output of contents (decode only)\&.
+.RE
+.PP
+\-o outfile
+.RS 4
+Use outfile as a destination of data (default is stdout)\&.
+.RE
+.PP
+\-P
+.RS 4
+Include an S/MIME capabilities attribute\&.
+.RE
+.PP
+\-p password
+.RS 4
+Use password as key database password\&.
+.RE
+.PP
+\-r recipient1,recipient2, \&.\&.\&.
+.RS 4
+Specify list of recipients (email addresses) for an encrypted or enveloped message\&. For certificates\-only message, list of certificates to send\&.
+.RE
+.PP
+\-T
+.RS 4
+Suppress content in CMS message (sign only)\&.
+.RE
+.PP
+\-u certusage
+.RS 4
+Set type of cert usage (default is certUsageEmailSigner)\&.
+.RE
+.PP
+\-Y ekprefnick
+.RS 4
+Specify an encryption key preference by nickname\&.
+.RE
+.SH "USAGE"
+.PP
+Encrypt Example
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cmsutil \-C [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "recipient1,recipient2, \&. \&. \&." \-e envfile
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Decode Example
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cmsutil \-D [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] [\-c content] [\-n] [\-h num]
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Envelope Example
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cmsutil \-E [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "recipient1,recipient2, \&.\&.\&."
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Certificate\-only Example
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cmsutil \-O [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "cert1,cert2, \&. \&. \&."
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Sign Message Example
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cmsutil \-S [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-N nickname[\-TGP] [\-Y ekprefnick]
+      
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+certutil(1)
+.SH "SEE ALSO"
+.PP
+.PP
+.PP
+.PP
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/doc/nroff/crlutil.1

@@ -0,0 +1,388 @@
+'\" t
+.\"     Title: CRLUTIL
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "CRLUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+crlutil \- List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL\&.
+.SH "SYNOPSIS"
+.HP \w'\fBcrlutil\fR\ 'u
+\fBcrlutil\fR [\fIoptions\fR] [[\fIarguments\fR]]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The Certificate Revocation List (CRL) Management Tool,
+\fBcrlutil\fR, is a command\-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL\&.
+.PP
+The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation\&.
+.PP
+This document discusses certificate revocation list management\&. For information on security module database management, see Using the Security Module Database Tool\&. For information on certificate and key database management, see Using the Certificate Database Tool\&.
+.PP
+To run the Certificate Revocation List Management Tool, type the command
+.PP
+crlutil option [arguments]
+.PP
+where options and arguments are combinations of the options and arguments listed in the following section\&. Each command takes one option\&. Each option may take zero or more arguments\&. To see a usage string, issue the command without options, or with the \-H option\&.
+.SH "OPTIONS AND ARGUMENTS"
+.PP
+.PP
+\fBOptions\fR
+.PP
+Options specify an action\&. Option arguments modify an action\&. The options and arguments for the crlutil command are defined as follows:
+.PP
+\-G
+.RS 4
+Create new Certificate Revocation List(CRL)\&.
+.RE
+.PP
+\-D
+.RS 4
+Delete Certificate Revocation List from cert database\&.
+.RE
+.PP
+\-I
+.RS 4
+Import a CRL to the cert database
+.RE
+.PP
+\-E
+.RS 4
+Erase all CRLs of specified type from the cert database
+.RE
+.PP
+\-L
+.RS 4
+List existing CRL located in cert database file\&.
+.RE
+.PP
+\-S
+.RS 4
+Show contents of a CRL file which isn\*(Aqt stored in the database\&.
+.RE
+.PP
+\-M
+.RS 4
+Modify existing CRL which can be located in cert db or in arbitrary file\&. If located in file it should be encoded in ASN\&.1 encode format\&.
+.RE
+.PP
+\-G
+.RS 4
+.RE
+.PP
+\fBArguments\fR
+.PP
+Option arguments modify an action and are lowercase\&.
+.PP
+\-B
+.RS 4
+Bypass CA signature checks\&.
+.RE
+.PP
+\-P dbprefix
+.RS 4
+Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
+.RE
+.PP
+\-a
+.RS 4
+Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&.
+.RE
+.PP
+\-c crl\-gen\-file
+.RS 4
+Specify script file that will be used to control crl generation/modification\&. See crl\-cript\-file format below\&. If options \-M|\-G is used and \-c crl\-script\-file is not specified, crlutil will read script data from standard input\&.
+.RE
+.PP
+\-d directory
+.RS 4
+Specify the database directory containing the certificate and key database files\&. On Unix the Certificate Database Tool defaults to $HOME/\&.netscape (that is, ~/\&.netscape)\&. On Windows NT the default is the current directory\&.
+.sp
+The NSS database files must reside in the same directory\&.
+.RE
+.PP
+\-i crl\-file
+.RS 4
+Specify the file which contains the CRL to import or show\&.
+.RE
+.PP
+\-f password\-file
+.RS 4
+Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
+.RE
+.PP
+\-l algorithm\-name
+.RS 4
+Specify a specific signature algorithm\&. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
+.RE
+.PP
+\-n nickname
+.RS 4
+Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&.
+.RE
+.PP
+\-o output\-file
+.RS 4
+Specify the output file name for new CRL\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&.
+.RE
+.PP
+\-t crl\-type
+.RS 4
+Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\&. This option is obsolete
+.RE
+.PP
+\-u url
+.RS 4
+Specify the url\&.
+.RE
+.SH "CRL GENERATION SCRIPT SYNTAX"
+.PP
+CRL generation script file has the following syntax:
+.PP
+* Line with comments should have # as a first symbol of a line
+.PP
+* Set "this update" or "next update" CRL fields:
+.PP
+update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
+.PP
+Field "next update" is optional\&. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ)\&. For example: 20050204153000Z
+.PP
+* Add an extension to a CRL or a crl certificate entry:
+.PP
+addext extension\-name critical/non\-critical [arg1[arg2 \&.\&.\&.]]
+.PP
+Where:
+.PP
+extension\-name: string value of a name of known extensions\&. critical/non\-critical: is 1 when extension is critical and 0 otherwise\&. arg1, arg2: specific to extension type extension parameters
+.PP
+addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range\&.
+.PP
+* Add certificate entries(s) to CRL:
+.PP
+addcert range date
+.PP
+range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&. date: revocation date of a cert\&. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ)\&.
+.PP
+* Remove certificate entry(s) from CRL
+.PP
+rmcert range
+.PP
+Where:
+.PP
+range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&.
+.PP
+* Change range of certificate entry(s) in CRL
+.PP
+range new\-range
+.PP
+Where:
+.PP
+new\-range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&.
+.PP
+Implemented Extensions
+.PP
+The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries\&. For more information see RFC #3280
+.PP
+* Add The Authority Key Identifier extension:
+.PP
+The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL\&.
+.PP
+authKeyId critical [key\-id | dn cert\-serial]
+.PP
+Where:
+.PP
+authKeyIdent: identifies the name of an extension critical: value of 1 of 0\&. Should be set to 1 if this extension is critical or 0 otherwise\&. key\-id: key identifier represented in octet string\&. dn:: is a CA distinguished name cert\-serial: authority certificate serial number\&.
+.PP
+* Add Issuer Alternative Name extension:
+.PP
+The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL\&. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI\&.
+.PP
+issuerAltNames non\-critical name\-list
+.PP
+Where:
+.PP
+subjAltNames: identifies the name of an extension should be set to 0 since this is non\-critical extension name\-list: comma separated list of names
+.PP
+* Add CRL Number extension:
+.PP
+The CRL number is a non\-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer\&. This extension allows users to easily determine when a particular CRL supersedes another CRL
+.PP
+crlNumber non\-critical number
+.PP
+Where:
+.PP
+crlNumber: identifies the name of an extension critical: should be set to 0 since this is non\-critical extension number: value of long which identifies the sequential number of a CRL\&.
+.PP
+* Add Revocation Reason Code extension:
+.PP
+The reasonCode is a non\-critical CRL entry extension that identifies the reason for the certificate revocation\&.
+.PP
+reasonCode non\-critical code
+.PP
+Where:
+.PP
+reasonCode: identifies the name of an extension non\-critical: should be set to 0 since this is non\-critical extension code: the following codes are available:
+.PP
+unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
+.PP
+* Add Invalidity Date extension:
+.PP
+The invalidity date is a non\-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid\&.
+.PP
+invalidityDate non\-critical date
+.PP
+Where:
+.PP
+crlNumber: identifies the name of an extension non\-critical: should be set to 0 since this is non\-critical extension date: invalidity date of a cert\&. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ)\&.
+.SH "USAGE"
+.PP
+The Certificate Revocation List Management Tool\*(Aqs capabilities are grouped as follows, using these combinations of options and arguments\&. Options and arguments in square brackets are optional, those without square brackets are required\&.
+.PP
+See "Implemented extensions" for more information regarding extensions and their parameters\&.
+.PP
+* Creating or modifying a CRL:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+crlutil \-G|\-M \-c crl\-gen\-file \-n nickname [\-i crl] [\-u url] [\-d keydir] [\-P dbprefix] [\-l alg] [\-a] [\-B] 
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Listing all CRls or a named CRL:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+	crlutil \-L [\-n crl\-name] [\-d krydir] 
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Deleting CRL from db:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+	crlutil \-D \-n nickname [\-d keydir] [\-P dbprefix] 
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Erasing CRLs from db:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+	crlutil \-E [\-d keydir] [\-P dbprefix] 
+      
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Deleting CRL from db:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+          crlutil \-D \-n nickname [\-d keydir] [\-P dbprefix]
+    
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Erasing CRLs from db:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+          crlutil \-E [\-d keydir] [\-P dbprefix] 
+    
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+* Import CRL from file:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+          crlutil \-I \-i crl [\-t crlType] [\-u url] [\-d keydir] [\-P dbprefix] [\-B] 
+    
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+certutil(1)
+.SH "SEE ALSO"
+.PP
+.PP
+.PP
+.PP
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/doc/nroff/derdump.1

@@ -0,0 +1,92 @@
+'\" t
+.\"     Title: DERDUMP
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "DERDUMP" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+derdump_ \- Dumps C\-sequence strings from a DER encoded certificate file
+.SH "SYNOPSIS"
+.HP \w'\fBderdump\fR\ 'u
+\fBderdump\fR [\fB\-r\fR] [\fB\-i\ \fR\fB\fIinput\-file\fR\fR] [\fB\-o\ \fR\fB\fIoutput\-file\fR\fR]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+\fBderdump \fRdumps C\-sequence strings from a DER encode certificate file
+.SH "OPTIONS"
+.PP
+\fB\-r \fR
+.RS 4
+For formatted items, dump raw bytes as well
+.RE
+.PP
+\fB\-i \fR \fIDER encoded file\fR
+.RS 4
+Define an input file to use (default is stdin)
+.RE
+.PP
+\fB\-o \fR \fIoutput file\fR
+.RS 4
+Define an output file to use (default is stdout)\&.
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+NSS is maintained in conjunction with PKI and security\-related projects through Mozilla dn Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at
+\m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&.
+.PP
+For information specifically about NSS, the NSS project wiki is located at
+\m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape and now with Red Hat\&.
+.PP
+Authors: Gerhardus Geldenhuis <gerhardus\&.geldenhuis@gmail\&.com>\&. Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE
+.IP " 2." 4
+PKI Wiki
+.RS 4
+\%http://pki.fedoraproject.org/wiki/
+.RE
+.IP " 3." 4
+Mozilla NSS site
+.RS 4
+\%http://www.mozilla.org/projects/security/pki/nss/
+.RE

mozilla/security/nss/doc/nroff/pp.1

@@ -0,0 +1,98 @@
+'\" t
+.\"     Title: PP
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "PP" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pp \- Prints certificates, keys, crls, and pkcs7 files
+.SH "SYNOPSIS"
+.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\fR\ 'u
+\fBpp \-t type [\-a] [\-i input] [\-o output]\fR
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+\fBpp \fRpretty\-prints private and public key, certificate, certificate\-request, pkcs7 or crl files
+.SH "OPTIONS"
+.PP
+\fB\-t \fR \fItype\fR
+.RS 4
+specify the input, one of {private\-key | public\-key | certificate | certificate\-request | pkcs7 | crl}
+.sp
+.RE
+.PP
+\fB\-a \fR
+.RS 4
+Input is in ascii encoded form (RFC1113)
+.RE
+.PP
+\fB\-i \fR \fIinputfile\fR
+.RS 4
+Define an input file to use (default is stdin)
+.RE
+.PP
+\fB\-u \fR \fIoutputfile\fR
+.RS 4
+Define an output file to use (default is stdout)
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+NSS is maintained in conjunction with PKI and security\-related projects through Mozilla dn Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at
+\m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&.
+.PP
+For information specifically about NSS, the NSS project wiki is located at
+\m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE
+.IP " 2." 4
+PKI Wiki
+.RS 4
+\%http://pki.fedoraproject.org/wiki/
+.RE
+.IP " 3." 4
+Mozilla NSS site
+.RS 4
+\%http://www.mozilla.org/projects/security/pki/nss/
+.RE

mozilla/security/nss/doc/nroff/signtool.1

@@ -0,0 +1,681 @@
+'\" t
+.\"     Title: signtool
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "SIGNTOOL" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+signtool \- Digitally sign objects and files\&.
+.SH "SYNOPSIS"
+.HP \w'\fBsigntool\fR\ 'u
+\fBsigntool\fR [\-k\ keyName] [[\-h]] [[\-H]] [[\-l]] [[\-L]] [[\-M]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-\-keysize\ |\ \-s\ size]] [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-i\ installer\ script]] [[\-m\ metafile]] [[\-x\ name]] [[\-f\ filename]] [[\-t|\-\-token\ tokenname]] [[\-e\ extension]] [[\-o]] [[\-z]] [[\-X]] [[\-\-outfile]] [[\-\-verbose\ value]] [[\-\-norecurse]] [[\-\-leavearc]] [[\-j\ directory]] [[\-Z\ jarfile]] [[\-O]] [[\-p\ password]] [directory\-tree] [archive]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The Signing Tool,
+\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory\&. Electronic software distribution over any network involves potential security problems\&. To help address some of these problems, you can associate digital signatures with the files in a JAR archive\&. Digital signatures allow SSL\-enabled clients to perform two important operations:
+.PP
+* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files
+.PP
+* Check whether the files have been tampered with since being signed
+.PP
+If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file\&. An object\-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files\&.
+.PP
+An individual file can potentially be signed with multiple digital signatures\&. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company\&. A network administrator manager might sign the same files with an additional digital signature based on a company\-generated certificate to indicate that the product is approved for use within the company\&.
+.PP
+The significance of a digital signature is comparable to the significance of a handwritten signature\&. Once you have signed a file, it is difficult to claim later that you didn\*(Aqt sign it\&. In some situations, a digital signature may be considered as legally binding as a handwritten signature\&. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute\&.
+.PP
+For example, if you are a software developer, you should test your code to make sure it is virus\-free before signing it\&. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it\&.
+.PP
+Before you can use Netscape Signing Tool to sign files, you must have an object\-signing certificate, which is a special certificate whose associated private key is used to create digital signatures\&. For testing purposes only, you can create an object\-signing certificate with Netscape Signing Tool 1\&.3\&. When testing is finished and you are ready to disitribute your software, you should obtain an object\-signing certificate from one of two kinds of sources:
+.PP
+* An independent certificate authority (CA) that authenticates your identity and charges you a fee\&. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet\&.
+.PP
+* CA server software running on your corporate intranet or extranet\&. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object\-signing certificates\&.
+.PP
+You must also have a certificate for the CA that issues your signing certificate before you can sign files\&. If the certificate authority\*(Aqs certificate isn\*(Aqt already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority\*(Aqs web site, for example on the page from which you initiated enrollment for your signing certificate\&. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate\&. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database\&.
+.PP
+When you receive an object\-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software\&. Communicator supports the public\-key cryptography standard known as PKCS #12, which governs key portability\&. You can, for example, move an object\-signing certificate and its associated private key from one computer to another on a credit\-card\-sized device called a smart card\&.
+.SH "OPTIONS"
+.PP
+\-b basename
+.RS 4
+Specifies the base filename for the \&.rsa and \&.sf files in the META\-INF directory to conform with the JAR format\&. For example,
+\fI\-b signatures\fR
+causes the files to be named signatures\&.rsa and signatures\&.sf\&. The default is signtool\&.
+.RE
+.PP
+\-c#
+.RS 4
+Specifies the compression level for the \-J or \-Z option\&. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression\&. The higher the level of compression, the smaller the output but the longer the operation takes\&. If the \-c# option is not used with either the \-J or the \-Z option, the default compression value used by both the \-J and \-Z options is 6\&.
+.RE
+.PP
+\-d certdir
+.RS 4
+Specifies your certificate database directory; that is, the directory in which you placed your key3\&.db and cert7\&.db files\&. To specify the current directory, use "\-d\&." (including the period)\&. The Unix version of signtool assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool always requires the use of the \-d option to specify where the database files are located\&.
+.RE
+.PP
+\-e extension
+.RS 4
+Tells signtool to sign only files with the given extension; for example, use \-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing Tool version 1\&.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include\&.
+.RE
+.PP
+\-f commandfile
+.RS 4
+Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format\&. All options and arguments can be expressed through this file\&. For more information about the syntax used with this file, see "Tips and Techniques"\&.
+.RE
+.PP
+\-i scriptname
+.RS 4
+Specifies the name of an installer script for SmartUpdate\&. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature\&. For more details, see the description of \-m that follows\&. The \-i option provides a straightforward way to provide this information if you don\*(Aqt need to specify any metadata other than an installer script\&.
+.RE
+.PP
+\-j directory
+.RS 4
+Specifies a special JavaScript directory\&. This option causes the specified directory to be signed and tags its entries as inline JavaScript\&. This special type of entry does not have to appear in the JAR file itself\&. Instead, it is located in the HTML page containing the inline scripts\&. When you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.
+.RE
+.PP
+\-k key \&.\&.\&. directory
+.RS 4
+Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory\&. The directory to sign is always specified as the last command\-line argument\&. Thus, it is possible to write signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname contains a single quotation mark\&. To avoid problems, escape the quotation mark using the escape conventions for your platform\&. It\*(Aqs also possible to use the \-k option without signing any files or specifying a directory\&. For example, you can use it with the \-l option to get detailed information about a particular signing certificate\&.
+.RE
+.PP
+\-G nickname
+.RS 4
+Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&. For more information about the use of the \-G option, see "Generating Test Object\-Signing Certificates""Generating Test Object\-Signing Certificates" on page 1241\&.
+.RE
+.PP
+\-l
+.RS 4
+Lists signing certificates, including issuing CAs\&. If any of your certificates are expired or invalid, the list will so specify\&. This option can be used with the \-k option to list detailed information about a particular signing certificate\&. The \-l option is available in Netscape Signing Tool 1\&.0 and later versions only\&.
+.RE
+.PP
+\-J
+.RS 4
+Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&.
+.RE
+.PP
+\-L
+.RS 4
+Lists the certificates in your database\&. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool\&.
+.RE
+.PP
+\-\-leavearc
+.RS 4
+Retains the temporary \&.arc (archive) directories that the \-J option creates\&. These directories are automatically erased by default\&. Retaining the temporary directories can be an aid to debugging\&.
+.RE
+.PP
+\-m metafile
+.RS 4
+Specifies the name of a metadata control file\&. Metadata is signed information attached either to the JAR archive itself or to files within the archive\&. This metadata can be any ASCII string, but is used mainly for specifying an installer script\&. The metadata file contains one entry per line, each with three fields: field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive) field #2: the name of the data you are specifying; for example: Install\-Script field #3: data corresponding to the name in field #2 For example, the \-i option uses the equivalent of this line: + Install\-Script: script\&.js This example associates a MIME type with a file: movie\&.qt MIME\-Type: video/quicktime For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge\&.
+.RE
+.PP
+\-M
+.RS 4
+Lists the PKCS #11 modules available to signtool, including smart cards\&. The \-M option is available in Netscape Signing Tool 1\&.0 and later versions only\&. For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards"\&. For information on using the \-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool and FIPS\-140\-1"\&.
+.RE
+.PP
+\-\-norecurse
+.RS 4
+Blocks recursion into subdirectories when signing a directory\*(Aqs contents or when parsing HTML\&.
+.RE
+.PP
+\-o
+.RS 4
+Optimizes the archive for size\&. Use this only if you are signing very large archives containing hundreds of files\&. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information\&.
+.RE
+.PP
+\-\-outfile outputfile
+.RS 4
+Specifies a file to receive redirected output from Netscape Signing Tool\&.
+.RE
+.PP
+\-p password
+.RS 4
+Specifies a password for the private\-key database\&. Note that the password entered on the command line is displayed as plain text\&.
+.RE
+.PP
+\-s keysize
+.RS 4
+Specifies the size of the key for generated certificate\&. Use the \-M option to find out what tokens are available\&. The \-s option can be used with the \-G option only\&.
+.RE
+.PP
+\-t token
+.RS 4
+Specifies which available token should generate the key and receive the certificate\&. Use the \-M option to find out what tokens are available\&. The \-t option can be used with the \-G option only\&.
+.RE
+.PP
+\-v archive
+.RS 4
+Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated\&. This includes checking that the certificate for the issuer of the object\-signing certificate is listed in the certificate database, that the CA\*(Aqs digital signature on the object\-signing certificate is valid, that the relevant certificates have not expired, and so on\&.
+.RE
+.PP
+\-\-verbosity value
+.RS 4
+Sets the quantity of information Netscape Signing Tool generates in operation\&. A value of 0 (zero) is the default and gives full information\&. A value of \-1 suppresses most messages, but not error messages\&.
+.RE
+.PP
+\-w archive
+.RS 4
+Displays the names of signers of any files in the archive\&.
+.RE
+.PP
+\-x directory
+.RS 4
+Excludes the specified directory from signing\&. Note that with Netscape Signing Tool version 1\&.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude\&.
+.RE
+.PP
+\-z
+.RS 4
+Tells signtool not to store the signing time in the digital signature\&. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed\&.
+.RE
+.PP
+\-Z jarfile
+.RS 4
+Creates a JAR file with the specified name\&. You must specify this option if you want signtool to create the JAR file; it does not do so automatically\&. If you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the JAR file\&. The \-Z option cannot be used at the same time as the \-J option\&. If the \-c# option is not used with the \-Z option, the default compression value is 6\&.
+.RE
+.SH "THE COMMAND FILE FORMAT"
+.PP
+Entries in a Netscape Signing Tool command file have this general format: keyword=value Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value\&. The value may include = signs; only the first = sign on a line is interpreted\&. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign)\&. Keywords are case insensitive, values are generally case sensitive\&. Since the = sign and newline delimit the value, it should not be quoted\&.
+.PP
+\fBSubsection\fR
+.PP
+basename
+.RS 4
+Same as \-b option\&.
+.RE
+.PP
+compression
+.RS 4
+Same as \-c option\&.
+.RE
+.PP
+certdir
+.RS 4
+Same as \-d option\&.
+.RE
+.PP
+extension
+.RS 4
+Same as \-e option\&.
+.RE
+.PP
+generate
+.RS 4
+Same as \-G option\&.
+.RE
+.PP
+installscript
+.RS 4
+Same as \-i option\&.
+.RE
+.PP
+javascriptdir
+.RS 4
+Same as \-j option\&.
+.RE
+.PP
+htmldir
+.RS 4
+Same as \-J option\&.
+.RE
+.PP
+certname
+.RS 4
+Nickname of certificate, as with \-k and \-l \-k options\&.
+.RE
+.PP
+signdir
+.RS 4
+The directory to be signed, as with \-k option\&.
+.RE
+.PP
+list
+.RS 4
+Same as \-l option\&. Value is ignored, but = sign must be present\&.
+.RE
+.PP
+listall
+.RS 4
+Same as \-L option\&. Value is ignored, but = sign must be present\&.
+.RE
+.PP
+metafile
+.RS 4
+Same as \-m option\&.
+.RE
+.PP
+modules
+.RS 4
+Same as \-M option\&. Value is ignored, but = sign must be present\&.
+.RE
+.PP
+optimize
+.RS 4
+Same as \-o option\&. Value is ignored, but = sign must be present\&.
+.RE
+.PP
+password
+.RS 4
+Same as \-p option\&.
+.RE
+.PP
+keysize
+.RS 4
+Same as \-s option\&.
+.RE
+.PP
+token
+.RS 4
+Same as \-t option\&.
+.RE
+.PP
+verify
+.RS 4
+Same as \-v option\&.
+.RE
+.PP
+who
+.RS 4
+Same as \-w option\&.
+.RE
+.PP
+exclude
+.RS 4
+Same as \-x option\&.
+.RE
+.PP
+notime
+.RS 4
+Same as \-z option\&. value is ignored, but = sign must be present\&.
+.RE
+.PP
+jarfile
+.RS 4
+Same as \-Z option\&.
+.RE
+.PP
+outfile
+.RS 4
+Name of a file to which output and error messages will be redirected\&. This option has no command\-line equivalent\&.
+.RE
+.SH "EXTENDED EXAMPLES"
+.PP
+The following example will do this and that
+.PP
+\fBListing Available Signing Certificates\fR
+.PP
+You use the \-L option to list the nicknames for all available certificates and check which ones are signing certificates\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-L 
+
+using certificate directory: /u/jsmith/\&.netscape 
+S Certificates 
+\- \-\-\-\-\-\-\-\-\-\-\-\- 
+  BBN Certificate Services CA Root 1 
+  IBM World Registry CA 
+  VeriSign Class 1 CA \- Individual Subscriber \- VeriSign, Inc\&. 
+  GTE CyberTrust Root CA 
+  Uptime Group Plc\&. Class 4 CA 
+* Verisign Object Signing Cert 
+  Integrion CA 
+  GTE CyberTrust Secure Server CA 
+  AT&T Directory Services 
+* test object signing cert 
+  Uptime Group Plc\&. Class 1 CA 
+  VeriSign Class 1 Primary CA 
+\- \-\-\-\-\-\-\-\-\-\-\-\-
+
+Certificates that can be used to sign objects have *\*(Aqs to their left\&. 
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert\&.
+.PP
+You use the \-l option to get a list of signing certificates only, including the signing CA for each\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-l
+
+using certificate directory: /u/jsmith/\&.netscape
+Object signing certificates
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+
+Verisign Object Signing Cert
+    Issued by: VeriSign, Inc\&. \- Verisign, Inc\&.
+    Expires: Tue May 19, 1998
+test object signing cert
+    Issued by: test object signing cert (Signtool 1\&.0 Testing 
+Certificate (960187691))
+    Expires: Sun May 17, 1998
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+For a list including CAs, use the
+\fB\-L\fR
+option\&.
+.PP
+\fBSigning a File\fR
+.PP
+1\&. Create an empty directory\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+mkdir signdir
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+2\&. Put some file into it\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+echo boo > signdir/test\&.f
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+3\&. Specify the name of your object\-signing certificate and sign the directory\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-k MySignCert \-Z testjar\&.jar signdir
+
+using key "MySignCert"
+using certificate directory: /u/jsmith/\&.netscape
+Generating signdir/META\-INF/manifest\&.mf file\&.\&.
+\-\-> test\&.f
+adding signdir/test\&.f to testjar\&.jar
+Generating signtool\&.sf file\&.\&.
+Enter Password or Pin for "Communicator Certificate DB":
+
+adding signdir/META\-INF/manifest\&.mf to testjar\&.jar
+adding signdir/META\-INF/signtool\&.sf to testjar\&.jar
+adding signdir/META\-INF/signtool\&.rsa to testjar\&.jar
+
+tree "signdir" signed successfully
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+4\&. Test the archive you just created\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-v testjar\&.jar
+
+using certificate directory: /u/jsmith/\&.netscape
+archive "testjar\&.jar" has passed crypto verification\&.
+           status   path
+     \-\-\-\-\-\-\-\-\-\-\-\-   \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+         verified   test\&.f
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBUsing Netscape Signing Tool with a ZIP Utility\fR
+.PP
+To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable\&. You should use the zip\&.exe utility rather than pkzip\&.exe, which cannot handle long filenames\&. You can use a ZIP utility instead of the \-Z option to package a signed archive into a JAR file after you have signed it:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+cd signdir 
+
+  zip \-r \&.\&./myjar\&.jar * 
+  adding: META\-INF/ (stored 0%) 
+  adding: META\-INF/manifest\&.mf (deflated 15%) 
+  adding: META\-INF/signtool\&.sf (deflated 28%) 
+  adding: META\-INF/signtool\&.rsa (stored 0%) 
+  adding: text\&.txt (stored 0%)
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBGenerating the Keys and Certificate\fR
+.PP
+The signtool option \-G generates a new public\-private key pair and certificate\&. It takes the nickname of the new certificate as an argument\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&.
+.PP
+Certificates contain standard information about the entity they identify, such as the common name and organization name\&. Netscape Signing Tool prompts you for this information when you run the command with the \-G option\&. However, all of the requested fields are optional for test certificates\&. If you do not enter a common name, the tool provides a default name\&. In the following example, the user input is in boldface:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-G MyTestCert
+
+using certificate directory: /u/someuser/\&.netscape
+Enter certificate information\&. All fields are optional\&. Acceptable
+characters are numbers, letters, spaces, and apostrophes\&.
+certificate common name: Test Object Signing Certificate
+organization: Netscape Communications Corp\&.
+organization unit: Server Products Division
+state or province: California
+country (must be exactly 2 characters): US
+username: someuser
+email address: someuser@netscape\&.com
+Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
+generated public/private key pair
+certificate request generated
+certificate has been signed
+certificate "MyTestCert" added to database
+Exported certificate to x509\&.raw and x509\&.cacert\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The certificate information is read from standard input\&. Therefore, the information can be read from a file using the redirection operator (<) in some operating systems\&. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line\&. Make sure there is a newline character at the end of the last line\&. Then run signtool with standard input redirected from your file as follows:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-G MyTestCert inputfile
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The prompts show up on the screen, but the responses will be automatically read from the file\&. The password will still be read from the console unless you use the \-p option to give the password on the command line\&.
+.PP
+\fBUsing the \-M Option to List Smart Cards\fR
+.PP
+You can use the \-M option to list the PKCS #11 modules, including smart cards, that are available to signtool:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-d "c:\enetscape\eusers\ejsmith" \-M
+
+using certificate directory: c:\enetscape\eusers\eusername
+Listing of PKCS11 modules 
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- 
+	1\&. Netscape Internal PKCS #11 Module 
+			  (this module is internally loaded) 
+			  slots: 2 slots attached 
+			  status: loaded 
+	  slot: Communicator Internal Cryptographic Services Version 4\&.0 
+	 token: Communicator Generic Crypto Svcs 
+	  slot: Communicator User Private Key and Certificate Services 
+	 token: Communicator Certificate DB 
+	2\&. CryptOS 
+			  (this is an external module) 
+ DLL name: core32 
+	 slots: 1 slots attached 
+	status: loaded 
+	  slot: Litronic 210 
+	 token: 
+	\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- 
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBUsing Netscape Signing Tool and a Smart Card to Sign Files\fR
+.PP
+The signtool command normally takes an argument of the \-k option to specify a signing certificate\&. To sign with a smart card, you supply only the fully qualified name of the certificate\&.
+.PP
+To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame\&. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert"\&. You use this name with the \-k argument as follows:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-k "MyCard:My Signing Cert" directory
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBVerifying FIPS Mode\fR
+.PP
+Use the \-M option to verify that you are using the FIPS\-140\-1 module\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-d "c:\enetscape\eusers\ejsmith" \-M
+
+using certificate directory: c:\enetscape\eusers\ejsmith
+Listing of PKCS11 modules
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+  1\&. Netscape Internal PKCS #11 Module
+          (this module is internally loaded)
+          slots: 2 slots attached
+          status: loaded
+    slot: Communicator Internal Cryptographic Services Version 4\&.0
+   token: Communicator Generic Crypto Svcs
+    slot: Communicator User Private Key and Certificate Services
+   token: Communicator Certificate DB
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This Unix example shows that Netscape Signing Tool is using a FIPS\-140\-1 module:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signtool \-d "c:\enetscape\eusers\ejsmith" \-M
+using certificate directory: c:\enetscape\eusers\ejsmith
+Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
+Listing of PKCS11 modules
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+1\&. Netscape Internal FIPS PKCS #11 Module
+(this module is internally loaded)
+slots: 1 slots attached
+status: loaded
+slot: Netscape Internal FIPS\-140\-1 Cryptographic Services
+token: Communicator Certificate DB
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+signver (1)
+.PP
+The NSS wiki has information on the new database design and how to configure applications to use it\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+https://wiki\&.mozilla\&.org/NSS_Shared_DB
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/doc/nroff/signver.1

@@ -0,0 +1,320 @@
+'\" t
+.\"     Title: SIGNVER
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "SIGNVER" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+signver \- Verify a detached PKCS#7 signature for a file\&.
+.SH "SYNOPSIS"
+.HP \w'\fBsigntool\fR\ 'u
+\fBsigntool\fR \-A | \-V  \-d\ \fIdirectory\fR [\-a] [\-i\ \fIinput_file\fR] [\-o\ \fIoutput_file\fR] [\-s\ \fIsignature_file\fR] [\-v]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The Signature Verification Tool,
+\fBsignver\fR, is a simple command\-line utility that unpacks a base\-64\-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques\&. The Signature Verification Tool can also display the contents of the signed object\&.
+.SH "OPTIONS"
+.PP
+\-A
+.RS 4
+Displays all of the information in the PKCS#7 signature\&.
+.RE
+.PP
+\-V
+.RS 4
+Verifies the digital signature\&.
+.RE
+.PP
+\-d [sql:]\fIdirectory\fR
+.RS 4
+Specify the database directory which contains the certificates and keys\&.
+.sp
+\fBsignver\fR
+supports two types of databases: the legacy security databases (cert8\&.db,
+key3\&.db, and
+secmod\&.db) and new SQLite databases (cert9\&.db,
+key4\&.db, and
+pkcs11\&.txt)\&. If the prefix
+\fBsql:\fR
+is not used, then the tool assumes that the given databases are in the old format\&.
+.RE
+.PP
+\-a
+.RS 4
+Sets that the given signature file is in ASCII format\&.
+.RE
+.PP
+\-i \fIinput_file\fR
+.RS 4
+Gives the input file for the object with signed data\&.
+.RE
+.PP
+\-o \fIoutput_file\fR
+.RS 4
+Gives the output file to which to write the results\&.
+.RE
+.PP
+\-s \fIsignature_file\fR
+.RS 4
+Gives the input file for the digital signature\&.
+.RE
+.PP
+\-v
+.RS 4
+Enables verbose output\&.
+.RE
+.SH "EXTENDED EXAMPLES"
+.SS "Verifying a Signature"
+.PP
+The
+\fB\-V\fR
+option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file)\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signver \-V \-s \fIsignature_file\fR \-i \fIsigned_file\fR \-d sql:/home/my/sharednssdb
+
+signatureValid=yes
+.fi
+.if n \{\
+.RE
+.\}
+.SS "Printing Signature Data"
+.PP
+The
+\fB\-A\fR
+option prints all of the information contained in a signature file\&. Using the
+\fB\-o\fR
+option prints the signature file information to the given output file rather than stdout\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+signver \-A \-s \fIsignature_file\fR \-o \fIoutput_file\fR
+.fi
+.if n \{\
+.RE
+.\}
+.SH "NSS DATABASE TYPES"
+.PP
+NSS originally used BerkeleyDB databases to store security information\&. The last versions of these
+\fIlegacy\fR
+databases are:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+cert8\&.db for certificates
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+key3\&.db for keys
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+secmod\&.db for PKCS #11 module information
+.RE
+.PP
+BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&.
+.PP
+In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+cert9\&.db for certificates
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+key4\&.db for keys
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+.RE
+.PP
+Because the SQLite databases are designed to be shared, these are the
+\fIshared\fR
+database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&.
+.PP
+By default, the tools (\fBcertutil\fR,
+\fBpk12util\fR,
+\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the
+\fBsql:\fR
+prefix with the given security directory\&. For example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# signver \-A \-s \fIsignature\fR \-d sql:/home/my/sharednssdb
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+To set the shared database type as the default type for the tools, set the
+\fBNSS_DEFAULT_DB_TYPE\fR
+environment variable to
+\fBsql\fR:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+export NSS_DEFAULT_DB_TYPE="sql"
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This line can be set added to the
+~/\&.bashrc
+file to make the change permanent\&.
+.PP
+Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
+.RE
+.PP
+For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+https://wiki\&.mozilla\&.org/NSS_Shared_DB
+.RE
+.SH "SEE ALSO"
+.PP
+signtool (1)
+.PP
+The NSS wiki has information on the new database design and how to configure applications to use it\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting up the shared NSS database
+.sp
+https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Engineering and technical information about the shared NSS database
+.sp
+https://wiki\&.mozilla\&.org/NSS_Shared_DB
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/doc/nroff/ssltap.1

@@ -0,0 +1,609 @@
+'\" t
+.\"     Title: SSLTAP
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "SSLTAP" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+ssltap \- Tap into SSL connections and display the data going by
+.SH "SYNOPSIS"
+.HP \w'\fBlibssltap\fR\ 'u
+\fBlibssltap\fR [\-vhfsxl] [\-p\ port] [hostname:port]
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The SSL Debugging Tool
+\fBssltap\fR
+is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking
+.SH "OPTIONS"
+.PP
+\-v
+.RS 4
+Print a version string for the tool\&.
+.RE
+.PP
+\-h
+.RS 4
+Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&.
+.RE
+.PP
+\-f
+.RS 4
+Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&.
+.RE
+.PP
+\-s
+.RS 4
+Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&.
+.sp
+If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&.
+.sp
+If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&.
+.RE
+.PP
+\-x
+.RS 4
+Turn on hex/ASCII printing of undecoded data inside parsed SSL records\&. Used only with the \-s option\&. This option uses the same output format as the \-h option\&.
+.RE
+.PP
+\-l prefix
+.RS 4
+Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete\&.
+.RE
+.PP
+\-p port
+.RS 4
+Change the default rendezvous port (1924) to another port\&.
+.sp
+The following are well\-known port numbers:
+.sp
+* HTTP 80
+.sp
+* HTTPS 443
+.sp
+* SMTP 25
+.sp
+* FTP 21
+.sp
+* IMAP 143
+.sp
+* IMAPS 993 (IMAP over SSL)
+.sp
+* NNTP 119
+.sp
+* NNTPS 563 (NNTP over SSL)
+.RE
+.SH "USAGE AND EXAMPLES"
+.PP
+You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ ssltap www\&.netscape\&.com
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The program waits for an incoming connection on the default port 1924\&. In your browser window, enter the URL http://intercept:1924\&. The browser retrieves the requested page from the server at www\&.netscape\&.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept\&. On its way to the browser, the data is printed to the command shell from which you issued the command\&. Data sent from the client to the server is surrounded by the following symbols: \-\-> [ data ] Data sent from the server to the client is surrounded by the following symbols: "left arrow"\-\- [ data ] The raw data stream is sent to standard output and is not interpreted in any way\&. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window\&. To output a basic, printable interpretation of the data, use the \-h option, or, if you are looking at an SSL connection, the \-s option\&. You will notice that the page you retrieved looks incomplete in the browser\&. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images\&. To make the tool continue to accept connections, switch on looping mode with the \-l option\&. The following examples show the output from commonly used combinations of options\&.
+.PP
+Example 1
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ ssltap\&.exe \-sx \-p 444 interzone\&.mcom\&.com:443 > sx\&.txt
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Output
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+Connected to interzone\&.mcom\&.com:443
+\-\->; [
+alloclen = 66 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher\-specs\-length = 39 (0x27)
+            sid\-length = 0 (0x00)
+            challenge\-length = 16 (0x10)
+            cipher\-suites = {
+
+                (0x010080) SSL2/RSA/RC4\-128/MD5
+                  (0x020080) SSL2/RSA/RC4\-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4\-128/MD5
+                  (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
+                  (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4\-40/MD5
+                  (0x000006) SSL3/RSA/RC2CBC40/MD5
+                  }
+            session\-id = { }
+            challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+
+0x2592 }
+}
+]
+<\-\- [
+SSLRecord {
+   0: 16 03 00 03  e5                                   |\&.\&.\&.\&.\&.
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+   0: 02 00 00 46                                      |\&.\&.\&.F
+      type = 2 (server_hello)
+      length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {\&.\&.\&.}
+   0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45  |
+wn&l\&.\(`i\&.\&.XOG\&.\-\&.E
+   10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f  |
+
+\e\&.uC\(scL\&.\(,C\&.d<PAHO\&.
+                  session ID = {
+                  length = 32
+
+                contents = {\&.\&.}
+   0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32  | \&.\&.\&.\(ad*1\&.)\&.\&.@7W\&.\(sc2
+   10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6  | VoRb\(Tp=\(S3e\(+-\&.\&.\&.R\(Po\(`E\&.
+         }
+               cipher_suite = (0x0003) SSL3/RSA/RC4\-40/MD5
+         }
+   0: 0b 00 02 c5                                      |\&.\&.\&.\(oA
+      type = 11 (certificate)
+      length = 709 (0x0002c5)
+            CertificateChain {
+            chainlength = 706 (0x02c2)
+               Certificate {
+            size = 703 (0x02bf)
+               data = { saved in file \*(Aqcert\&.001\*(Aq }
+            }
+         }
+   0: 0c 00 00 ca                                      |\&.\&.\&.\&.
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+   0: 0e 00 00 00                                      |\&.\&.\&.\&.
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+\-\-> [
+SSLRecord {
+   0: 16 03 00 00  44                                   |\&.\&.\&.\&.D
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+   0: 10 00 00 40                                      |\&.\&.\&.@
+   type = 16 (client_key_exchange)
+   length = 64 (0x000040)
+         ClientKeyExchange {
+            message = {\&.\&.\&.}
+         }
+   }
+}
+]
+\-\-> [
+SSLRecord {
+   0: 14 03 00 00  01                                   |\&.\&.\&.\&.\&.
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |\&.
+}
+SSLRecord {
+   0: 16 03 00 00  38                                   |\&.\&.\&.\&.8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               < encrypted >
+
+}
+]
+<\-\- [
+SSLRecord {
+   0: 14 03 00 00  01                                   |\&.\&.\&.\&.\&.
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |\&.
+}
+]
+<\-\- [
+SSLRecord {
+   0: 16 03 00 00  38                                   |\&.\&.\&.\&.8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+                  < encrypted >
+
+}
+]
+\-\-> [
+SSLRecord {
+   0: 17 03 00 01  1f                                   |\&.\&.\&.\&.\&.
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               < encrypted >
+}
+]
+<\-\- [
+SSLRecord {
+   0: 17 03 00 00  a0                                   |\&.\&.\&.\&.
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               < encrypted >
+
+}
+]
+<\-\- [
+SSLRecord {
+0: 17 03 00 00  df                                   |\&.\&.\&.\&.\(ss
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               < encrypted >
+
+}
+SSLRecord {
+   0: 15 03 00 00  12                                   |\&.\&.\&.\&.\&.
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               < encrypted >
+}
+]
+Server socket closed\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Example 2
+.PP
+The \-s option turns on SSL parsing\&. Because the \-x option is not used in this example, undecoded values are output as raw data\&. The output is routed to a text file\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ ssltap \-s  \-p 444 interzone\&.mcom\&.com:443 > s\&.txt
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Output
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+Connected to interzone\&.mcom\&.com:443
+\-\-> [
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher\-specs\-length = 36 (0x24)
+            sid\-length = 0 (0x00)
+            challenge\-length = 16 (0x10)
+            cipher\-suites = {
+                  (0x010080) SSL2/RSA/RC4\-128/MD5
+                  (0x020080) SSL2/RSA/RC4\-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4\-128/MD5
+                  (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
+                  (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4\-40/MD5
+                  }
+               session\-id = { }
+            challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+0x3fd0 }
+]
+>\-\- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+         type = 2 (server_hello)
+         length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {\&.\&.\&.}
+            session ID = {
+               length = 32
+               contents = {\&.\&.}
+               }
+               cipher_suite = (0x0003) SSL3/RSA/RC4\-40/MD5
+            }
+         type = 11 (certificate)
+         length = 709 (0x0002c5)
+            CertificateChain {
+               chainlength = 706 (0x02c2)
+               Certificate {
+                  size = 703 (0x02bf)
+                  data = { saved in file \*(Aqcert\&.001\*(Aq }
+               }
+            }
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+\-\-> [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+         type = 16 (client_key_exchange)
+         length = 64 (0x000040)
+            ClientKeyExchange {
+               message = {\&.\&.\&.}
+            }
+   }
+}
+]
+\-\-> [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               > encrypted >
+}
+]
+>\-\- [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+]
+>\-\- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               > encrypted >
+}
+]
+\-\-> [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               > encrypted >
+}
+]
+[
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               > encrypted >
+}
+]
+>\-\- [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               > encrypted >
+}
+SSLRecord {
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               > encrypted >
+}
+]
+Server socket closed\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Example 3
+.PP
+In this example, the \-h option turns hex/ASCII format\&. There is no SSL parsing or decoding\&. The output is routed to a text file\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ ssltap \-h  \-p 444 interzone\&.mcom\&.com:443 > h\&.txt
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Output
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+Connected to interzone\&.mcom\&.com:443
+\-\-> [
+   0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  | \&.@\&.\&.\&.\&.\*(Aq\&.\&.\&.\&.\&.\&.\&.\&.\&.
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&.
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&.
+   30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  | \&.\&.\(Tp[V\&.I\&.\exd9 \&.\&.\&.\(Om\(S1R
+   40: 6f 2d                                            |o\-
+]
+<\-\- [
+   0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d  | \&.\&.\&.\&.\&.\&.\&.\&.F\&.\&.\&.\&.\&.\&.\&.
+   10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b  | h\&.:y`\&.\&.<\&.\&.\(S3\&.\(`Oi;
+   20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05  | x\&.K\&.\(bbR\&.KF\(`e\&. \&.\&.\&.
+   30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77  | MR\&.\('y\&.\&.QH\&.\&.\&.\&.\&.\(psvw
+   40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b  | *\(^o\&.\&.\(r!\&.a\(ctd\&.\&.\&.\&.\&.\&.
+   50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02  | \&.\&.\(oA\&.\&.\&.\&.\&.\&.0\&.\&.\&.0\&.\&.
+   60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86  | $ \&.\&.\&.\&.\&.\&.\&.60\&.\&.\&.*\&.
+   70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06  | H\&.\(di\&.\&.\&.\&.\&.\&.0w1\&.0\&.\&.
+   80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04  | \&.U\&.\&.\&.\&.US1,0*\&.\&.U\&.
+   90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d  | \&.\&.#Netscape Comm
+   a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f  | unications Corpo
+   b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13  | ration1\&.0\&.\&.\&.U\&.\&.\&.
+   c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55  | \&.Hardcore1\*(Aq0%\&.\&.U
+   d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72  | \&.\&.\&.\&.Hardcore Cer
+   e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20  | tificate Server
+   f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33  | II0\&.\&.\&.9805160103
+<additional data lines>
+]
+<additional records in same format>
+Server socket closed\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Example 4
+.PP
+In this example, the \-s option turns on SSL parsing, and the \-h option turns on hex/ASCII format\&. Both formats are shown for each record\&. The output is routed to a text file\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ ssltap \-hs \-p 444 interzone\&.mcom\&.com:443 > hs\&.txt
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Output
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+Connected to interzone\&.mcom\&.com:443
+\-\-> [
+   0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00  | \&.=\&.\&.\&.\&.$\&.\&.\&.\&.\&.\&.\&.\&.\&.
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&.
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03  | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&.
+   30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9     |U\&.\&.y\(,C\exb0 ,\&.x\&.]\(mc\(:I\('e
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher\-specs\-length = 36 (0x24)
+            sid\-length = 0 (0x00)
+            challenge\-length = 16 (0x10)
+            cipher\-suites = {
+                  (0x010080) SSL2/RSA/RC4\-128/MD5
+                  (0x020080) SSL2/RSA/RC4\-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4\-128/MD5
+                  (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
+                  (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4\-40/MD5
+                  }
+            session\-id = { }
+            challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+
+0xcfe9 }
+}
+]
+<additional records in same formats>
+Server socket closed\&.
+.fi
+.if n \{\
+.RE
+.\}
+.SH "USAGE TIPS"
+.PP
+When SSL restarts a previous session, it makes use of cached information to do a partial handshake\&. If you wish to capture a full SSL handshake, restart the browser to clear the session id cache\&.
+.PP
+If you run the tool on a machine other than the SSL server to which you are trying to connect, the browser will complain that the host name you are trying to connect to is different from the certificate\&. If you are using the default BadCert callback, you can still connect through a dialog\&. If you are not using the default BadCert callback, the one you supply must allow for this possibility\&.
+.SH "SEE ALSO"
+.PP
+The NSS Security Tools are also documented at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&\s-2\u[2]\d\s+2\&.
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE
+.IP " 2." 4
+http://www.mozilla.org/projects/security/pki/nss/
+.RS 4
+\%http://www.mozilla.org/projects/security/pki/nss/tools
+.RE

mozilla/security/nss/doc/nroff/vfychain.1

@@ -0,0 +1,169 @@
+'\" t
+.\"     Title: VFYCHAIN
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "VFYCHAIN" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+vfychain_ \- vfychain [options] [revocation options] certfile [[options] certfile] \&.\&.\&.
+.SH "SYNOPSIS"
+.HP \w'\fBvfychain\fR\ 'u
+\fBvfychain\fR
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The verification Tool,
+\fBvfychain\fR, verifies certificate chains\&.
+\fBmodutil\fR
+can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&.
+.PP
+The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&.
+.SH "OPTIONS"
+.PP
+\fB\-a\fR
+.RS 4
+the following certfile is base64 encoded
+.RE
+.PP
+\fB\-b \fR \fIYYMMDDHHMMZ\fR
+.RS 4
+Validate date (default: now)
+.RE
+.PP
+\fB\-d \fR \fIdirectory\fR
+.RS 4
+database directory
+.RE
+.PP
+\fB\-f \fR
+.RS 4
+Enable cert fetching from AIA URL
+.RE
+.PP
+\fB\-o \fR \fIoid\fR
+.RS 4
+Set policy OID for cert validation(Format OID\&.1\&.2\&.3)
+.RE
+.PP
+\fB\-p \fR
+.RS 4
+Use PKIX Library to validate certificate by calling:
+.sp
+* CERT_VerifyCertificate if specified once,
+.sp
+* CERT_PKIXVerifyCert if specified twice and more\&.
+.RE
+.PP
+\fB\-r \fR
+.RS 4
+Following certfile is raw binary DER (default)
+.RE
+.PP
+\fB\-t\fR
+.RS 4
+Following cert is explicitly trusted (overrides db trust)
+.RE
+.PP
+\fB\-u \fR \fIusage\fR
+.RS 4
+0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
+.RE
+.PP
+\fB\-T \fR
+.RS 4
+Trust both explicit trust anchors (\-t) and the database\&. (Without this option, the default is to only trust certificates marked \-t, if there are any, or to trust the database if there are certificates marked \-t\&.)
+.RE
+.PP
+\fB\-v \fR
+.RS 4
+Verbose mode\&. Prints root cert subject(double the argument for whole root cert info)
+.RE
+.PP
+\fB\-w \fR \fIpassword\fR
+.RS 4
+Database password
+.RE
+.PP
+\fB\-W \fR \fIpwfile\fR
+.RS 4
+Password file
+.RE
+.PP
+.RS 4
+Revocation options for PKIX API (invoked with \-pp options) is a collection of the following flags: [\-g type [\-h flags] [\-m type [\-s flags]] \&.\&.\&.] \&.\&.\&.
+.sp
+Where:
+.RE
+.PP
+\fB\-g \fR \fItest\-type\fR
+.RS 4
+Sets status checking test type\&. Possible values are "leaf" or "chain"
+.RE
+.PP
+\fB\-g \fR \fItest type\fR
+.RS 4
+Sets status checking test type\&. Possible values are "leaf" or "chain"\&.
+.RE
+.PP
+\fB\-h \fR \fItest flags\fR
+.RS 4
+Sets revocation flags for the test type it follows\&. Possible flags: "testLocalInfoFirst" and "requireFreshInfo"\&.
+.RE
+.PP
+\fB\-m \fR \fImethod type\fR
+.RS 4
+Sets method type for the test type it follows\&. Possible types are "crl" and "ocsp"\&.
+.RE
+.PP
+\fB\-s \fR \fImethod flags\fR
+.RS 4
+Sets revocation flags for the method it follows\&. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo"\&.
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/doc/nroff/vfyserv.1

@@ -0,0 +1,70 @@
+'\" t
+.\"     Title: VFYSERV
+.\"    Author: [see the "Authors" section]
+.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
+.\"      Date: 15 February 2013
+.\"    Manual: NSS Security Tools
+.\"    Source: nss-tools
+.\"  Language: English
+.\"
+.TH "VFYSERV" "1" "15 February 2013" "nss-tools" "NSS Security Tools"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+vfyserv_ \- TBD
+.SH "SYNOPSIS"
+.HP \w'\fBvfyserv\fR\ 'u
+\fBvfyserv\fR
+.SH "STATUS"
+.PP
+This documentation is still work in progress\&. Please contribute to the initial review in
+\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "DESCRIPTION"
+.PP
+The
+\fBvfyserv \fR
+tool verifies a certificate chain
+.SH "OPTIONS"
+.PP
+.RS 4
+.sp
+.RE
+.SH "ADDITIONAL RESOURCES"
+.PP
+For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
+\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
+.PP
+Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
+.PP
+IRC: Freenode at #dogtag\-pki
+.SH "AUTHORS"
+.PP
+The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&.
+.PP
+Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
+.SH "LICENSE"
+.PP
+Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&.
+.SH "NOTES"
+.IP " 1." 4
+Mozilla NSS bug 836477
+.RS 4
+\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+.RE

mozilla/security/nss/lib/certhigh/ocsp.c

@@ -6,7 +6,7 @@
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.77 2013-01-23 23:05:50 kaie%kuix.de Exp $
+ * $Id: ocsp.c,v 1.79 2013-02-15 17:56:18 kaie%kuix.de Exp $
  */
 
 #include "prerror.h"
@@ -124,9 +124,9 @@ ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
 			      CERTCertificate *cert,
 			      int64 time,
 			      void *pwArg,
-			      SECItem *encodedResponse,
+			      const SECItem *encodedResponse,
+			      PRBool cacheInvalid,
 			      PRBool *certIDWasConsumed,
-			      PRBool cacheNegative,
 			      SECStatus *rv_ocsp);
 
 static SECStatus
@@ -140,6 +140,9 @@ ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
 static SECStatus
 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, int64 time);
 
+static CERTOCSPCertID *
+cert_DupOCSPCertID(CERTOCSPCertID *src);
+
 #ifndef DEBUG
 #define OCSP_TRACE(msg)
 #define OCSP_TRACE_TIME(msg, time)
@@ -766,6 +769,9 @@ ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
 /*
  * Status in *certIDWasConsumed will always be correct, regardless of 
  * return value.
+ * If the caller is unable to transfer ownership of certID,
+ * then the caller must set certIDWasConsumed to NULL,
+ * and this function will potentially duplicate the certID object.
  */
 static SECStatus
 ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, 
@@ -777,10 +783,7 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
     OCSPCacheItem *cacheItem;
     OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n"));
   
-    if (!certIDWasConsumed) {
+    if (certIDWasConsumed)
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
     *certIDWasConsumed = PR_FALSE;
   
     PR_EnterMonitor(OCSP_Global.monitor);
@@ -788,23 +791,47 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
   
     cacheItem = ocsp_FindCacheEntry(cache, certID);
     if (!cacheItem) {
-        rv = ocsp_CreateCacheItemAndConsumeCertID(cache, certID, 
+        CERTOCSPCertID *myCertID;
+        if (certIDWasConsumed) {
+            myCertID = certID;
+            *certIDWasConsumed = PR_TRUE;
+        } else {
+            myCertID = cert_DupOCSPCertID(certID);
+            if (!myCertID) {
+                PR_ExitMonitor(OCSP_Global.monitor);
+                PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+                return SECFailure;
+            }
+        }
+
+        rv = ocsp_CreateCacheItemAndConsumeCertID(cache, myCertID,
                                                   &cacheItem);
         if (rv != SECSuccess) {
             PR_ExitMonitor(OCSP_Global.monitor);
             return rv;
         }
-        *certIDWasConsumed = PR_TRUE;
     }
     if (single) {
-        rv = ocsp_SetCacheItemResponse(cacheItem, single);
+        PRTime thisUpdate;
-        if (rv != SECSuccess) {
+        rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
-            ocsp_RemoveCacheItem(cache, cacheItem);
+
-            PR_ExitMonitor(OCSP_Global.monitor);
+        if (!cacheItem->haveThisUpdate ||
-            return rv;
+            (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) {
+            rv = ocsp_SetCacheItemResponse(cacheItem, single);
+            if (rv != SECSuccess) {
+                ocsp_RemoveCacheItem(cache, cacheItem);
+                PR_ExitMonitor(OCSP_Global.monitor);
+                return rv;
+            }
+        } else {
+            OCSP_TRACE(("Not caching response because the response is not newer than the cache"));
         }
     } else {
         cacheItem->missingResponseError = PORT_GetError();
+        if (cacheItem->certStatusArena) {
+            PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE);
+            cacheItem->certStatusArena = NULL;
+        }
     }
     ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem);
     ocsp_CheckCacheSize(cache);
@@ -1545,7 +1572,7 @@ CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
  * results in a NULL being returned (and an appropriate error set).
  */
 
-static SECItem *
+SECItem *
 ocsp_DigestValue(PRArenaPool *arena, SECOidTag digestAlg, 
                  SECItem *fill, const SECItem *src)
 {
@@ -1752,6 +1779,54 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time)
     return certID;
 }
 
+static CERTOCSPCertID *
+cert_DupOCSPCertID(CERTOCSPCertID *src)
+{
+    CERTOCSPCertID *dest;
+    PRArenaPool *arena = NULL;
+
+    if (!src) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena)
+        goto loser;
+
+    dest = PORT_ArenaZNew(arena, CERTOCSPCertID);
+      if (!dest)
+        goto loser;
+
+#define DUPHELP(element) \
+    if (src->element.data) {  \
+        if (SECITEM_CopyItem(arena, &dest->element, &src->element) \
+            != SECSuccess) \
+            goto loser;     \
+    }
+
+    DUPHELP(hashAlgorithm.algorithm)
+    DUPHELP(hashAlgorithm.parameters)
+    DUPHELP(issuerNameHash)
+    DUPHELP(issuerKeyHash)
+    DUPHELP(serialNumber)
+    DUPHELP(issuerSHA1NameHash)
+    DUPHELP(issuerMD5NameHash)
+    DUPHELP(issuerMD2NameHash)
+    DUPHELP(issuerSHA1KeyHash)
+    DUPHELP(issuerMD5KeyHash)
+    DUPHELP(issuerMD2KeyHash)
+
+    dest->poolp = arena;
+    return dest;
+
+loser:
+    if (arena)
+        PORT_FreeArena(arena, PR_FALSE);
+    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+    return NULL;
+}
+
 /*
  * Callback to set Extensions in request object
  */
@@ -2535,7 +2610,7 @@ ocsp_DecodeResponseBytes(PRArenaPool *arena, ocspResponseBytes *rbytes)
  *   or a low-level or internal error occurred).
  */
 CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src)
+CERT_DecodeOCSPResponse(const SECItem *src)
 {
     PRArenaPool *arena = NULL;
     CERTOCSPResponse *response = NULL;
@@ -4817,15 +4892,58 @@ SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      int64 time,
-				      SECItem *encodedResponse,
+				      const SECItem *encodedResponse,
 				      void *pwArg)
 {
-    CERTOCSPCertID *certID;
+    CERTOCSPCertID *certID = NULL;
     PRBool certIDWasConsumed = PR_FALSE;
     SECStatus rv = SECFailure;
     SECStatus rvOcsp;
     SECErrorCodes dummy_error_code; /* we ignore this */
 
+    /* The OCSP cache can be in three states regarding this certificate:
+     *    + Good (cached, timely, 'good' response, or revoked in the future)
+     *    + Revoked (cached, timely, but doesn't fit in the last category)
+     *    + Miss (no knowledge)
+     *
+     * Likewise, the side-channel information can be
+     *    + Good (timely, 'good' response, or revoked in the future)
+     *    + Revoked (timely, but doesn't fit in the last category)
+     *    + Invalid (bad syntax, bad signature, not timely etc)
+     *
+     * The common case is that the cache result is Good and so is the
+     * side-channel information. We want to save processing time in this case
+     * so we say that any time we see a Good result from the cache we return
+     * early.
+     *
+     *                       Cache result
+     *      | Good             Revoked               Miss
+     *   ---+--------------------------------------------
+     *    G |  noop           Cache more           Cache it
+     * S    |                 recent result
+     * i    |
+     * d    |
+     * e    |
+     *    R |  noop           Cache more           Cache it
+     * C    |                 recent result
+     * h    |
+     * a    |
+     * n    |
+     * n  I |  noop           Noop                  Noop
+     * e    |
+     * l    |
+     *
+     * When we fetch from the network we might choose to cache a negative
+     * result when the response is invalid. This saves us hammering, uselessly,
+     * at a broken responder. However, side channels are commonly attacker
+     * controlled and so we must not cache a negative result for an Invalid
+     * side channel.
+     */
+
+    if (!cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
     certID = CERT_CreateOCSPCertID(cert, time);
     if (!certID)
         return SECFailure;
@@ -4833,22 +4951,18 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
         certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
         &rvOcsp, &dummy_error_code);
     if (rv == SECSuccess && rvOcsp == SECSuccess) {
-	/* The cached value is good. We don't want to waste time validating
+        /* The cached value is good. We don't want to waste time validating
-	 * this OCSP response. */
+         * this OCSP response. This is the first column in the table above. */
         CERT_DestroyOCSPCertID(certID);
         return rv;
     }
 
-    /* Since the OCSP response came from a side channel it is attacker
+    /* The logic for caching the more recent response is handled in
-     * controlled. The attacker can have chosen any valid OCSP response,
+     * ocsp_CreateOrUpdateCacheEntry, which is called by this function. */
-     * including responses from the past. In this case,
+    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time,
-     * ocsp_GetVerifiedSingleResponseForCertID will fail. If we recorded a
+                                       pwArg, encodedResponse,
-     * negative cache entry in this case, then the attacker would have
+                                       PR_FALSE /* don't cache if invalid */,
-     * 'poisoned' our cache (denial of service), so we don't record negative
+                                       &certIDWasConsumed,
-     * results. */
-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
-                                       encodedResponse, &certIDWasConsumed,
-                                       PR_FALSE /* don't cache failures */,
                                        &rvOcsp);
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
@@ -4936,8 +5050,9 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
     }
 
     rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
-	                               encodedResponse, certIDWasConsumed,
+                                       encodedResponse,
-	                               PR_TRUE /* cache failures */, rv_ocsp);
+                                       PR_TRUE /* cache if invalid */,
+                                       certIDWasConsumed, rv_ocsp);
 
 loser:
     if (request != NULL)
@@ -4975,6 +5090,9 @@ loser:
  *     the opaque argument to the password prompting function.
  *   SECItem *encodedResponse
  *     the DER encoded bytes of the OCSP response
+ *   PRBool cacheInvalid
+ *     If true then invalid responses will cause a negative cache entry to be
+ *     created. (Invalid means bad syntax, bad signature etc)
  *   PRBool *certIDWasConsumed
  *     (output) on return, this is true iff |certID| was consumed by this
  *     function.
@@ -4990,9 +5108,9 @@ ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
 			      CERTCertificate *cert,
 			      int64 time,
 			      void *pwArg,
-			      SECItem *encodedResponse,
+			      const SECItem *encodedResponse,
+                              PRBool cacheInvalid,
 			      PRBool *certIDWasConsumed,
-			      PRBool cacheNegative,
 			      SECStatus *rv_ocsp)
 {
     CERTOCSPResponse *response = NULL;
@@ -5051,7 +5169,8 @@ ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
     *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(single, time);
 
 loser:
-    if (cacheNegative || *rv_ocsp == SECSuccess) {
+    /* If single == NULL here then the response was invalid. */
+    if (single != NULL || cacheInvalid) {
 	PR_EnterMonitor(OCSP_Global.monitor);
 	if (OCSP_Global.maxCacheEntries >= 0) {
 	    /* single == NULL means: remember response failure */

mozilla/security/nss/lib/certhigh/ocsp.h

@@ -5,7 +5,7 @@
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.24 2012-12-12 16:03:44 wtc%google.com Exp $
+ * $Id: ocsp.h,v 1.25 2013-02-15 17:53:24 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSP_H_
@@ -300,7 +300,7 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
  *   or a low-level or internal error occurred).
  */
 extern CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src);
+CERT_DecodeOCSPResponse(const SECItem *src);
 
 /*
  * FUNCTION: CERT_DestroyOCSPResponse
@@ -551,7 +551,7 @@ extern SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      PRTime time,
-				      SECItem *encodedResponse,
+				      const SECItem *encodedResponse,
 				      void *pwArg);
 
 /*

mozilla/security/nss/lib/certhigh/ocspi.h

@@ -4,7 +4,7 @@
 /*
  * ocspi.h - NSS internal interfaces to OCSP code
  *
- * $Id: ocspi.h,v 1.13 2012-12-12 19:29:40 wtc%google.com Exp $
+ * $Id: ocspi.h,v 1.14 2013-02-15 17:56:18 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSPI_H_
@@ -19,6 +19,10 @@ ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
 ocspSignature *
 ocsp_GetResponseSignature(CERTOCSPResponse *response);
 
+SECItem *
+ocsp_DigestValue(PRArenaPool *arena, SECOidTag digestAlg,
+                 SECItem *fill, const SECItem *src);
+
 PRBool
 ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
 

mozilla/security/nss/lib/certhigh/ocspsig.c

@@ -355,6 +355,8 @@ CERT_CreateOCSPSingleResponseRevoked(
     return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
 }
 
+/* responderCert == 0 means:
+ * create a response with an invalid signature (for testing purposes) */
 SECItem*
 CERT_CreateEncodedOCSPSuccessResponse(
     PLArenaPool *arena,
@@ -377,7 +379,7 @@ CERT_CreateEncodedOCSPSuccessResponse(
     SECKEYPrivateKey *privKey = NULL;
     SECItem *result = NULL;
   
-    if (!arena || !responderCert || !responses) {
+    if (!arena || !responses) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
@@ -414,58 +416,106 @@ CERT_CreateEncodedOCSPSuccessResponse(
     if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt)
             != SECSuccess)
         goto done;
-    rid->responderIDType = responderIDType;
+
-    if (responderIDType == ocspResponderID_byName) {
+    if (!responderCert) {
-        responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+	/* use invalid signature for testing purposes */
-        if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
+	char dummyChar = 'd';
-                           &responderCert->subject) != SECSuccess)
+	SECItem dummy;
-            goto done;
+
+	dummy.len = 1;
+	dummy.data = &dummyChar;
+
+	/* it's easier to produdce a keyHash out of nowhere,
+	 * than to produce an encoded subject,
+	 * so for our dummy response we always use byKey
+	 */
+	
+	rid->responderIDType = ocspResponderID_byKey;
+	if (!ocsp_DigestValue(tmpArena, SEC_OID_SHA1, &rid->responderIDValue.keyHash,
+			      &dummy))
+	    goto done;
+
+	if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
+				ocsp_ResponderIDByKeyTemplate))
+	    goto done;
+
+	br->tbsResponseData = rd;
+
+	if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
+				ocsp_myResponseDataTemplate))
+	    goto done;
+
+	br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
+	if (!br->responseSignature.derCerts)
+	    goto done;
+	br->responseSignature.derCerts[0] = NULL;
+
+	algID = SEC_GetSignatureAlgorithmOidTag(rsaKey, SEC_OID_SHA1);
+	if (algID == SEC_OID_UNKNOWN)
+	    goto done;
+
+	/* match the regular signature code, which doesn't use the arena */
+	if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1))
+	    goto done;
+	PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1);
+
+	/* convert len-in-bytes to len-in-bits */
+	br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
     }
     else {
-        responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+	rid->responderIDType = responderIDType;
-        if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
+	if (responderIDType == ocspResponderID_byName) {
-                                      &rid->responderIDValue.keyHash))
+	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
-            goto done;
+	    if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
+			    &responderCert->subject) != SECSuccess)
+		goto done;
+	}
+	else {
+	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+	    if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
+					&rid->responderIDValue.keyHash))
+		goto done;
+	}
+
+	if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
+		responderIDTemplate))
+	    goto done;
+
+	br->tbsResponseData = rd;
+
+	if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
+		ocsp_myResponseDataTemplate))
+	    goto done;
+
+	br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
+	if (!br->responseSignature.derCerts)
+	    goto done;
+	br->responseSignature.derCerts[0] = NULL;
+
+	privKey = PK11_FindKeyByAnyCert(responderCert, wincx);
+	if (!privKey)
+	    goto done;
+
+	algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
+	if (algID == SEC_OID_UNKNOWN)
+	    goto done;
+
+	if (SEC_SignData(&br->responseSignature.signature,
+			    br->tbsResponseDataDER.data, br->tbsResponseDataDER.len,
+			    privKey, algID)
+		!= SECSuccess)
+	    goto done;
+
+	/* convert len-in-bytes to len-in-bits */
+	br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
+
+	/* br->responseSignature.signature wasn't allocated from arena,
+	* we must free it when done. */
     }
 
-    if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
-            responderIDTemplate))
-        goto done;
-
-    br->tbsResponseData = rd;
-    
-    if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
-            ocsp_myResponseDataTemplate))
-        goto done;
-
-    br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
-    if (!br->responseSignature.derCerts)
-        goto done;
-    br->responseSignature.derCerts[0] = NULL;
-
-    privKey = PK11_FindKeyByAnyCert(responderCert, wincx);
-    if (!privKey)
-        goto done;
-
-    algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
-    if (algID == SEC_OID_UNKNOWN)
-        goto done;
-
-    if (SEC_SignData(&br->responseSignature.signature,
-                        br->tbsResponseDataDER.data, br->tbsResponseDataDER.len,
-                        privKey, algID)
-            != SECSuccess)
-        goto done;
-
-    /* convert len-in-bytes to len-in-bits */
-    br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
-
-    /* br->responseSignature.signature wasn't allocated from arena,
-     * we must free it when done. */
-
     if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0)
-            != SECSuccess)
+	    != SECSuccess)
-        goto done;
+	goto done;
 
     if (!SEC_ASN1EncodeItem(tmpArena, &rb->response, br,
                             ocsp_EncodeBasicOCSPResponseTemplate))

mozilla/security/nss/lib/freebl/Makefile

@@ -284,7 +284,6 @@ ifeq ($(CPU_ARCH),sparc)
         HAVE_ABI64_INT = 1
         HAVE_ABI64_FPU = 1
     else
-        HAVE_ABI32_INT32 = 1
         HAVE_ABI32_FPU = 1
         HAVE_ABI32_INT64 = 1
     endif
@@ -292,9 +291,6 @@ ifeq ($(CPU_ARCH),sparc)
     SOLARIS_AS = /usr/ccs/bin/as
     #### set arch, asm, c flags
     ifdef NS_USE_GCC
-	ifdef USE_ABI32_INT32
-	    # default ARCHFLAG=-mcpu=v8 set by coreconf/sunOS5.mk
-	endif
 	ifdef USE_ABI32_INT64
 	    ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus
 	    SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC
@@ -327,9 +323,6 @@ ifeq ($(CPU_ARCH),sparc)
 	    # to what we used in NSS 3.10.
 	    FPU_TARGET_OPTIMIZER = -xchip=ultra2
 	endif
-	ifdef USE_ABI32_INT32
-	    #ARCHFLAG=-xarch=v8 set in coreconf/sunOS5.mk
-	endif
 	ifdef USE_ABI32_INT64
 	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
 	    # 32-bit ABI, it uses 64-bit words, integer arithmetic,
@@ -385,12 +378,6 @@ ifeq ($(CPU_ARCH),sparc)
     endif # NS_USE_GCC
 
     ### set flags for both GCC and Sun cc
-    ifdef USE_ABI32_INT32
-	# this builds for Sparc v8 pure 32-bit architecture
-	DEFINES += -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
-	ASFILES  = mpv_sparcv8x.s
-	DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
-    endif
     ifdef USE_ABI32_INT64
 	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
 	# 32-bit ABI, it uses 64-bit words, integer arithmetic, no FPU

mozilla/security/nss/lib/freebl/arcfour.c

@@ -4,8 +4,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/* See NOTES ON UMRs, Unititialized Memory Reads, below. */
-
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
@@ -18,7 +16,7 @@
 
 /* Architecture-dependent defines */
 
-#if defined(SOLARIS) || defined(HPUX) || defined(i386) || defined(IRIX) || \
+#if defined(SOLARIS) || defined(HPUX) || defined(NSS_X86) || \
     defined(_WIN64)
 /* Convert the byte-stream to a word-stream */
 #define CONVERT_TO_WORDS
@@ -119,7 +117,7 @@ RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
 	        const unsigned char * unused1, int unused2, 
 		unsigned int unused3, unsigned int unused4)
 {
-	int i;
+	unsigned int i;
 	PRUint8 j, tmp;
 	PRUint8 K[256];
 	PRUint8 *L;
@@ -127,7 +125,7 @@ RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
 	/* verify the key length. */
 	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
 	if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_BAD_KEY);
 		return SECFailure;
 	}
 	if (cx == NULL) {
@@ -215,7 +213,7 @@ rc4_no_opt(RC4Context *cx, unsigned char *output,
 	unsigned int index;
 	PORT_Assert(maxOutputLen >= inputLen);
 	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 		return SECFailure;
 	}
 	for (index=0; index < inputLen; index++) {
@@ -248,7 +246,7 @@ rc4_unrolled(RC4Context *cx, unsigned char *output,
 	int index;
 	PORT_Assert(maxOutputLen >= inputLen);
 	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 		return SECFailure;
 	}
 	for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
@@ -349,40 +347,26 @@ rc4_unrolled(RC4Context *cx, unsigned char *output,
 #define LSH <<
 #endif
 
+#ifdef IS_LITTLE_ENDIAN
+#define LEFTMOST_BYTE_SHIFT 0
+#define NEXT_BYTE_SHIFT(shift) shift + 8
+#else
+#define LEFTMOST_BYTE_SHIFT 8*(WORDSIZE - 1)
+#define NEXT_BYTE_SHIFT(shift) shift - 8
+#endif
+
 #ifdef CONVERT_TO_WORDS
-/* NOTE about UMRs, Uninitialized Memory Reads.
- *
- * This code reads all input data a WORD at a time, rather than byte at 
- * a time, and writes all output data a WORD at a time.  Shifting and 
- * masking is used to remove unwanted data and realign bytes when 
- * needed.  The first and last words of output are read, modified, and
- * written when needed to preserve any unchanged bytes.  This is a huge
- * win on machines with high memory latency.  
- *
- * However, when the input and output buffers do not begin and end on WORD 
- * boundaries, and the WORDS in memory that contain the first and last 
- * bytes of those buffers contain uninitialized data, then this code will 
- * read those uninitialized bytes, causing a UMR error to be reported by 
- * some tools.  
- *
- * These UMRs are NOT a problem, NOT errors, and do NOT need to be "fixed".
- * 
- * All the words read and written contain at least one byte that is 
- * part of the input data or output data.  No words are read or written
- * that do not contain data that is part of the buffer.  Therefore, 
- * these UMRs cannot cause page faults or other problems unless the 
- * buffers have been assigned to improper addresses that would cause
- * page faults with or without UMRs.  
- */
 static SECStatus 
 rc4_wordconv(RC4Context *cx, unsigned char *output,
              unsigned int *outputLen, unsigned int maxOutputLen,
              const unsigned char *input, unsigned int inputLen)
 {
-	ptrdiff_t inOffset = (ptrdiff_t)input % WORDSIZE;
+	PR_STATIC_ASSERT(sizeof(PRUword) == sizeof(ptrdiff_t));
-	ptrdiff_t outOffset = (ptrdiff_t)output % WORDSIZE;
+	unsigned int inOffset = (PRUword)input % WORDSIZE;
-	register WORD streamWord, mask;
+	unsigned int outOffset = (PRUword)output % WORDSIZE;
-	register WORD *pInWord, *pOutWord;
+	register WORD streamWord;
+	register const WORD *pInWord;
+	register WORD *pOutWord;
 	register WORD inWord, nextInWord;
 	PRUint8 t;
 	register Stype tmpSi, tmpSj;
@@ -390,11 +374,13 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 	register PRUint8 tmpj = cx->j;
 	unsigned int byteCount;
 	unsigned int bufShift, invBufShift;
-	int i;
+	unsigned int i;
+	const unsigned char *finalIn;
+	unsigned char *finalOut;
 
 	PORT_Assert(maxOutputLen >= inputLen);
 	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 		return SECFailure;
 	}
 	if (inputLen < 2*WORDSIZE) {
@@ -402,7 +388,8 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 		return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
 	}
 	*outputLen = inputLen;
-	pInWord = (WORD *)(input - inOffset);
+	pInWord = (const WORD *)(input - inOffset);
+	pOutWord = (WORD *)(output - outOffset);
 	if (inOffset < outOffset) {
 		bufShift = 8*(outOffset - inOffset);
 		invBufShift = 8*WORDSIZE - bufShift;
@@ -419,52 +406,42 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 	/* least one partial word of input should ALWAYS be loaded.      */
 	/*****************************************************************/
 	if (outOffset) {
-		/* Generate input and stream words aligned relative to the
-		 * partial output buffer.
-		 */
 		byteCount = WORDSIZE - outOffset; 
-		pOutWord = (WORD *)(output - outOffset);
+		for (i = 0; i < byteCount; i++) {
-		mask = streamWord = 0;
-#ifdef IS_LITTLE_ENDIAN
-		for (i = WORDSIZE - byteCount; i < WORDSIZE; i++) {
-#else
-		for (i = byteCount - 1; i >= 0; --i) {
-#endif
 			ARCFOUR_NEXT_BYTE();
-			streamWord |= (WORD)(cx->S[t]) << 8*i;
+			output[i] = cx->S[t] ^ input[i];
-			mask |= MASK1BYTE << 8*i;
+		}
-		} /* } */
+		/* Consumed byteCount bytes of input */
-		inWord = *pInWord++; /* UMR? see comments above. */
+		inputLen -= byteCount;
+		pInWord++;
+
+		/* move to next word of output */
+		pOutWord++;
+
 		/* If buffers are relatively misaligned, shift the bytes in inWord
 		 * to be aligned to the output buffer.
 		 */
-		nextInWord = 0;
 		if (inOffset < outOffset) {
-			/* Have more bytes than needed, shift remainder into nextInWord */
+			/* The first input word (which may be partial) has more bytes
-			nextInWord = inWord LSH 8*(inOffset + byteCount);
+			 * than needed.  Copy the remainder to inWord.
-			inWord = inWord RSH bufShift;
-		} else if (inOffset > outOffset) {
-			/* Didn't get enough bytes from current input word, load another
-			 * word and then shift remainder into nextInWord.
 			 */
-			nextInWord = *pInWord++;
+			unsigned int shift = LEFTMOST_BYTE_SHIFT;
-			inWord = (inWord LSH invBufShift) | 
+			inWord = 0;
-			         (nextInWord RSH bufShift);
+			for (i = 0; i < outOffset - inOffset; i++) {
-			nextInWord = nextInWord LSH invBufShift;
+				inWord |= (WORD)input[byteCount + i] << shift;
+				shift = NEXT_BYTE_SHIFT(shift);
+			}
+		} else if (inOffset > outOffset) {
+			/* Consumed some bytes in the second input word.  Copy the
+			 * remainder to inWord.
+			 */
+			inWord = *pInWord++;
+			inWord = inWord LSH invBufShift;
+		} else {
+			inWord = 0;
 		}
-		/* Store output of first partial word */
-		*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
-		/* UMR?  See comments above. */
-
-		/* Consumed byteCount bytes of input */
-		inputLen -= byteCount;
-		/* move to next word of output */
-		pOutWord++;
-		/* inWord has been consumed, but there may be bytes in nextInWord */
-		inWord = nextInWord;
 	} else {
 		/* output is word-aligned */
-		pOutWord = (WORD *)output;
 		if (inOffset) {
 			/* Input is not word-aligned.  The first word load of input 
 			 * will not produce a full word of input bytes, so one word
@@ -474,8 +451,13 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 			 * loop must execute at least once because the input must
 			 * be at least two words.
 			 */
-			inWord = *pInWord++; /* UMR? see comments above. */
+			unsigned int shift = LEFTMOST_BYTE_SHIFT;
-			inWord = inWord LSH invBufShift;
+			inWord = 0;
+			for (i = 0; i < WORDSIZE - inOffset; i++) {
+				inWord |= (WORD)input[i] << shift;
+				shift = NEXT_BYTE_SHIFT(shift);
+			}
+			pInWord++;
 		} else {
 			/* Input is word-aligned.  The first word load of input 
 			 * will produce a full word of input bytes, so nothing
@@ -510,12 +492,7 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 			cx->j = tmpj;
 			return SECSuccess;
 		}
-		/* If the amount of remaining input is greater than the amount
+		finalIn = (const unsigned char *)pInWord - WORDSIZE + inOffset;
-		 * bytes pulled from the current input word, need to do another
-		 * word load.  What's left in inWord will be consumed in step 3.
-		 */
-		if (inputLen > WORDSIZE - inOffset)
-			inWord |= *pInWord RSH bufShift; /* UMR?  See above. */
 	} else {
 		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
 			inWord = *pInWord++;
@@ -527,31 +504,18 @@ rc4_wordconv(RC4Context *cx, unsigned char *output,
 			cx->i = tmpi;
 			cx->j = tmpj;
 			return SECSuccess;
-		} else {
-			/* A partial input word remains at the tail.  Load it. 
-			 * The relevant bytes will be consumed in step 3.
-			 */
-			inWord = *pInWord; /* UMR?  See comments above */
 		}
+		finalIn = (const unsigned char *)pInWord;
 	}
 	/*****************************************************************/
 	/* Step 3:                                                       */
-	/* A partial word of input remains, and it is already loaded     */
+	/* Do the remaining partial word of input one byte at a time.    */
-	/* into nextInWord.  Shift appropriately and consume the bytes   */
-	/* used in the partial word.                                     */
 	/*****************************************************************/
-	mask = streamWord = 0;
+	finalOut = (unsigned char *)pOutWord;
-#ifdef IS_LITTLE_ENDIAN
+	for (i = 0; i < inputLen; i++) {
-	for (i = 0; i < inputLen; ++i) {
-#else
-	for (i = WORDSIZE - 1; i >= WORDSIZE - inputLen; --i) {
-#endif
 		ARCFOUR_NEXT_BYTE();
-		streamWord |= (WORD)(cx->S[t]) << 8*i;
+		finalOut[i] = cx->S[t] ^ finalIn[i];
-		mask |= MASK1BYTE << 8*i;
+	}
-	} /* } */
-	/* UMR?  See comments above. */
-	*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
 	cx->i = tmpi;
 	cx->j = tmpj;
 	return SECSuccess;
@@ -566,7 +530,7 @@ RC4_Encrypt(RC4Context *cx, unsigned char *output,
 {
 	PORT_Assert(maxOutputLen >= inputLen);
 	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 		return SECFailure;
 	}
 #if defined(NSS_BEVAND_ARCFOUR)
@@ -588,7 +552,7 @@ SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
 {
 	PORT_Assert(maxOutputLen >= inputLen);
 	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 		return SECFailure;
 	}
 	/* decrypt and encrypt are same operation. */

mozilla/security/nss/lib/freebl/ecl/ecp_256.c

@@ -6,12 +6,11 @@
 #include "mpi.h"
 #include "mplogic.h"
 #include "mpi-priv.h"
-#include <stdlib.h>
 
 /* Fast modular reduction for p256 = 2^256 - 2^224 + 2^192+ 2^96 - 1.  a can be r. 
  * Uses algorithm 2.29 from Hankerson, Menezes, Vanstone. Guide to 
  * Elliptic Curve Cryptography. */
-mp_err
+static mp_err
 ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
@@ -159,10 +158,10 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 			MP_ADD_CARRY(r0, r8_d,         r0, 0,     carry);
 			MP_ADD_CARRY(r1, 0,            r1, carry, carry);
 			MP_ADD_CARRY(r2, 0,            r2, carry, carry);
-			MP_ADD_CARRY(r3, -r8_d,        r3, carry, carry);
+			MP_ADD_CARRY(r3, 0-r8_d,       r3, carry, carry);
 			MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry, carry);
 			MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry, carry);
-			MP_ADD_CARRY(r6, -(r8_d+1),    r6, carry, carry);
+			MP_ADD_CARRY(r6, 0-(r8_d+1),   r6, carry, carry);
 			MP_ADD_CARRY(r7, (r8_d-1),     r7, carry, carry);
 			r8 = carry;
 		}
@@ -173,12 +172,12 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 			MP_SUB_BORROW(r0, r8_d,         r0, 0,     carry);
 			MP_SUB_BORROW(r1, 0,            r1, carry, carry);
 			MP_SUB_BORROW(r2, 0,            r2, carry, carry);
-			MP_SUB_BORROW(r3, -r8_d,        r3, carry, carry);
+			MP_SUB_BORROW(r3, 0-r8_d,       r3, carry, carry);
 			MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry, carry);
 			MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry, carry);
-			MP_SUB_BORROW(r6, -(r8_d+1),    r6, carry, carry);
+			MP_SUB_BORROW(r6, 0-(r8_d+1),   r6, carry, carry);
 			MP_SUB_BORROW(r7, (r8_d-1),     r7, carry, carry);
-			r8 = -carry;
+			r8 = 0-carry;
 		}
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r,8));
@@ -203,24 +202,7 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 				  && (r0 == MP_DIGIT_MAX)))))) {
 			MP_CHECKOK(mp_sub(r, &meth->irr, r));
 		}
-#ifdef notdef
 
-
-		/* smooth the negatives */
-		while (MP_SIGN(r) != MP_ZPOS) {
-			MP_CHECKOK(mp_add(r, &meth->irr, r));
-		}
-		while (MP_USED(r) > 8) {
-			MP_CHECKOK(mp_sub(r, &meth->irr, r));
-		}
-
-		/* final reduction if necessary */
-		if (MP_DIGIT(r,7) >= MP_DIGIT(&meth->irr,7)) {
-		    if (mp_cmp(r,&meth->irr) != MP_LT) {
-			MP_CHECKOK(mp_sub(r, &meth->irr, r));
-		    }
-		}
-#endif
 		s_mp_clamp(r);
 #else
 		switch (a_used) {
@@ -307,7 +289,7 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 			mp_digit r4_long = r4;
 			mp_digit r4l = (r4_long << 32);
 			MP_ADD_CARRY(r0, r4_long,      r0, 0,     carry);
-			MP_ADD_CARRY(r1, -r4l,         r1, carry, carry);
+			MP_ADD_CARRY(r1, 0-r4l,        r1, carry, carry);
 			MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry, carry);
 			MP_ADD_CARRY(r3, r4l-r4_long-1,r3, carry, carry);
 			r4 = carry;
@@ -318,10 +300,10 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 			mp_digit r4_long = -r4;
 			mp_digit r4l = (r4_long << 32);
 			MP_SUB_BORROW(r0, r4_long,      r0, 0,     carry);
-			MP_SUB_BORROW(r1, -r4l,         r1, carry, carry);
+			MP_SUB_BORROW(r1, 0-r4l,        r1, carry, carry);
 			MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry, carry);
 			MP_SUB_BORROW(r3, r4l-r4_long-1,r3, carry, carry);
-			r4 = -carry;
+			r4 = 0-carry;
 		}
 
 		if (a != r) {
@@ -355,7 +337,7 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 /* Compute the square of polynomial a, reduce modulo p256. Store the
  * result in r.  r could be a.  Uses optimized modular reduction for p256. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp256_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
@@ -369,7 +351,7 @@ ec_GFp_nistp256_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 /* Compute the product of two polynomials a and b, reduce modulo p256.
  * Store the result in r.  r could be a or b; a could be b.  Uses
  * optimized modular reduction for p256. */
-mp_err
+static mp_err
 ec_GFp_nistp256_mul(const mp_int *a, const mp_int *b, mp_int *r,
 					const GFMethod *meth)
 {

mozilla/security/nss/lib/freebl/loader.c

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: loader.c,v 1.60 2013-02-06 22:20:22 wtc%google.com Exp $ */
+/* $Id: loader.c,v 1.61 2013-02-15 18:48:42 wtc%google.com Exp $ */
 
 #include "loader.h"
 #include "prmem.h"
@@ -36,7 +36,8 @@ const static char fpu_hybrid_isa[] = "sparcv9+vis";
 
 const static char fpu_hybrid_shared_lib[] = "libfreebl_32fpu_3.so";
 const static char int_hybrid_shared_lib[] = "libfreebl_32int64_3.so";
-const static char non_hybrid_shared_lib[] = "libfreebl_32int_3.so";
+/* This was for SPARC V8, now obsolete. */
+const static char *const non_hybrid_shared_lib = NULL;
 
 const static char int_hybrid_isa[] = "sparcv8plus";
 const static char fpu_hybrid_isa[] = "sparcv8plus+vis";

mozilla/security/nss/lib/freebl/mpi/mpv_sparcv8x.s

@@ -1,144 +0,0 @@
-! Inner multiply loop functions for pure 32-bit Sparc v8 CPUs.
-! This Source Code Form is subject to the terms of the Mozilla Public
-! License, v. 2.0. If a copy of the MPL was not distributed with this
-! file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-! $Id: mpv_sparcv8x.s,v 1.3 2012-04-25 14:49:50 gerv%gerv.net Exp $
-
-	.file	"mpv_sparcv8x.s"
-	.align	8
-
-	.section     ".text",#alloc,#execinstr
-	.global      s_mpv_mul_d
- s_mpv_mul_d:
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %g4
-	cmp          %i1, 0x0
-	be           .L103
-	sub          %i1, 0x1, %o5
-	ld           [%o0], %g1
-.L101:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %g4, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %g4
-	blu,a        .L102
-	add          %g1, 0x1, %o4
-.L102:
-	st           %g3, [%i3]
-	mov          %o5, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %g4
-	sub          %o5, 0x1, %o5
-	bne,a        .L101
-	ld           [%o0], %g1
-.L103:
-	st           %g4, [%i3]
-	ret
-	restore
-
-	.type	s_mpv_mul_d,2
-	.size	s_mpv_mul_d,(.-s_mpv_mul_d)
-
-	.align	16
-	.global      s_mpv_mul_d_add
- s_mpv_mul_d_add:
-
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %g4
-	cmp          %i1, 0x0
-	be           .L204
-	sub          %i1, 0x1, %o5
-	ld           [%o0], %g1
-.L201:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %g4, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %g4
-	blu,a        .L202
-	add          %g1, 0x1, %o4
-.L202:
-	ld           [%i3], %g2
-	add          %g3, %g2, %g1
-	cmp          %g1, %g2
-	blu,a        .L203
-	add          %o4, 0x1, %o4
-.L203:
-	st           %g1, [%i3]
-	mov          %o5, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %g4
-	sub          %o5, 0x1, %o5
-	bne,a        .L201
-	ld           [%o0], %g1
-.L204:
-	st           %g4, [%i3]
-	ret
-	restore
-
-	.type	s_mpv_mul_d_add,2
-	.size	s_mpv_mul_d_add,(.-s_mpv_mul_d_add)
-
-	.align	16
-	.global      s_mpv_mul_d_add_prop
- s_mpv_mul_d_add_prop:
-
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %o5
-	cmp          %i1, 0x0
-	be           .L30x70
-	sub          %i1, 0x1, %g4
-	ld           [%o0], %g1
-.L30x1c:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %o5, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %o5
-	blu,a        .L30x3c
-	add          %g1, 0x1, %o4
-.L30x3c:
-	ld           [%i3], %g2
-	add          %g3, %g2, %g1
-	cmp          %g1, %g2
-	blu,a        .L30x50
-	add          %o4, 0x1, %o4
-.L30x50:
-	st           %g1, [%i3]
-	mov          %g4, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %o5
-	sub          %g4, 0x1, %g4
-	bne,a        .L30x1c
-	ld           [%o0], %g1
-.L30x70:
-	cmp          %o5, 0x0
-	be           .L30xa0
-	nop
-	ld           [%i3], %g1
-.L30x80:
-	add          %o5, %g1, %g2
-	st           %g2, [%i3]
-	add          %i3, 0x4, %i3
-	cmp          %g2, %g1
-	addx         %g0, 0x0, %o5
-	cmp          %o5, 0x0
-	bne,a        .L30x80
-	ld           [%i3], %g1
-.L30xa0:
-	ret
-	restore
-
-	.type	s_mpv_mul_d_add_prop,2
-	.size	s_mpv_mul_d_add_prop,(.-s_mpv_mul_d_add_prop)

mozilla/security/nss/lib/nss/nss.h

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: nss.h,v 1.104 2013-02-14 19:16:13 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.105 2013-02-15 17:41:55 kaie%kuix.de Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
@@ -34,12 +34,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.14.3.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.14.4.0" _NSS_ECC_STRING _NSS_CUSTOMIZED "Beta"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   14
-#define NSS_VPATCH   3
+#define NSS_VPATCH   4
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_FALSE
+#define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 

mozilla/security/nss/lib/softoken/softkver.h

@@ -25,11 +25,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.14.3.0" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.14.4.0" SOFTOKEN_ECC_STRING "Beta"
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   14
-#define SOFTOKEN_VPATCH   3
+#define SOFTOKEN_VPATCH   4
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_FALSE
+#define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */

mozilla/security/nss/lib/ssl/SSLerrs.h

@@ -400,3 +400,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123),
 
 ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
 "SSL feature not supported for the protocol version.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS,       (SSL_ERROR_BASE + 125),
+"SSL received an unexpected Certificate Status handshake message.")

mozilla/security/nss/lib/ssl/ssl.def

@@ -156,3 +156,10 @@ SSL_SetSRTPCiphers;
 ;+    local:
 ;+*;
 ;+};
+;+NSS_3.14.2 {      # NSS 3.14.2 release
+;+    global:
+SSL_PeerStapledOCSPResponses;
+SSL_SetStapledOCSPResponses;
+;+    local:
+;+*;
+;+};

mozilla/security/nss/lib/ssl/ssl.h

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl.h,v 1.59 2012-09-21 21:58:43 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.62 2013-02-15 17:56:19 kaie%kuix.de Exp $ */
 
 #ifndef __ssl_h_
 #define __ssl_h_
@@ -158,6 +158,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  * accept fragmented alerts).
  */
 #define SSL_CBC_RANDOM_IV 23
+#define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
 
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
@@ -397,6 +398,35 @@ SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
 */
 SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
 
+/* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
+ * by the TLS server. The return value is a pointer to an internal SECItemArray
+ * that contains the returned OCSP responses; it is only valid until the
+ * callback function that calls SSL_PeerStapledOCSPResponses returns.
+ *
+ * If no OCSP responses were given by the server then the result will be empty.
+ * If there was an error, then the result will be NULL.
+ *
+ * You must set the SSL_ENABLE_OCSP_STAPLING option to enable OCSP stapling.
+ * to be provided by a server.
+ *
+ * libssl does not do any validation of the OCSP response itself; the
+ * authenticate certificate hook is responsible for doing so. The default
+ * authenticate certificate hook, SSL_AuthCertificate, does not implement
+ * any OCSP stapling funtionality, but this may change in future versions.
+ */
+SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
+
+/* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
+ * in the fd's data, which may be sent as part of a server side cert_status
+ * handshake message.
+ * If takeOwnership is false, the function will duplicate the responses.
+ * If takeOwnership is true, the ownership of responses is transfered into the
+ * SSL library, and the caller must stop using it.
+ */
+SSL_IMPORT SECStatus
+SSL_SetStapledOCSPResponses(PRFileDesc *fd, SECItemArray *responses,
+			    PRBool takeOwnership);
+
 /*
 ** Authenticate certificate hook. Called when a certificate comes in
 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
@@ -417,6 +447,16 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
 ** See the documentation for SSL_AuthCertificateComplete for more information
 ** about the asynchronous behavior that occurs when the authenticate
 ** certificate hook returns SECWouldBlock.
+**
+** RFC 6066 says that clients should send the bad_certificate_status_response
+** alert when they encounter an error processing the stapled OCSP response.
+** libssl does not provide a way for the authenticate certificate hook to
+** indicate that an OCSP error (SEC_ERROR_OCSP_*) that it returns is an error
+** in the stapled OCSP response or an error in some other OCSP response.
+** Further, NSS does not provide a convenient way to control or determine
+** which OCSP response(s) were used to validate a certificate chain.
+** Consequently, the current version of libssl does not ever send the
+** bad_certificate_status_response alert. This may change in future releases.
 */
 typedef SECStatus (PR_CALLBACK *SSLAuthCertificate)(void *arg, PRFileDesc *fd, 
                                                     PRBool checkSig,

mozilla/security/nss/lib/ssl/ssl3con.c

@@ -5,7 +5,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3con.c,v 1.201 2013-02-07 01:29:19 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.207 2013-02-19 16:16:22 wtc%google.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ -49,6 +49,7 @@ static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
 static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
 static SECStatus ssl3_InitState(             sslSocket *ss);
 static SECStatus ssl3_SendCertificate(       sslSocket *ss);
+static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
 static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
@@ -4381,7 +4382,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
 	    total_exten_len += 2;
     }
 
-#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+#if defined(NSS_ENABLE_ECC)
     if (!total_exten_len || !isTLS) {
 	/* not sending the elliptic_curves and ec_point_formats extensions */
     	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
@@ -6491,6 +6492,10 @@ ssl3_SendServerHelloSequence(sslSocket *ss)
     if (rv != SECSuccess) {
 	return rv;	/* error code is set. */
     }
+    rv = ssl3_SendCertificateStatus(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* error code is set. */
+    }
     /* We have to do this after the call to ssl3_SendServerHello,
      * because kea_def is set up by ssl3_SendServerHello().
      */
@@ -8433,6 +8438,52 @@ ssl3_SendCertificate(sslSocket *ss)
     return SECSuccess;
 }
 
+/*
+ * Used by server only.
+ * single-stapling, send only a single cert status
+ */
+static SECStatus
+ssl3_SendCertificateStatus(sslSocket *ss)
+{
+    SECStatus            rv;
+    CERTCertificateList *certChain;
+    int                  len 		= 0;
+    int                  i;
+    SSL3KEAType          certIndex;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
+	return SECSuccess;
+
+    if (!ss->certStatusArray)
+	return SECSuccess;
+
+    /* Use the array's first item only (single stapling) */
+    len = 1 + ss->certStatusArray->items[0].len + 3;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
+    if (rv != SECSuccess)
+	return rv; 		/* err set by AppendHandshake. */
+
+    rv = ssl3_AppendHandshakeVariable(ss,
+				      ss->certStatusArray->items[0].data,
+				      ss->certStatusArray->items[0].len,
+				      3);
+    if (rv != SECSuccess)
+	return rv; 		/* err set by AppendHandshake. */
+
+    return SECSuccess;
+}
+
 /* This is used to delete the CA certificates in the peer certificate chain
  * from the cert database after they've been validated.
  */
@@ -8450,6 +8501,57 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
     ss->ssl3.peerCertChain = NULL;
 }
 
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 CertificateStatus message.
+ * Caller must hold Handshake and RecvBuf locks.
+ * This is always called before ssl3_HandleCertificate, even if the Certificate
+ * message is sent first.
+ */
+static SECStatus
+ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    PRInt32 status, len;
+    PORT_Assert(ss->ssl3.hs.ws == wait_certificate_status);
+
+    /* Consume the CertificateStatusType enum */
+    status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
+    if (status != 1 /* ocsp */) {
+       goto format_loser;
+    }
+
+    len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+    if (len != length) {
+       goto format_loser;
+    }
+
+#define MAX_CERTSTATUS_LEN 0x1ffff   /* 128k - 1 */
+    if (length > MAX_CERTSTATUS_LEN)
+       goto format_loser;
+#undef MAX_CERTSTATUS_LEN
+
+    /* Array size 1, because we currently implement single-stapling only*/
+    SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
+    if (!ss->sec.ci.sid->peerCertStatus.items)
+       return SECFailure;
+
+    ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
+
+    if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
+        SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);
+        return SECFailure;
+    }
+
+    PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
+    ss->sec.ci.sid->peerCertStatus.items[0].len = length;
+    ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
+    return SECSuccess;
+
+format_loser:
+    return ssl3_DecodeError(ss);
+}
+
+static SECStatus ssl3_AuthCertificate(sslSocket *ss);
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Certificate message.
  * Caller must hold Handshake and RecvBuf locks.
@@ -8516,7 +8618,8 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	    errCode = PORT_GetError();
 	    goto loser;
 	}
-	goto server_no_cert;
+       ss->ssl3.hs.ws = wait_client_key;
+       return SECSuccess;
     }
 
     ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
@@ -8595,6 +8698,48 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 
     SECKEY_UpdateCertPQG(ss->sec.peerCert);
 
+    if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
+       ss->ssl3.hs.ws = wait_certificate_status;
+       rv = SECSuccess;
+    } else {
+       rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
+    }
+
+    return rv;
+
+ambiguous_err:
+    errCode = PORT_GetError();
+    switch (errCode) {
+    case PR_OUT_OF_MEMORY_ERROR:
+    case SEC_ERROR_BAD_DATABASE:
+    case SEC_ERROR_NO_MEMORY:
+       if (isTLS) {
+           desc = internal_error;
+           goto alert_loser;
+       }
+       goto loser;
+    }
+    ssl3_SendAlertForCertError(ss, errCode);
+    goto loser;
+
+decode_loser:
+    desc = isTLS ? decode_error : bad_certificate;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    (void)ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+static SECStatus
+ssl3_AuthCertificate(sslSocket *ss)
+{
+    SECStatus        rv;
+    PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
+    int              errCode;
+
     ss->ssl3.hs.authCertificatePending = PR_FALSE;
 
     /*
@@ -8691,7 +8836,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
 	}
     } else {
-server_no_cert:
 	ss->ssl3.hs.ws = wait_client_key;
     }
 
@@ -8704,34 +8848,7 @@ server_no_cert:
 
     return rv;
 
-ambiguous_err:
-    errCode = PORT_GetError();
-    switch (errCode) {
-    case PR_OUT_OF_MEMORY_ERROR:
-    case SEC_ERROR_BAD_DATABASE:
-    case SEC_ERROR_NO_MEMORY:
-	if (isTLS) {
-	    desc = internal_error;
-	    goto alert_loser;
-	}
-	goto loser;
-    }
-    ssl3_SendAlertForCertError(ss, errCode);
-    goto loser;
-
-decode_loser:
-    desc = isTLS ? decode_error : bad_certificate;
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
 loser:
-    ssl3_CleanupPeerCerts(ss);
-
-    if (ss->sec.peerCert != NULL) {
-	CERT_DestroyCertificate(ss->sec.peerCert);
-	ss->sec.peerCert = NULL;
-    }
     (void)ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
@@ -9420,7 +9537,26 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     }
 
     PORT_SetError(0);	/* each message starts with no error. */
-    switch (ss->ssl3.hs.msg_type) {
+
+    /* The CertificateStatus message is optional. We process the message if we
+     * get one when it is allowed, but otherwise we just carry on.
+     */
+    if (ss->ssl3.hs.ws == wait_certificate_status) {
+       /* We must process any CertificateStatus message before we call
+        * ssl3_AuthCertificate, as ssl3_AuthCertificate needs any stapled OCSP
+        * response we get.
+        */
+       if (ss->ssl3.hs.msg_type == certificate_status) {
+           rv = ssl3_HandleCertificateStatus(ss, b, length);
+           if (rv != SECSuccess)
+               return rv;
+       }
+
+       /* Regardless of whether we got a CertificateStatus message, we must
+        * authenticate the cert before we handle any more handshake messages.
+        */
+       rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
+    } else switch (ss->ssl3.hs.msg_type) {
     case hello_request:
 	if (length != 0) {
 	    (void)ssl3_DecodeError(ss);
@@ -9461,6 +9597,11 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     case certificate:
 	rv = ssl3_HandleCertificate(ss, b, length);
 	break;
+    case certificate_status:
+       /* The good case is handled above */
+       PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
+       rv = SECFailure;
+       break;
     case server_key_exchange:
 	if (ss->sec.isServer) {
 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);

mozilla/security/nss/lib/ssl/ssl3ext.c

@@ -6,7 +6,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.30 2012-11-13 01:26:40 wtc%google.com Exp $ */
+/* $Id: ssl3ext.c,v 1.32 2013-02-15 17:56:19 kaie%kuix.de Exp $ */
 
 #include "nssrenam.h"
 #include "nss.h"
@@ -61,6 +61,15 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
     PRUint32 maxBytes);
 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
     SECItem *data);
+static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
+    PRBool      append, PRUint32    maxBytes);
+static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
+    PRUint16 ex_type, SECItem *data);
+static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
+                                                  PRUint16 ex_type,
+                                                  SECItem *data);
+static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
+                                              PRUint32 maxBytes);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
@@ -222,6 +231,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
+    { ssl_cert_status_xtn,        &ssl3_ServerHandleStatusRequestXtn },
     { -1, NULL }
 };
 
@@ -234,6 +244,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
+    { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
     { -1, NULL }
 };
 
@@ -258,7 +269,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
 #endif
     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
-    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn }
+    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
+    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
@@ -648,6 +660,101 @@ loser:
     return -1;
 }
 
+static SECStatus
+ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
+                                 SECItem *data)
+{
+    /* The echoed extension must be empty. */
+    if (data->len != 0)
+       return SECFailure;
+
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+    return SECSuccess;
+}
+
+static PRInt32
+ssl3_ServerSendStatusRequestXtn(
+			sslSocket * ss,
+			PRBool      append,
+			PRUint32    maxBytes)
+{
+    PRInt32 extension_length;
+    SECStatus rv;
+
+    if (!ss->certStatusArray)
+	return 0;
+
+    extension_length = 2 + 2;
+    if (append && maxBytes >= extension_length) {
+	/* extension_type */
+	rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
+	if (rv != SECSuccess)
+	    return -1;
+	/* length of extension_data */
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+	if (rv != SECSuccess)
+	    return -1;
+    }
+
+    return extension_length;
+}
+
+/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
+ * client side. See RFC 4366 section 3.6. */
+static PRInt32
+ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
+                               PRUint32 maxBytes)
+{
+    PRInt32 extension_length;
+
+    if (!ss->opt.enableOCSPStapling)
+       return 0;
+
+    /* extension_type (2-bytes) +
+     * length(extension_data) (2-bytes) +
+     * status_type (1) +
+     * responder_id_list length (2) +
+     * request_extensions length (2)
+     */
+    extension_length = 9;
+
+    if (append && maxBytes >= extension_length) {
+       SECStatus rv;
+       TLSExtensionData *xtnData;
+
+       /* extension_type */
+       rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
+       if (rv != SECSuccess)
+           return -1;
+       rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+       if (rv != SECSuccess)
+           return -1;
+       rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
+       if (rv != SECSuccess)
+           return -1;
+       /* A zero length responder_id_list means that the responders are
+        * implicitly known to the server. */
+       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+       if (rv != SECSuccess)
+           return -1;
+       /* A zero length request_extensions means that there are no extensions.
+        * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
+        * means that the server can replay a cached OCSP response to us. */
+       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+       if (rv != SECSuccess)
+           return -1;
+
+       xtnData = &ss->xtnData;
+       xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
+    } else if (maxBytes < extension_length) {
+       PORT_Assert(0);
+       return 0;
+    }
+    return extension_length;
+}
+
 /*
  * NewSessionTicket
  * Called from ssl3_HandleFinished
@@ -1630,6 +1737,22 @@ ssl3_SendRenegotiationInfoXtn(
     return needed;
 }
 
+static SECStatus
+ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
+				  SECItem *data)
+{
+    SECStatus rv = SECSuccess;
+    PRUint32 len = 0;
+
+    /* remember that we got this extension. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    PORT_Assert(ss->sec.isServer);
+    /* prepare to send back the appropriate response */
+    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+					    ssl3_ServerSendStatusRequestXtn);
+    return rv;
+}
+
 /* This function runs in both the client and server.  */
 static SECStatus
 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)

mozilla/security/nss/lib/ssl/ssl3prot.h

@@ -5,7 +5,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3prot.h,v 1.22 2012-04-25 14:50:12 gerv%gerv.net Exp $ */
+/* $Id: ssl3prot.h,v 1.23 2013-02-15 17:52:45 kaie%kuix.de Exp $ */
 
 #ifndef __ssl3proto_h_
 #define __ssl3proto_h_
@@ -129,6 +129,7 @@ typedef enum {
     certificate_verify	= 15, 
     client_key_exchange	= 16, 
     finished		= 20,
+    certificate_status  = 22,
     next_proto		= 67
 } SSL3HandshakeType;
 

mozilla/security/nss/lib/ssl/sslauth.c

@@ -1,13 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslauth.c,v 1.18 2012-04-25 14:50:12 gerv%gerv.net Exp $ */
+/* $Id: sslauth.c,v 1.20 2013-02-15 17:55:41 kaie%kuix.de Exp $ */
 #include "cert.h"
 #include "secitem.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "pk11func.h"
+#include "ocsp.h"
 
 /* NEED LOCKS IN HERE.  */
 CERTCertificate *
@@ -214,6 +215,9 @@ SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
     sslSocket *        ss;
     SECCertUsage       certUsage;
     const char *             hostname    = NULL;
+    PRTime             now = PR_Now();
+    SECItemArray *certStatusArray;
+    unsigned int i;
     
     ss = ssl_FindSocket(fd);
     PORT_Assert(ss != NULL);
@@ -222,12 +226,18 @@ SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
     }
 
     handle = (CERTCertDBHandle *)arg;
+    certStatusArray = &ss->sec.ci.sid->peerCertStatus;
+
+    for (i = 0; i < certStatusArray->len; ++i) {
+        CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,
+					now, &certStatusArray->items[i], arg);
+    }
 
     /* this may seem backwards, but isn't. */
     certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
 
-    rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,
+    rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
-			    ss->pkcs11PinArg);
+			 now, ss->pkcs11PinArg, NULL);
 
     if ( rv != SECSuccess || isServer )
 	return rv;

mozilla/security/nss/lib/ssl/sslcon.c

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslcon.c,v 1.52 2012-07-17 14:43:11 kaie%kuix.de Exp $ */
+/* $Id: sslcon.c,v 1.55 2013-02-19 16:16:22 wtc%google.com Exp $ */
 
 #include "nssrenam.h"
 #include "cert.h"
@@ -3102,7 +3102,7 @@ ssl2_BeginClientHandshake(sslSocket *ss)
 
 	return rv;
     }
-#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+#if defined(NSS_ENABLE_ECC)
     /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
     ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     if (ss->cipherSpecs != NULL) {

mozilla/security/nss/lib/ssl/sslerr.h

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslerr.h,v 1.25 2012-07-13 00:51:57 wtc%google.com Exp $ */
+/* $Id: sslerr.h,v 1.26 2013-02-15 17:52:45 kaie%kuix.de Exp $ */
 #ifndef __SSL_ERR_H_
 #define __SSL_ERR_H_
 
@@ -188,6 +188,8 @@ SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
 
 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
 
+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS     = (SSL_ERROR_BASE + 125),
+
 SSL_ERROR_END_OF_LIST	/* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */

mozilla/security/nss/lib/ssl/sslimpl.h

@@ -5,7 +5,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslimpl.h,v 1.109 2012-11-14 01:14:12 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.112 2013-02-15 17:56:19 kaie%kuix.de Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
@@ -316,6 +316,7 @@ typedef struct sslOptionsStr {
     unsigned int requireSafeNegotiation : 1;  /* 22 */
     unsigned int enableFalseStart       : 1;  /* 23 */
     unsigned int cbcRandomIV            : 1;  /* 24 */
+    unsigned int enableOCSPStapling     : 1;  /* 25 */
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -575,6 +576,7 @@ struct sslSessionIDStr {
     sslSessionID *        next;   /* chain used for client sockets, only */
 
     CERTCertificate *     peerCert;
+    SECItemArray          peerCertStatus; /* client only */
     const char *          peerID;     /* client only */
     const char *          urlSvrName; /* client only */
     CERTCertificate *     localCert;
@@ -717,6 +719,7 @@ typedef enum {
     wait_change_cipher, 
     wait_finished,
     wait_server_hello, 
+    wait_certificate_status,
     wait_server_cert, 
     wait_server_key,
     wait_cert_request, 
@@ -1175,6 +1178,7 @@ const unsigned char *  preferredCipher;
     /* Configuration state for server sockets */
     /* server cert and key for each KEA type */
     sslServerCerts        serverCerts[kt_kea_size];
+    SECItemArray *        certStatusArray;
 
     ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
     ssl3KeyPair *         ephemeralECDHKeyPair; /* for ECDHE-* handshake */

mozilla/security/nss/lib/ssl/sslnonce.c

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslnonce.c,v 1.28 2012-11-14 01:14:12 wtc%google.com Exp $ */
+/* $Id: sslnonce.c,v 1.30 2013-02-15 17:55:41 kaie%kuix.de Exp $ */
 
 #include "cert.h"
 #include "pk11pub.h"
@@ -184,6 +184,12 @@ ssl_DestroySID(sslSessionID *sid)
     if ( sid->peerCert ) {
 	CERT_DestroyCertificate(sid->peerCert);
     }
+    if (sid->peerCertStatus.len) {
+        SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);
+        sid->peerCertStatus.items = NULL;
+        sid->peerCertStatus.len = 0;
+    }
+
     if ( sid->localCert ) {
 	CERT_DestroyCertificate(sid->localCert);
     }

mozilla/security/nss/lib/ssl/sslsock.c

@@ -6,7 +6,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslsock.c,v 1.99 2012-12-20 20:29:36 bsmith%mozilla.com Exp $ */
+/* $Id: sslsock.c,v 1.102 2013-02-15 17:56:19 kaie%kuix.de Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
@@ -153,7 +153,8 @@ static sslOptions ssl_defaults = {
     2,          /* enableRenegotiation (default: requires extension) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
-    PR_TRUE     /* cbcRandomIV        */
+    PR_TRUE,    /* cbcRandomIV        */
+    PR_FALSE    /* enableOCSPStapling */
 };
 
 /*
@@ -326,6 +327,8 @@ ssl_DupSocket(sslSocket *os)
 		                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
 	    ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
 		                  ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
+	    ss->certStatusArray = !os->certStatusArray ? NULL :
+				  SECITEM_DupArray(NULL, os->certStatusArray);
 /*
  * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
  * XXX We should detect this, and not just march on with NULL pointers.
@@ -437,6 +440,10 @@ ssl_DestroySocketContents(sslSocket *ss)
 	ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
 	ss->ephemeralECDHKeyPair = NULL;
     }
+    if (ss->certStatusArray) {
+	SECITEM_FreeArray(ss->certStatusArray, PR_TRUE);
+	ss->certStatusArray = NULL;
+    }
     SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
     PORT_Assert(!ss->xtnData.sniNameArr);
     if (ss->xtnData.sniNameArr) {
@@ -827,6 +834,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
 	ss->opt.cbcRandomIV = on;
 	break;
 
+      case SSL_ENABLE_OCSP_STAPLING:
+       ss->opt.enableOCSPStapling = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
@@ -896,6 +907,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
                                   on = ss->opt.requireSafeNegotiation; break;
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
+    case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -954,6 +966,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
 				  break;
     case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ssl_defaults.cbcRandomIV;        break;
+    case SSL_ENABLE_OCSP_STAPLING:
+       on = ssl_defaults.enableOCSPStapling;
+       break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1117,6 +1132,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
 	ssl_defaults.cbcRandomIV = on;
 	break;
 
+      case SSL_ENABLE_OCSP_STAPLING:
+       ssl_defaults.enableOCSPStapling = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
@@ -1675,6 +1694,13 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
         ss->ephemeralECDHKeyPair =
             ssl3_GetKeyPairRef(sm->ephemeralECDHKeyPair);
     }
+    if (sm->certStatusArray) {
+	if (ss->certStatusArray) {
+	    SECITEM_FreeArray(ss->certStatusArray, PR_TRUE);
+	    ss->certStatusArray = NULL;
+	}
+	ss->certStatusArray = SECITEM_DupArray(NULL, sm->certStatusArray);
+    }
     /* copy trust anchor names */
     if (sm->ssl3.ca_list) {
         if (ss->ssl3.ca_list) {
@@ -1853,6 +1879,25 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
     return SECSuccess;
 }
 
+const SECItemArray *
+SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+
+    if (!ss) {
+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses",
+                SSL_GETPID(), fd));
+       return NULL;
+    }
+
+    if (!ss->sec.ci.sid) {
+       PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+       return NULL;
+    }
+    
+    return &ss->sec.ci.sid->peerCertStatus;
+}
+
 /************************************************************************/
 /* The following functions are the TOP LEVEL SSL functions.
 ** They all get called through the NSPRIOMethods table below.
@@ -2190,6 +2235,34 @@ ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
     return (PRStatus)(*ss->ops->getsockname)(ss, name);
 }
 
+SECStatus
+SSL_SetStapledOCSPResponses(PRFileDesc *fd, SECItemArray *responses,
+			    PRBool takeOwnership)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (ss->certStatusArray) {
+        SECITEM_FreeArray(ss->certStatusArray, PR_TRUE);
+        ss->certStatusArray = NULL;
+    }
+    if (responses) {
+	if (takeOwnership) {
+	    ss->certStatusArray = responses;
+	}
+	else {
+	    ss->certStatusArray = SECITEM_DupArray(NULL, responses);
+	}
+    }
+    return (ss->certStatusArray || !responses) ? SECSuccess : SECFailure;
+}
+
 SECStatus
 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID)
 {
@@ -2197,7 +2270,7 @@ SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID)
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }
@@ -2890,6 +2963,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
 	}
 	ss->stepDownKeyPair    = NULL;
 	ss->dbHandle           = CERT_GetDefaultCertDB();
+	ss->certStatusArray    = NULL;
 
 	/* Provide default implementation of hooks */
 	ss->authCertificate    = SSL_AuthCertificate;

mozilla/security/nss/lib/ssl/sslt.h

@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslt.h,v 1.23 2012-06-07 02:06:19 wtc%google.com Exp $ */
+/* $Id: sslt.h,v 1.24 2013-02-15 17:52:45 kaie%kuix.de Exp $ */
 
 #ifndef __sslt_h_
 #define __sslt_h_
@@ -175,6 +175,7 @@ typedef enum {
 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
 typedef enum {
     ssl_server_name_xtn              = 0,
+    ssl_cert_status_xtn              = 5,
 #ifdef NSS_ENABLE_ECC
     ssl_elliptic_curves_xtn          = 10,
     ssl_ec_point_formats_xtn         = 11,
@@ -185,6 +186,6 @@ typedef enum {
     ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
 } SSLExtensionType;
 
-#define SSL_MAX_EXTENSIONS             7
+#define SSL_MAX_EXTENSIONS             8
 
 #endif /* __sslt_h_ */

mozilla/security/nss/lib/util/nssutil.def

@@ -261,3 +261,12 @@ NSSUTIL_QuoteSize;
 ;+    local:
 ;+       *;
 ;+};
+;+NSSUTIL_3.14.2 {         # NSS Utilities 3.14.2 release
+;+    global:
+SECITEM_AllocArray;
+SECITEM_DupArray;
+SECITEM_FreeArray;
+SECITEM_ZfreeArray;
+;+    local:
+;+       *;
+;+};

mozilla/security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.14.3.0"
+#define NSSUTIL_VERSION  "3.14.4.0 Beta"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   14
-#define NSSUTIL_VPATCH   3
+#define NSSUTIL_VPATCH   4
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_BETA     PR_TRUE
 
 SEC_BEGIN_PROTOS
 

mozilla/security/nss/lib/util/seccomon.h

@@ -9,7 +9,7 @@
  * for security libraries.  It should not be dependent on any other
  * headers, and should not require linking with any libraries.
  *
- * $Id: seccomon.h,v 1.8 2012-04-25 14:50:16 gerv%gerv.net Exp $
+ * $Id: seccomon.h,v 1.9 2013-02-15 17:55:42 kaie%kuix.de Exp $
  */
 
 #ifndef _SECCOMMON_H_
@@ -56,6 +56,13 @@ struct SECItemStr {
     unsigned int len;
 };
 
+typedef struct SECItemArrayStr SECItemArray;
+
+struct SECItemArrayStr {
+    SECItem *items;
+    unsigned int len;
+};
+
 /*
 ** A status code. Status's are used by procedures that return status
 ** values. Again the motivation is so that a compiler can generate

mozilla/security/nss/lib/util/secitem.c

@@ -5,13 +5,14 @@
 /*
  * Support routines for SECItem data structure.
  *
- * $Id: secitem.c,v 1.18 2012-04-25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secitem.c,v 1.20 2013-02-15 17:56:19 kaie%kuix.de Exp $
  */
 
 #include "seccomon.h"
 #include "secitem.h"
 #include "base64.h"
 #include "secerr.h"
+#include "secport.h"
 
 SECItem *
 SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
@@ -294,3 +295,125 @@ SECITEM_HashCompare ( const void *k1, const void *k2)
 
     return SECITEM_ItemsAreEqual(i1,i2);
 }
+
+SECItemArray *
+SECITEM_AllocArray(PLArenaPool *arena, SECItemArray *array, unsigned int len)
+{
+    SECItemArray *result = NULL;
+    void *mark = NULL;
+
+    if (arena != NULL) {
+        mark = PORT_ArenaMark(arena);
+    }
+
+    if (array == NULL) {
+        if (arena != NULL) {
+            result = PORT_ArenaZAlloc(arena, sizeof(SECItemArray));
+        } else {
+            result = PORT_ZAlloc(sizeof(SECItemArray));
+        }
+        if (result == NULL) {
+            goto loser;
+        }
+    } else {
+        PORT_Assert(array->items == NULL);
+        result = array;
+    }
+
+    result->len = len;
+    if (len) {
+        if (arena != NULL) {
+            result->items = PORT_ArenaZNewArray(arena, SECItem, len);
+        } else {
+            result->items = PORT_ZNewArray(SECItem, len);
+        }
+        if (result->items == NULL) {
+            goto loser;
+        }
+    } else {
+        result->items = NULL;
+    }
+
+    if (mark) {
+        PORT_ArenaUnmark(arena, mark);
+    }
+    return(result);
+
+loser:
+    if ( arena != NULL ) {
+        if (mark) {
+            PORT_ArenaRelease(arena, mark);
+        }
+        if (array != NULL) {
+            array->items = NULL;
+            array->len = 0;
+        }
+    } else {
+        if (result != NULL && array == NULL) {
+            PORT_Free(result);
+        }
+        /*
+         * If array is not NULL, the above has set array->data and
+         * array->len to 0.
+         */
+    }
+    return(NULL);
+}
+
+void secitem_FreeArray(SECItemArray *array, PRBool zero_items, PRBool freeit)
+{
+    unsigned int i;
+
+    if (!array || !array->len || !array->items)
+        return;
+
+    for (i=0; i<array->len; ++i) {
+        SECItem *item = &array->items[i];
+
+        if (item->data) {
+            if (zero_items) {
+                SECITEM_ZfreeItem(item, PR_FALSE);
+            } else {
+                SECITEM_FreeItem(item, PR_FALSE);
+            }
+        }
+    }
+
+    if (freeit)
+        PORT_Free(array);
+}
+
+void SECITEM_FreeArray(SECItemArray *array, PRBool freeit)
+{
+    secitem_FreeArray(array, PR_FALSE, freeit);
+}
+
+void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit)
+{
+    secitem_FreeArray(array, PR_TRUE, freeit);
+}
+
+SECItemArray *
+SECITEM_DupArray(PLArenaPool *arena, const SECItemArray *from)
+{
+    SECItemArray *result;
+    unsigned int i;
+
+    if (!from || !from->items || !from->len)
+        return NULL;
+
+    result = SECITEM_AllocArray(arena, NULL, from->len);
+    if (!result)
+        return NULL;
+
+    for (i=0; i<from->len; ++i) {
+        SECStatus rv = SECITEM_CopyItem(arena,
+                                        &result->items[i], &from->items[i]);
+        if (rv != SECSuccess) {
+            SECITEM_ZfreeArray(result, PR_TRUE);
+            return NULL;
+        }
+    }
+
+    return result;
+}

mozilla/security/nss/lib/util/secitem.h

@@ -11,7 +11,7 @@
  * secitem.h - public data structures and prototypes for handling
  *	       SECItems
  *
- * $Id: secitem.h,v 1.9 2012-04-25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secitem.h,v 1.11 2013-02-15 17:56:19 kaie%kuix.de Exp $
  */
 
 #include "plarena.h"
@@ -90,6 +90,12 @@ PLHashNumber PR_CALLBACK SECITEM_Hash ( const void *key);
 
 PRIntn PR_CALLBACK SECITEM_HashCompare ( const void *k1, const void *k2);
 
+extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
+                                        SECItemArray *array,
+                                        unsigned int len);
+extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena, const SECItemArray *from);
+extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
+extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
 
 SEC_END_PROTOS
 

mozilla/security/nss/tests/all.sh

@@ -183,7 +183,7 @@ run_cycle_upgrade_db()
     init_directories
 
     if [ -r "${OLDHOSTDIR}/cert.log" ]; then
-        DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA tools/copydir cert.log cert.done tests.*"
+        DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
         for i in $DIRS
         do
             cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
@@ -281,7 +281,7 @@ ALL_TESTS=${TESTS}
 nss_ssl_tests="crl bypass_normal normal_bypass fips_normal normal_fips iopr"
 NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
 
-nss_ssl_run="cov auth stress"
+nss_ssl_run="cov auth stapling stress"
 NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
 
 SCRIPTNAME=all.sh

mozilla/security/nss/tests/cert/cert.sh

@@ -74,6 +74,23 @@ cert_log() ######################    write the cert_status file
     echo $* >>${CERT_LOG_FILE}
 }
 
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout.
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+    echo "${CU_ACTION} --------------------------"
+
+    echo "pk12util $@"
+    ${BINDIR}/pk12util $@
+    RET=$?
+
+    return $RET
+}
+
 ################################ certu #################################
 # local shell function to call certutil, also: writes action and options to
 # stdout, sets variable RET and writes results to the html file results
@@ -921,6 +938,12 @@ cert_ssl()
   else
       cert_log "SUCCESS: SSL passed"
   fi
+
+  echo "$SCRIPTNAME: Creating database for OCSP stapling tests  ==============="
+  echo "cp -rv ${SERVERDIR} ${STAPLINGDIR}"
+  cp -rv ${R_SERVERDIR} ${R_STAPLINGDIR}
+  pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
+  pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
 }
 ############################## cert_stresscerts ################################
 # local shell function to create client certs for SSL stresstest

mozilla/security/nss/tests/common/init.sh

@@ -75,6 +75,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
         IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
 
         CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+        STAPLINGDIR=${HOSTDIR}/stapling
 
         PWFILE=${HOSTDIR}/tests.pw
         NOISE_FILE=${HOSTDIR}/tests_noise
@@ -537,6 +538,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     R_EXT_SERVERDIR=../ext_server
     R_EXT_CLIENTDIR=../ext_client
     R_CERT_EXT=../cert_extensions
+    R_STAPLINGDIR=../stapling
 
     #
     # profiles are either paths or domains depending on the setting of

mozilla/security/nss/tests/dbupgrade/dbupgrade.sh

@@ -63,7 +63,7 @@ dbupgrade_main()
 	# test upgrade to the new database
 	echo "nss" > ${PWFILE}
 	html_head "Legacy to shared Library update"
-	dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA tools/copydir"
+	dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA stapling tools/copydir"
 	for i in $dirs
 	do
 		echo $i

mozilla/security/nss/tests/memleak/memleak.sh

@@ -93,7 +93,7 @@ memleak_init()
 				FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_64int_3"
 			else
 				FREEBL_DEFAULT="libfreebl_32fpu_3"
-				FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int_3 libfreebl_32int64_3"
+				FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int64_3"
 			fi
 		else
 			if [ "${BIT_NAME}" = "64" ] ; then
@@ -366,11 +366,19 @@ run_selfserv_dbg()
 run_strsclnt()
 {
 	for cipher in ${cipher_list}; do
-		ATTR="${STRSCLNT_ATTR} -C ${cipher}"
+		VMIN="ssl3"
-		if [ "${cipher}" = "f" -o "${cipher}" = "g" ] ; then
+		VMAX=
+		case "${cipher}" in
+		A|B|C|D|E|F)
+			# Enable SSL 2 only for SSL 2 cipher suites.
+			VMIN="ssl2"
+			;;
+		f|g)
 			# TLS 1.1 disallows export cipher suites.
-			ATTR="${ATTR} -V :tls1.0"
+			VMAX="tls1.0"
-		fi
+			;;
+		esac
+		ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}"
 		echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:"
 		echo "strsclnt ${ATTR}"
 		${BINDIR}/strsclnt ${ATTR}
@@ -403,11 +411,19 @@ run_strsclnt()
 run_strsclnt_dbg()
 {
 	for cipher in ${cipher_list}; do
-		ATTR="${STRSCLNT_ATTR} -C ${cipher}"
+		VMIN="ssl3"
-		if [ "${cipher}" = "f" -o "${cipher}" = "g" ] ; then
+		VMAX=
+		case "${cipher}" in
+		A|B|C|D|E|F)
+			# Enable SSL 2 only for SSL 2 cipher suites.
+			VMIN="ssl2"
+			;;
+		f|g)
 			# TLS 1.1 disallows export cipher suites.
-			ATTR="${ATTR} -V :tls1.0"
+			VMAX="tls1.0"
-		fi
+			;;
+		esac
+		ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}"
 		${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR}
 		ret=$?
 		if [ $ret -ne 0 ]; then

mozilla/security/nss/tests/ocsp/ocsp.sh

@@ -44,9 +44,75 @@ ocsp_init()
   SCRIPTNAME=ocsp.sh
   echo "$SCRIPTNAME: OCSP tests ==============================="
 
+  REQF=${QADIR}/ssl/sslreq.dat
+
   cd ${CLIENTDIR}
 }
 
+ocsp_stapling()
+{
+  TESTNAME="startssl valid, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}
+  html_msg $? 0 "$TESTNAME"
+
+  TESTNAME="startssl revoked, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
+  html_msg $? 3 "$TESTNAME"
+
+  TESTNAME="comodo trial test expired revoked, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}
+  html_msg $? 1 "$TESTNAME"
+
+  TESTNAME="thawte (expired) valid, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}
+  html_msg $? 1 "$TESTNAME"
+
+  TESTNAME="thawte (expired) revoked, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}
+  html_msg $? 1 "$TESTNAME"
+
+  TESTNAME="digicert valid, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}
+  html_msg $? 0 "$TESTNAME"
+
+  TESTNAME="digicert revoked, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}
+  html_msg $? 3 "$TESTNAME"
+
+  TESTNAME="live valid, supports OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}
+  html_msg $? 0 "$TESTNAME"
+
+  TESTNAME="startssl valid, doesn't support OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}
+  html_msg $? 2 "$TESTNAME"
+
+  TESTNAME="cacert untrusted, doesn't support OCSP stapling"
+  echo "$SCRIPTNAME: $TESTNAME"
+  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}"
+  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}
+  html_msg $? 1 "$TESTNAME"
+}
+
 ################## main #################################################
 ocsp_init
 ocsp_iopr_run
+ocsp_stapling

mozilla/security/nss/tests/ssl/ssl.sh

@@ -58,7 +58,7 @@ ssl_init()
 
   PORT=${PORT-8443}
   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
-  nss_ssl_run="cov auth stress"
+  nss_ssl_run="stapling cov auth stress"
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
 
   # Test case files
@@ -404,6 +404,131 @@ ssl_auth()
   html "</TABLE><BR>"
 }
 
+ssl_stapling_sub()
+{
+    testname=$1
+    SO=$2
+    value=$3
+
+    if [ "$NORM_EXT" = "Extended Test" ] ; then
+	# these tests use the ext_client directory for tstclnt,
+	# which doesn't contain the required "TestCA" for server cert
+	# verification, I don't know if it would be OK to add it...
+	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+	return 0
+    fi
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+	return 0
+    fi
+
+    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+    echo "${testname}"
+
+    start_selfserv
+
+    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+	    >${TMP}/$HOST.tmp.$$  2>&1
+    ret=$?
+    cat ${TMP}/$HOST.tmp.$$
+    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+    # hopefully no workaround for bug #402058 needed here?
+    # (see commands in ssl_auth
+
+    html_msg $ret $value "${testname}" \
+	    "produced a returncode of $ret, expected is $value"
+    kill_selfserv
+
+    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+ssl_stapling_stress()
+{
+    testname="Stress OCSP stapling, server uses random status"
+    SO="-A TestCA -T random"
+    value=0
+
+    if [ "$NORM_EXT" = "Extended Test" ] ; then
+	# these tests use the ext_client directory for tstclnt,
+	# which doesn't contain the required "TestCA" for server cert
+	# verification, I don't know if it would be OK to add it...
+	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+	return 0
+    fi
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+	return 0
+    fi
+
+    SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+    SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+    SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+    P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+    echo "${testname}"
+    start_selfserv
+
+    echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+    echo "         -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}"
+    echo "strsclnt started at `date`"
+    ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+	    -c 1000 -V ssl3: -N -T $verbose ${HOSTADDR}
+    ret=$?
+
+    echo "strsclnt completed at `date`"
+    html_msg $ret $value \
+	    "${testname}" \
+	    "produced a returncode of $ret, expected is $value."
+    kill_selfserv
+
+    SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+    P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+  html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+  # tstclnt Exit code:
+  # 0: have fresh and valid revocation data, status good
+  # 1: cert failed to verify, prior to revocation checking
+  # 2: missing, old or invalid revocation data
+  # 3: have fresh and valid revocation data, status revoked
+
+  # selfserv modes
+  # good, revoked, unkown: Include locally signed response. Requires: -A
+  # failure: Include OCSP failure status, such as "try later" (unsigned)
+  # badsig: use a good status but with an invalid signature
+  # corrupted: stapled cert status is an invalid block of data
+
+  ssl_stapling_sub "OCSP stapling, signed response, good status"     "-A TestCA -T good"      0
+  ssl_stapling_sub "OCSP stapling, signed response, revoked status"  "-A TestCA -T revoked"   3
+  ssl_stapling_sub "OCSP stapling, signed response, unknown status"  "-A TestCA -T unknown"   2
+  ssl_stapling_sub "OCSP stapling, unsigned failure response"        "-A TestCA -T failure"   2
+  ssl_stapling_sub "OCSP stapling, good status, bad signature"       "-A TestCA -T badsig"    2
+  ssl_stapling_sub "OCSP stapling, invalid cert status data"         "-A TestCA -T corrupted" 2
+  ssl_stapling_sub "Valid cert, Server doesn't staple"               ""                       2
+
+  ssl_stapling_stress
+
+  html "</TABLE><BR>"
+}
+
 
 ############################## ssl_stress ##############################
 # local shell function to perform SSL stress test
@@ -801,6 +926,9 @@ ssl_run()
     for SSL_RUN in ${NSS_SSL_RUN}
     do
         case "${SSL_RUN}" in
+        "stapling")
+            ssl_stapling
+            ;;
         "cov")
             ssl_cov
             ;;

mozilla/security/nss/tests/ssl/sslcov.txt

@@ -72,29 +72,6 @@
   noECC  TLS11   y    TLS11_RSA_WITH_AES_256_CBC_SHA
   noECC  TLS11   z    TLS11_RSA_WITH_NULL_SHA
 #
-# ECC ciphers (SSL3)
-#
-   ECC   SSL3  :C001 SSL3_ECDH_ECDSA_WITH_NULL_SHA
-   ECC   SSL3  :C002 SSL3_ECDH_ECDSA_WITH_RC4_128_SHA
-   ECC   SSL3  :C003 SSL3_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-   ECC   SSL3  :C004 SSL3_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-   ECC   SSL3  :C005 SSL3_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-   ECC   SSL3  :C006 SSL3_ECDHE_ECDSA_WITH_NULL_SHA
-   ECC   SSL3  :C007 SSL3_ECDHE_ECDSA_WITH_RC4_128_SHA
-   ECC   SSL3  :C008 SSL3_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-   ECC   SSL3  :C009 SSL3_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-   ECC   SSL3  :C00A SSL3_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-   ECC   SSL3  :C00B SSL3_ECDH_RSA_WITH_NULL_SHA
-   ECC   SSL3  :C00C SSL3_ECDH_RSA_WITH_RC4_128_SHA
-   ECC   SSL3  :C00D SSL3_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-   ECC   SSL3  :C00E SSL3_ECDH_RSA_WITH_AES_128_CBC_SHA
-   ECC   SSL3  :C00F SSL3_ECDH_RSA_WITH_AES_256_CBC_SHA
-   ECC   SSL3  :C010 SSL3_ECDHE_RSA_WITH_NULL_SHA
-   ECC   SSL3  :C011 SSL3_ECDHE_RSA_WITH_RC4_128_SHA
-   ECC   SSL3  :C012 SSL3_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-   ECC   SSL3  :C013 SSL3_ECDHE_RSA_WITH_AES_128_CBC_SHA
-   ECC   SSL3  :C014 SSL3_ECDHE_RSA_WITH_AES_256_CBC_SHA
-#
 # ECC ciphers (TLS)
 #
    ECC   TLS10  :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA

mozilla/security/nss/tests/ssl/sslstress.txt

@@ -35,8 +35,7 @@
 #
 # ############################ ECC ciphers ############################
 #
-   ECC      0      -c_:C009  -c_100_-C_:C009_-N_-V_:ssl3  Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C009  -V_ssl3:_-c_100_-C_:C009_-N  Stress TLS  ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
-   ECC      0      -c_:C013  -c_1000_-C_:C013_-V_:ssl3    Stress SSL3 ECDHE-RSA   AES 128 CBC with SHA
    ECC      0      -c_:C004  -V_ssl3:_-c_100_-C_:C004_-N  Stress TLS  ECDH-ECDSA  AES 128 CBC with SHA (no reuse)
    ECC      0      -c_:C00E  -V_ssl3:_-c_100_-C_:C00E_-N  Stress TLS  ECDH-RSA    AES 128 CBC with SHA (no reuse)
    ECC      0      -c_:C013  -V_ssl3:_-c_1000_-C_:C013    Stress TLS  ECDHE-RSA   AES 128 CBC with SHA
@@ -44,9 +43,9 @@
 #
 # add client auth versions here...
 #
-   ECC      0      -r_-r_-c_:C009  -c_10_-C_:C009_-N_-V_:ssl3_-n_TestUser-ec Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C009  -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
-   ECC      0      -r_-r_-c_:C013  -c_100_-C_:C013_-V_:ssl3_-n_TestUser-ec Stress SSL3 ECDHE-RSA AES 128 CBC with SHA (client auth)
+   ECC      0      -r_-r_-c_:C013  -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
-   ECC      0      -r_-r_-c_:C004  -c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C004  -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
-   ECC      0      -r_-r_-c_:C00E  -c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C00E  -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
-   ECC      0      -r_-r_-c_:C013  -c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+   ECC      0      -r_-r_-c_:C013  -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
    ECC      0      -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)

mozilla/webtools/aus/README

@@ -1,11 +1 @@
-AUS
+AUS is on death's door. https://wiki.mozilla.org/Balrog is the new hotness.
-
-AUS is a multi-faceted web service.  It contains:
-    * ./? -- build scripts for patch generation and creation of update metadata
-    * ./xml -- PHP XML generation code based on build data
-    * ./sanity -- Simple PHP scripts to test for regressions
-
-For more information on AUS, view the wiki page at:
-    http://wiki.mozilla.org/AUS
-
-Contact: <morgamic@mozilla.com>

mozilla/webtools/aus/xml/inc/config-dist.php

@@ -75,6 +75,11 @@ define('THROTTLE_LEVEL',100);
 // Turns logging throttled hits on and off.
 define('THROTTLE_LOGGING',false);
 
+// This defines explicit throttling levels per locale. It overrides global and 
+// product throttling only for the specified locales.
+
+$localeThrottling = array(
+);
 // This defines explicit throttling levels.  If global throttling is on, these
 // override global levels.  If it is off, this still works.  For example, this
 // is 10% throttling (only 10% of the time updates are offered):
@@ -83,6 +88,92 @@ define('THROTTLE_LOGGING',false);
 //       "UNTHROTTLED"     == 100 (or remove the entry)
 
 $productThrottling = array(
+    'Firefox' => array(
+        '10.0' => 100,
+        '10.0.1' => 100,
+        '10.0.2' => 100,
+        '11.0' => 100,
+        '12.0' => 100,
+        '13.0' => 100,
+        '13.0.1' => 100,
+        '14.0.1' => 100,
+        '15.0' => 100,
+        '15.0.1' => 100,
+        '16.0' => 100,
+        '16.0.1' => 100,
+        '16.0.2' => 100,
+        '17.0' => 100,
+        '17.0.1' => 100,
+        '18.0' => 100,
+        '18.0.1' => 100,
+        '18.0.2' => 100,
+        '19.0' => 100,
+        '19.0.1' => 100,
+        '19.0.2' => 100,
+        '20.0' => 100,
+        '20.0.1' => 100,
+        '21.0' => 100,
+        '22.0' => 100,
+        '23.0' => 100,
+        '23.0.1' => 100,
+        '24.0' => 100,
+        '25.0' => 100,
+        '25.0.1' => 100,
+        '26.0' => 100,
+        '27.0' => 100,
+        '27.0.1' => 100,
+        '28.0' => 100,
+        '29.0' => 100,
+        '29.0.1' => 100,
+        '30.0' => 100,
+        '31.0' => 100,
+        '32.0' => 100,
+        '32.0.1' => 100,
+        '32.0.2' => 100,
+        '32.0.3' => 100,
+        '33.0' => 100,
+        '33.0.1' => 100,
+        '33.0.2' => 100,
+        '33.0.3' => 100,
+        '33.1' => 100,
+        '33.1.1' => 100,
+        '34.0' => 100,
+        '34.0.5' => 100,
+    ),
+    'Thunderbird' => array(
+        '10.0'   => 100,
+        '10.0.1' => 100,
+        '10.0.2' => 100,
+        '11.0'   => 100,
+        '11.0.1' => 100,
+        '12.0'   => 100,
+        '12.0.1' => 100,
+        '13.0'   => 100,
+        '13.0.1' => 100,
+        '14.0'   => 100,
+        '15.0'   => 100,
+        '15.0.1' => 100,
+        '16.0'   => 100,
+        '16.0.1' => 100,
+        '16.0.2' => 100,
+        '17.0'   => 100,
+        '17.0.2' => 100,
+        '17.0.3' => 100,
+        '17.0.4' => 100,
+        '17.0.5' => 100,
+        '17.0.6' => 100,
+        '17.0.7' => 100,
+        '17.0.8' => 100,
+        '24.0'   => 100,
+        '24.0.1' => 100,
+        '24.1.0' => 100,
+        '24.1.1' => 100,
+        '24.2.0' => 100,
+        '24.3.0' => 100,
+        '24.4.0' => 100,
+        '24.5.0' => 100,
+        '24.6.0' => 100,
+    ),
 );
 
 // List of exceptions for throttling.
@@ -98,7 +189,350 @@ $productThrottling = array(
 // In this example, 3.0.11 with channel names that match these channels will not
 // be throttled unless there is a global throttle enabled.
 $throttleExceptions = array(
- );
+    '10.0' => array(
+            'betatest',
+            'releasetest',
+            'esrtest',
+            'esrreleasetest',
+            'beta',
+            'esr'
+        ),
+    '10.0.1' => array(
+            'betatest',
+            'releasetest',
+            'esrtest',
+            'esrreleasetest',
+            'beta',
+            'esr'
+        ),
+    '10.0.2' => array(
+            'betatest',
+            'releasetest',
+            'esrtest',
+            'esrreleasetest',
+            'beta',
+            'esr'
+        ),
+    '11.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '12.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '13.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '13.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '14.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '15.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '15.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '16.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '16.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '16.0.2' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '17.0' => array(
+            'betatest',
+            'releasetest',
+            'esrtest',
+            'esrreleasetest',
+            'esr',
+            'beta'
+        ),
+    '17.0.1' => array(
+            'betatest',
+            'releasetest',
+            'esrtest',
+            'esrreleasetest',
+            'esr',
+            'beta'
+        ),
+    '17.0.2' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.3' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.4' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.5' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.6' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.7' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '17.0.8' => array(
+         'esrtest',
+         'esrreleasetest',
+         'esr'
+        ),
+    '18.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '18.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '18.0.2' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '19.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '19.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '19.0.2' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '20.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '20.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '21.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '22.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '23.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '23.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.0' => array(
+            'betatest',
+            'releasetest',
+            'beta',
+            'esrtest',
+            'esrreleasetest',
+            'esr',
+        ),
+    '24.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.1.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.1.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.2.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.3.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.4.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.5.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '24.6.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '25.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '25.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '26.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '27.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '27.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '28.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '29.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '29.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '30.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '31.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '32.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '32.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '32.0.2' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '32.0.3' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.0.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.0.2' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.0.3' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '33.1.1' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '34.0' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+    '34.0.5' => array(
+            'betatest',
+            'releasetest',
+            'beta'
+        ),
+);
 
  
 // These are channels that have access to nightly updates.
@@ -106,6 +540,7 @@ $throttleExceptions = array(
 $nightlyChannels = array(
     'nightly',
     'nightlytest',
+    'nightly-alder',
     'nightly-tracemonkey',
     'nightly-electrolysis',
     'nightly-mozilla-2.1',
@@ -115,11 +550,14 @@ $nightlyChannels = array(
     'nightly-birch',
     'nightly-ash',
     'nightly-elm',
+    'nightly-fig',
     'nightly-ionmonkey',
     'nightly-oak',
     'nightly-profiling',
     'nightly-esr10',
     'nightly-esr17',
+    'nightly-esr24',
+    'nightly-esr31',
     'aurora',
     'auroratest'
 );
@@ -129,10 +567,21 @@ $nightlyChannels = array(
 // @todo replace this with a better datasource that can be easily managed via a GUI.
 // The ordering is !important!, given the wildcard block at the bottom.
 $productBranchVersions = array(
+    'MetroFirefox'     =>  array(
+        '*'       => array(
+           'nightly'                 => 'mozilla-central',
+           'nightlytest'             => 'mozilla-central-test',
+           'nightly-alder'           => 'alder',
+           'nightly-oak'             => 'oak',
+           'aurora'                  => 'mozilla-aurora',
+           'auroratest'              => 'mozilla-aurora-test'
+        )
+    ),
     'Firefox'     =>  array(
         '*'       => array(
            'nightly'                 => 'mozilla-central',
            'nightlytest'             => 'mozilla-central-test',
+           'nightly-alder'           => 'alder',
            'nightly-tracemonkey'     => 'tracemonkey',
            'nightly-electrolysis'    => 'electrolysis',
            'nightly-jaegermonkey'    => 'jaegermonkey',
@@ -144,8 +593,10 @@ $productBranchVersions = array(
            'nightly-ionmonkey'       => 'ionmonkey',
            'nightly-oak'             => 'oak',
            'nightly-profiling'       => 'mozilla-central',
-           'nightly-esr10'           => 'mozilla-esr10',
+           'nightly-esr10'           => 'mozilla-esr24',
-           'nightly-esr17'           => 'mozilla-esr17',
+           'nightly-esr17'           => 'mozilla-esr24',
+           'nightly-esr24'           => 'mozilla-esr31',
+           'nightly-esr31'           => 'mozilla-esr31',
            'aurora'                  => 'mozilla-aurora',
            'auroratest'              => 'mozilla-aurora-test'
         )
@@ -160,7 +611,8 @@ $productBranchVersions = array(
            'nightly-birch'           => 'mozilla-central',
            'nightly-ash'             => 'ash',
            'nightly-maple'           => 'maple',
-           'nightly-oak'             => 'oak'
+           'nightly-oak'             => 'oak',
+           'nightly-fig'             => 'fig'
         )
     ),
     'Thunderbird' =>  array(
@@ -169,6 +621,8 @@ $productBranchVersions = array(
            'nightlytest'    => 'comm-central-test',
            'nightly-esr10'  => 'comm-esr10',
            'nightly-esr17'  => 'comm-esr17',
+           'nightly-esr24'  => 'comm-esr24',
+           'nightly-esr31'  => 'comm-esr31',
            'aurora'         => 'comm-aurora',
            'auroratest'     => 'comm-aurora-test'
         ),
@@ -287,7 +741,7 @@ $unsupportedPlatforms = array(
             'GTK 2.15.',
             'GTK 2.16.',
             'GTK 2.17.',
-        ),
+        )
     ),
     'Thunderbird'     =>  array(
         // Mac 10.2/10.3, Win < 2k, GTK < 2.10 - bug 418129

mozilla/webtools/aus/xml/inc/patch.class.php

@@ -362,7 +362,7 @@ class Patch extends AUS_Object {
         //
         // If the file does exist, we don't ever fall back, which is the hacky way to stop the fallback behavior,
         // but the only way we have so far.
-        if (!$this->isChangingChannel() && !empty($channel) && $this->setPath($product,$platform,$locale,$version,$build,3,$channel) && !file_exists($this->path) && preg_match('/^[\w\-]+\-cck\-.[\w\-]+$/',$channel)) {
+        if (!$this->isChangingChannel() && !empty($channel) && $this->setPath($product,$platform,$locale,$version,$build,3,$channel) && !file_exists($this->path) && preg_match('/^[\w\-]+\-cck\-.[\w\-\.]+$/',$channel)) {
 
             // Partner fallback channel to be used if the partner-specific update doesn't exist or work.
             $buf = array();

mozilla/webtools/aus/xml/index.php

@@ -100,7 +100,6 @@ if ( $clean['product'] == 'Firefox'
         exit;
 }
 
- 
 // Check to see if the user is explicitly requesting an update.  If they are,
 // skip throttling.  If they aren't, and throttling is enabled, first check
 // explicit throttling.  If no specific rules exist, fallback to global rules.
@@ -113,12 +112,16 @@ if ( (empty($_GET['force']) || $_GET['force']!=1) ) {
     $aus = new AUS_Object();
 
     // Check explicit throttling.
-    if ( !$aus->isThrottleException($clean['version'], $clean['channel'])
+    if ( !$aus->isThrottleException($clean['version'], $clean['channel']) ) {
-         && isset($productThrottling[$clean['product']][$clean['version']]) 
+        // check if locale based throttling is set. Do not use product based throttling if set
-         && mt_rand(0,99) >= $productThrottling[$clean['product']][$clean['version']]
+        if ( isset($localeThrottling[$clean['product']][$clean['version']][$clean['locale']]) ) {
-         ) {
+            if ( mt_rand(0,99) >= $localeThrottling[$clean['product']][$clean['version']][$clean['locale']] ){
-        $throttleMe = true;
+                $throttleMe = true;
-
+            }
+        } elseif ( isset($productThrottling[$clean['product']][$clean['version']])
+                 && mt_rand(0,99) >= $productThrottling[$clean['product']][$clean['version']] ) {
+            $throttleMe = true;
+        }
     // Check global throttling.
     } elseif ( defined('THROTTLE_GLOBAL') && THROTTLE_GLOBAL && 
       defined('THROTTLE_LEVEL') &&

mozilla/webtools/aus/xml/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

mozilla/webtools/bonsai/defparams.pl

@@ -42,7 +42,7 @@ sub WriteParams {
     my $v = $::param{'version'};
     delete $::param{'version'};  # Don't write the version number out to
                                 # the params file.
-    print PARAM_FID GenerateCode('%::param');
+    print PARAM_FID Data::Dumper->Dump([\%::param], ['*::param']);
     $::param{'version'} = $v;
     print PARAM_FID "1;\n";
     close PARAM_FID;

mozilla/webtools/bonsai/globals.pl

@@ -36,6 +36,8 @@ use Mail::Mailer;
 use Mail::Internet;
 use Mail::Header;
 
+use Data::Dumper;
+
 $ENV{'MAILADDRESS'} = Param('maintainer');
 
 # use Carp;                       # for confess
@@ -261,63 +263,6 @@ sub SplitEnumType {
 }
 
 
-##
-##  Routines to generate perl code that will reinitialize variables
-##  correctly when eval'ed
-##
-
-
-# Generate a string which, when later interpreted by the Perl compiler, will
-# be the same as the given string.
-sub PerlQuote {
-    my ($str) = (@_);
-
-    $str =~ s/([\\\'])/\\$1/g;
-    $str =~ s/\0/\\0/g;
-    return "'$str'";
-}
-
-sub GenerateArrayCode {
-    my ($ref) = (@_);
-    my @list;
-    foreach my $i (@$ref) {
-        push @list, PerlQuote($i);
-    }
-    return join(',', @list);
-}
-
-
-# Given the name of a global variable, generate Perl code that, if later
-# executed, would restore the variable to its current value.
-
-sub GenerateCode {
-    my ($name) = (@_);
-    my $result = $name . " = ";
-    if ($name =~ /^\$/) {
-        my $value = eval($name);
-        if (ref($value) eq "ARRAY") {
-            $result .= "[" . GenerateArrayCode($value) . "]";
-        } else {
-            $result .= PerlQuote(eval($name));
-        }
-    } elsif ($name =~ /^@/) {
-        my @value = eval($name);
-        $result .= "(" . GenerateArrayCode(\@value) . ")";
-    } elsif ($name =~ '%') {
-        $result = "";
-        foreach my $k (sort { uc($a) cmp uc($b)} eval("keys $name")) {
-            $result .= GenerateCode("\$" . substr($name, 1) .
-                                    "{'" . $k . "'}");
-        }
-        return $result;
-    } else {
-        die "Can't do $name -- unacceptable variable type.";
-    }
-    $result .= ";\n";
-    return $result;
-}
-
-
 ##
 ##  Locking and Logging routines
 ##
@@ -650,7 +595,7 @@ sub PickNewBatchID {
      $batchfile = DataDir() . "/batchid.pl";
 
      LockOpen(\*BATCH, "> $batchfile", "Couldn't write $batchfile");
-     print BATCH GenerateCode('$::BatchID');
+     print BATCH Data::Dumper->Dump([\$::BatchID],['*::BatchID']);
      close(BATCH);
      Unlock();
 }
@@ -709,14 +654,14 @@ sub WriteCheckins {
 
      undef(%person);
 
-     foreach $i ('TreeOpen', 'LastGoodTimeStamp', 'CloseTimeStamp') {
+     print TEMP Data::Dumper->Dump([\$::TreeOpen, \$::LastGoodTimeStamp,
-          print TEMP GenerateCode("\$::$i");
+                                    \$::CloseTimeStamp, \@::CheckInList],
-     }
+                                   ['*::TreeOpen','*::LastGoodTimeStamp',
-     print TEMP GenerateCode('@::CheckInList');
+                                    '*::CloseTimeStamp','*::CheckInList']);
      foreach $checkin (@::CheckInList) {
           my $info = eval("\\\%$checkin");
 
-          print TEMP GenerateCode("\%$checkin");
+          print TEMP Data::Dumper->Dump([\%$checkin],['*'.$checkin]);
           $person{$$info{'person'}} = 1;
      }
      print TEMP "1;\n";
@@ -791,7 +736,7 @@ sub WriteMOTD {
 
      LockOpen(\*MOTD, "> $motd_file", "Couldn't create $motd_file");
      chmod(0666, $motd_file);
-     print MOTD GenerateCode('$::MOTD');
+     print MOTD Data::Dumper->Dump([\$::MOTD],['*::MOTD']);
      close(MOTD);
      Unlock();
 }

mozilla/webtools/bugzilla/.bzrignore

@@ -1,10 +1,8 @@
 .htaccess
 /lib/*
 /template/en/custom
-/docs/bugzilla.ent
-/docs/en/xml/bugzilla.ent
-/docs/en/txt
 /docs/en/html
+/docs/en/txt
 /docs/en/pdf
 /skins/custom
 /graphs
@@ -12,21 +10,5 @@
 /localconfig
 /index.html
 
-/skins/contrib/Dusk/IE-fixes.css
 /skins/contrib/Dusk/admin.css
-/skins/contrib/Dusk/attachment.css
+/skins/contrib/Dusk/bug.css
-/skins/contrib/Dusk/create_attachment.css
-/skins/contrib/Dusk/dependency-tree.css
-/skins/contrib/Dusk/duplicates.css
-/skins/contrib/Dusk/editusers.css
-/skins/contrib/Dusk/enter_bug.css
-/skins/contrib/Dusk/help.css
-/skins/contrib/Dusk/panel.css
-/skins/contrib/Dusk/page.css
-/skins/contrib/Dusk/params.css
-/skins/contrib/Dusk/reports.css
-/skins/contrib/Dusk/show_bug.css
-/skins/contrib/Dusk/search_form.css
-/skins/contrib/Dusk/show_multiple.css
-/skins/contrib/Dusk/summarize-time.css
-.DS_Store

mozilla/webtools/bugzilla/.bzrrev

@@ -1 +1 @@
-8571
+9388

mozilla/webtools/bugzilla/.gitignore

@@ -0,0 +1,16 @@
+.htaccess
+/lib/*
+/template/en/custom
+/docs/en/rst/extensions/*
+/docs/en/rst/api/extensions/*
+/docs/en/html
+/docs/en/txt
+/docs/en/pdf
+/skins/custom
+/graphs
+/data
+/localconfig
+/index.html
+
+/skins/contrib/Dusk/admin.css
+/skins/contrib/Dusk/bug.css

mozilla/webtools/bugzilla/.gitrev

@@ -0,0 +1 @@
+dc3e779d94ef2be397660f102240d1d9c83d5147

mozilla/webtools/bugzilla/.htaccess

@@ -1,6 +1,21 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
-<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
+<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*|cpanfile)$>
-  deny from all
+  <IfModule mod_version.c>
+    <IfVersion < 2.4>
+      Deny from all
+    </IfVersion>
+    <IfVersion >= 2.4>
+      <IfModule mod_perl.c>
+        Deny from all
+      </IfModule>
+      <IfModule !mod_perl.c>
+        Require all denied
+      </IfModule>
+    </IfVersion>
+  </IfModule>
+  <IfModule !mod_version.c>
+    Deny from all
+  </IfModule>
 </FilesMatch>
 
 Options -Indexes
@@ -26,3 +41,9 @@ Options -Indexes
 </IfModule>
 </IfModule>
 </IfModule>
+
+<IfModule mod_rewrite.c>
+  RewriteEngine On
+  RewriteOptions inherit
+  RewriteRule ^rest/(.*)$ rest.cgi/$1 [NE]
+</IfModule>