
Alexander Scheel cipherboy

cipherboy / gpg.md
Last active July 2, 2019 18:07
How to GPG

Why GPG (the protocol) is hard and why GnuPG (the implementation) is broken

Definitions and an overview of the problem

  • GPG == the PGP protocol + any specific quirks.
  • GnuPG == the application which implements the GPG "standard" (i.e., gpg2 on the command line).

A GPG key consists of:

  • a fingerprint (digest of the modulus of the main key)
  • an identity (created by the key owner)
cipherboy / pki.diff
Created March 29, 2019 15:23
Patch of PKI to support a large size limit
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java
index 6954cb283..af64d1fe4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java
@@ -28,6 +28,7 @@ import com.netscape.certsrv.dbs.IElementProcessor;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.cms.logging.Logger;
+import netscape.ldap.LDAPv2;
import netscape.ldap.LDAPConnection;
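Review bot: the added `import netscape.ldap.LDAPv2;` has no use in the visible lines of this hunk; if the size-limit change relies on an `LDAPv2` constant in a later hunk that is fine, otherwise the import is dead and should be dropped. It is also inserted ahead of `import netscape.ldap.LDAPConnection;`, which breaks the alphabetical ordering of the surrounding `netscape.ldap` imports; move it after `LDAPConnection`.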
cipherboy / filter_packages.sh
Created December 10, 2018 14:58
Filter all package names for PKI -> JSS sync
#!/bin/sh
# Pipes STDIN through a series of sed filters to update package names.
sed 's/\([^.]\)netscape.security.acl.AclEntryImpl/\1org.mozilla.jss.netscape.security.acl.AclEntryImpl/g' |
sed 's/\([^.]\)netscape.security.acl.AclImpl/\1org.mozilla.jss.netscape.security.acl.AclImpl/g' |
sed 's/\([^.]\)netscape.security.acl.AllPermissionsImpl/\1org.mozilla.jss.netscape.security.acl.AllPermissionsImpl/g' |
sed 's/\([^.]\)netscape.security.acl.GroupImpl/\1org.mozilla.jss.netscape.security.acl.GroupImpl/g' |
sed 's/\([^.]\)netscape.security.acl.OwnerImpl/\1org.mozilla.jss.netscape.security.acl.OwnerImpl/g' |
sed 's/\([^.]\)netscape.security.acl.PermissionImpl/\1org.mozilla.jss.netscape.security.acl.PermissionImpl/g' |

jss-cmake:

jss-4.5.0-1.20181119105731.c2199849.fc28.x86_64.rpm
jss-debugsource-4.5.0-1.20181119105731.c2199849.fc28.x86_64.rpm
jss-debuginfo-4.5.0-1.20181119105731.c2199849.fc28.x86_64.rpm
jss-javadoc-4.5.0-1.20181119105731.c2199849.fc28.x86_64.rpm

jss-old (current master):

jss-4.5.0-1.20181119180456.b0627a93.fc28.x86_64.rpm

gif 'CK_EFFECTIVELY_INFINITE'
lib/util/pkcs11t.h:59:#define CK_EFFECTIVELY_INFINITE 0
lib/ckfw/dbm/token.c:172: return CK_EFFECTIVELY_INFINITE;
lib/ckfw/nssckmdt.h:616: * is assumed. XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
lib/ckfw/nssckmdt.h:630: * CK_EFFECTIVELY_INFINITE?
cmd/lib/pk11table.c:581: mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
gif 'CK_UNAVAILABLE_INFORMATION'
lib/util/pkcs11t.h:58:#define CK_UNAVAILABLE_INFORMATION (~0UL)
lib/ckfw/dbm/token.c:249: /* GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
lib/ckfw/dbm/token.c:250: /* GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
lib/ckfw/dbm/token.c:251: /* GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
lib/ckfw/dbm/token.c:252: /* GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
lib/ckfw/token.c:893: return CK_UNAVAILABLE_INFORMATION;
lib/ckfw/token.c:898: return CK_UNAVAILABLE_INFORMATION;
lib/ckfw/token.c:915: return CK_UNAVAILABLE_INFORMATION;
lib/ckfw/token.c:920: return CK_UNAVAILABLE_INFORMATION;
gif 'CK_INVALID_HANDLE'
nss-tool/db/dbtool.cc:275: rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc:138: EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
gtests/pk11_gtest/pk11_ecdsa_unittest.cc:167: EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
gtests/pk11_gtest/pk11_export_unittest.cc:31: kmo.hClientMacSecret = CK_INVALID_HANDLE;
gtests/pk11_gtest/pk11_export_unittest.cc:32: kmo.hServerMacSecret = CK_INVALID_HANDLE;
gtests/pk11_gtest/pk11_export_unittest.cc:33: kmo.hClientKey = CK_INVALID_HANDLE;
gtests/pk11_gtest/pk11_export_unittest.cc:34: kmo.hServerKey = CK_INVALID_HANDLE;
gtests/softoken_gtest/softoken_gtest.cc:304: PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, "test", false);
lib/ssl/ssl3con.c:7048: peerKey->pkcs11ID = CK_INVALID_HANDLE;
lib/util/pkcs11t.h:33:#define CK_INVALID_SESSION 0
lib/dev/devtoken.c:263: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1127: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1209: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1265: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1331: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1353: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1381: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devtoken.c:1460: if (!session || session->handle == CK_INVALID_SESSION) {
lib/dev/devslot.c:192: if (session->handle != CK_INVALID_SESSION) {
$ gif 'CK_NULL_PTR'
lib/util/pkcs11t.h:28:#define CK_NULL_PTR 0
lib/ckfw/wrap.c:267: if ((CK_INFO_PTR)CK_NULL_PTR == pInfo) {
lib/ckfw/wrap.c:344: if ((CK_ULONG_PTR)CK_NULL_PTR == pulCount) {
lib/ckfw/wrap.c:354: if ((CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList) {
lib/ckfw/wrap.c:431: if ((CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo) {
lib/ckfw/wrap.c:523: if ((CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo) {
lib/ckfw/wrap.c:682: if ((CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot) {
lib/ckfw/wrap.c:687: if ((CK_VOID_PTR)CK_NULL_PTR != pReserved) {
lib/ckfw/wrap.c:761: if ((CK_ULONG_PTR)CK_NULL_PTR == pulCount) {
cipherboy / contents.txt
Last active October 12, 2018 14:04
Comparison of generated NSS's PKCS11Constants.java and Sun's PKCS11Constants.java
Field: CKA_AC_ISSUER - OK
Field: CKA_ALLOWED_MECHANISMS - only JSS
Field: CKA_ALWAYS_AUTHENTICATE - only JSS
Field: CKA_ALWAYS_SENSITIVE - OK
Field: CKA_APPLICATION - OK
Field: CKA_ATTR_TYPES - OK
Field: CKA_AUTH_PIN_FLAGS - OK
Field: CKA_BASE - OK
Field: CKA_BITS_PER_PIXEL - only JSS
Field: CKA_CERTIFICATE_CATEGORY - only JSS