-
Tue May 26 2015 John Dennis <jdennis@redhat.com> - 0.16.0-3
- Resolves: #1225212
Reads from file like objects actually only worked for file objects
- Resolves: #1179573
python-nss-doc package is missing the run_tests script
- Resolves: #1194349
test_pkcs12.py does not work in FIPS mode
-
Tue Nov 25 2014 John Dennis <jdennis@redhat.com> - 0.16.0-2
- Remove the TLS 1.3 symbols from ssl_version_range.py example
because RHEL only has NSS 3.16.
-
Mon Nov 24 2014 John Dennis <jdennis@redhat.com> - 0.16.0-1
- resolves: bug#1155703 - Add API call for SSL_VersionRangeSet (rebase)
rebased to 0.16.0
- The primary enhancements in this version are support for
setting trust attributes on a Certificate, the SSL version range API,
information on the SSL cipher suites and information on the SSL connection.
* The following module functions were added:
- ssl.get_ssl_version_from_major_minor
- ssl.get_default_ssl_version_range
- ssl.get_supported_ssl_version_range
- ssl.set_default_ssl_version_range
- ssl.ssl_library_version_from_name
- ssl.ssl_library_version_name
- ssl.get_cipher_suite_info
- ssl.ssl_cipher_suite_name
- ssl.ssl_cipher_suite_from_name
* The following deprecated module functions were removed:
- ssl.nssinit
- ssl.nss_ini
- ssl.nss_shutdown
* The following classes were added:
- SSLCipherSuiteInfo
- SSLChannelInfo
* The following class methods were added:
- Certificate.trust_flags
- Certificate.set_trust_attributes
- SSLSocket.set_ssl_version_range
- SSLSocket.get_ssl_version_range
- SSLSocket.get_ssl_channel_info
- SSLSocket.get_negotiated_host
- SSLSocket.connection_info_format_lines
- SSLSocket.connection_info_format
- SSLSocket.connection_info_str
- SSLCipherSuiteInfo.format_lines
- SSLCipherSuiteInfo.format
- SSLChannelInfo.format_lines
- SSLChannelInfo.format
* The following class properties were added:
- Certificate.ssl_trust_flags
- Certificate.email_trust_flags
- Certificate.signing_trust_flags
- SSLCipherSuiteInfo.cipher_suite
- SSLCipherSuiteInfo.cipher_suite_name
- SSLCipherSuiteInfo.auth_algorithm
- SSLCipherSuiteInfo.auth_algorithm_name
- SSLCipherSuiteInfo.kea_type
- SSLCipherSuiteInfo.kea_type_name
- SSLCipherSuiteInfo.symmetric_cipher
- SSLCipherSuiteInfo.symmetric_cipher_name
- SSLCipherSuiteInfo.symmetric_key_bits
- SSLCipherSuiteInfo.symmetric_key_space
- SSLCipherSuiteInfo.effective_key_bits
- SSLCipherSuiteInfo.mac_algorithm
- SSLCipherSuiteInfo.mac_algorithm_name
- SSLCipherSuiteInfo.mac_bits
- SSLCipherSuiteInfo.is_fips
- SSLCipherSuiteInfo.is_exportable
- SSLCipherSuiteInfo.is_nonstandard
- SSLChannelInfo.protocol_version
- SSLChannelInfo.protocol_version_str
- SSLChannelInfo.protocol_version_enum
- SSLChannelInfo.major_protocol_version
- SSLChannelInfo.minor_protocol_version
- SSLChannelInfo.cipher_suite
- SSLChannelInfo.auth_key_bits
- SSLChannelInfo.kea_key_bits
- SSLChannelInfo.creation_time
- SSLChannelInfo.creation_time_utc
- SSLChannelInfo.last_access_time
- SSLChannelInfo.last_access_time_utc
- SSLChannelInfo.expiration_time
- SSLChannelInfo.expiration_time_utc
- SSLChannelInfo.compression_method
- SSLChannelInfo.compression_method_name
- SSLChannelInfo.session_id
* The following files were added:
- doc/examples/cert_trust.py
- doc/examples/ssl_version_range.py
* The following constants were added:
- nss.CERTDB_TERMINAL_RECORD
- nss.CERTDB_VALID_PEER
- nss.CERTDB_TRUSTED
- nss.CERTDB_SEND_WARN
- nss.CERTDB_VALID_CA
- nss.CERTDB_TRUSTED_CA
- nss.CERTDB_NS_TRUSTED_CA
- nss.CERTDB_USER
- nss.CERTDB_TRUSTED_CLIENT_CA
- nss.CERTDB_GOVT_APPROVED_CA
- ssl.SRTP_AES128_CM_HMAC_SHA1_32
- ssl.SRTP_AES128_CM_HMAC_SHA1_80
- ssl.SRTP_NULL_HMAC_SHA1_32
- ssl.SRTP_NULL_HMAC_SHA1_80
- ssl.SSL_CK_DES_192_EDE3_CBC_WITH_MD5
- ssl.SSL_CK_DES_64_CBC_WITH_MD5
- ssl.SSL_CK_IDEA_128_CBC_WITH_MD5
- ssl.SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- ssl.SSL_CK_RC2_128_CBC_WITH_MD5
- ssl.SSL_CK_RC4_128_EXPORT40_WITH_MD5
- ssl.SSL_CK_RC4_128_WITH_MD5
- ssl.SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
- ssl.SSL_FORTEZZA_DMS_WITH_NULL_SHA
- ssl.SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
- ssl.SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA
- ssl.SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA
- ssl.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- ssl.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DHE_DSS_WITH_DES_CBC_SHA
- ssl.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- ssl.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- ssl.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DHE_RSA_WITH_DES_CBC_SHA
- ssl.TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DH_DSS_WITH_DES_CBC_SHA
- ssl.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DH_RSA_WITH_DES_CBC_SHA
- ssl.TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
- ssl.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_DH_anon_WITH_AES_128_CBC_SHA
- ssl.TLS_DH_anon_WITH_AES_256_CBC_SHA
- ssl.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_DH_anon_WITH_DES_CBC_SHA
- ssl.TLS_DH_anon_WITH_RC4_128_MD5
- ssl.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- ssl.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- ssl.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- ssl.TLS_FALLBACK_SCSV
- ssl.TLS_NULL_WITH_NULL_NULL
- ssl.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
- ssl.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- ssl.TLS_RSA_EXPORT_WITH_RC4_40_MD5
- ssl.TLS_RSA_WITH_3DES_EDE_CBC_SHA
- ssl.TLS_RSA_WITH_AES_128_CBC_SHA256
- ssl.TLS_RSA_WITH_AES_128_GCM_SHA256
- ssl.TLS_RSA_WITH_AES_256_CBC_SHA256
- ssl.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- ssl.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- ssl.TLS_RSA_WITH_DES_CBC_SHA
- ssl.TLS_RSA_WITH_IDEA_CBC_SHA
- ssl.TLS_RSA_WITH_NULL_MD5
- ssl.TLS_RSA_WITH_NULL_SHA
- ssl.TLS_RSA_WITH_NULL_SHA256
- ssl.TLS_RSA_WITH_RC4_128_MD5
- ssl.TLS_RSA_WITH_RC4_128_SHA
- ssl.TLS_RSA_WITH_SEED_CBC_SHA
- ssl.SSL_VARIANT_DATAGRAM
- ssl.SSL_VARIANT_STREAM
- ssl.SSL_LIBRARY_VERSION_2
- ssl.SSL_LIBRARY_VERSION_3_0
- ssl.SSL_LIBRARY_VERSION_TLS_1_0
- ssl.SSL_LIBRARY_VERSION_TLS_1_1
- ssl.SSL_LIBRARY_VERSION_TLS_1_2
- ssl.SSL_LIBRARY_VERSION_TLS_1_3
- ssl.ssl2
- ssl.ssl3
- ssl.tls1.0
- ssl.tls1.1
- ssl.tls1.2
- ssl.tls1.3
* The following methods were missing thread locks; this has been fixed.
- nss.nss_initialize
- nss.nss_init_context
- nss.nss_shutdown_context
-
Mon Jun 16 2014 John Dennis <jdennis@redhat.com> - 0.15.0-1
- resolves: bug#1109769 rebase to 0.15.0
- includes fixes for 1087031 and 1060314
See doc/Changelog for details
-
Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.14.0-5
- Mass rebuild 2014-01-24
-
Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.14.0-4
- Mass rebuild 2013-12-27
-
Fri Oct 18 2013 John Dennis <jdennis@redhat.com> - 0.14.0-3
- resolves: bug#1003979
- In coordination with QE with regards to bz 1019934 it was requested
the unittest patches be enhanced with a more robust version of
test_pkcs12, no actual bug, just better testing.
-
Tue Oct 08 2013 John Dennis <jdennis@redhat.com> - 0.14.0-2
- resolves: bug#1002589
- resolves: bug#1003979
- Rewrite setup_certs.py. No longer behaves like an expect script
which was fragile. By default now creates a sql style database.
- By default all examples & tests use new sql format for NSS database
- db-name is now used instead of dbdir to provide distinction between
the database directory and its scheme (e.g. 'sql:')
- all examples and tests now default db-name to 'sql:pki'
- replaced legacy getopt & optparse command line argument handling
with modern argparse.
-
Mon May 13 2013 John Dennis <jdennis@redhat.com> - 0.14-1
External Changes:
-----------------
The primary enhancements in this version are support for certificate
validation, OCSP support, and support for the certificate "Authority
Information Access" extension.
Enhanced certificate validation including CA certs can be done via
Certificate.verify() or Certificate.is_ca_cert(). When cert
validation fails you can now obtain diagnostic information as to why
the cert failed to validate. This is encapsulated in the
CertVerifyLog class which is an iterable collection of
CertVerifyLogNode objects. Most people will probably just print the
string representation of the returned CertVerifyLog object. Cert
validation logging is handled by the Certificate.verify() method.
Support has also been added for the various key usage and cert type
entities which feature prominently during cert validation.
* Certificate() constructor signature changed from
Certificate(data=None, der_is_signed=True)
to
Certificate(data, certdb=cert_get_default_certdb(), perm=False, nickname=None)
This change was necessary because all certs should be added to the
NSS temporary database when they are loaded, but earlier code
failed to do that. It is not likely that any previous code was
failing to pass initialization data or the der_is_signed flag so
this change should be backwards compatible.
* Fix bug #922247, PKCS12Decoder.database_import() method. Importing into
a NSS database would sometimes fail or segfault.
* Error codes and descriptions were updated from upstream NSPR & NSS.
* The password callback did not allow for breaking out of a password
prompting loop, now if None is returned from the password callback
the password prompting is terminated.
* nss.nss_shutdown_context is now called from the InitContext destructor,
this assures the context is shut down even if the programmer forgot
to. It's still best to explicitly shut it down, this is just a
failsafe.
* Support was added for shutdown callbacks.
* The following classes were added:
- nss.CertVerifyLogNode
- nss.CertVerifyLog
- error.CertVerifyError (exception)
- nss.AuthorityInfoAccess
- nss.AuthorityInfoAccesses
* The following class methods were added:
- nss.Certificate.is_ca_cert
- nss.Certificate.verify
- nss.Certificate.verify_with_log
- nss.Certificate.get_cert_chain
- nss.Certificate.check_ocsp_status
- nss.PK11Slot.list_certs
- nss.CertVerifyLogNode.format_lines
- nss.CertVerifyLog.format_lines
- nss.CRLDistributionPts.format_lines
* The following class properties were added:
- nss.CertVerifyLogNode.certificate
- nss.CertVerifyLogNode.error
- nss.CertVerifyLogNode.depth
- nss.CertVerifyLog.count
* The following module functions were added:
- nss.x509_cert_type
- nss.key_usage_flags
- nss.list_certs
- nss.find_certs_from_email_addr
- nss.find_certs_from_nickname
- nss.nss_get_version
- nss.nss_version_check
- nss.set_shutdown_callback
- nss.get_use_pkix_for_validation
- nss.set_use_pkix_for_validation
- nss.enable_ocsp_checking
- nss.disable_ocsp_checking
- nss.set_ocsp_cache_settings
- nss.set_ocsp_failure_mode
- nss.set_ocsp_timeout
- nss.clear_ocsp_cache
- nss.set_ocsp_default_responder
- nss.enable_ocsp_default_responder
- nss.disable_ocsp_default_responder
* The following files were added:
src/py_traceback.h
doc/examples/verify_cert.py
test/test_misc.py
* The following constants were added:
- nss.KU_DIGITAL_SIGNATURE
- nss.KU_NON_REPUDIATION
- nss.KU_KEY_ENCIPHERMENT
- nss.KU_DATA_ENCIPHERMENT
- nss.KU_KEY_AGREEMENT
- nss.KU_KEY_CERT_SIGN
- nss.KU_CRL_SIGN
- nss.KU_ENCIPHER_ONLY
- nss.KU_ALL
- nss.KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION
- nss.KU_KEY_AGREEMENT_OR_ENCIPHERMENT
- nss.KU_NS_GOVT_APPROVED
- nss.PK11CertListUnique
- nss.PK11CertListUser
- nss.PK11CertListRootUnique
- nss.PK11CertListCA
- nss.PK11CertListCAUnique
- nss.PK11CertListUserUnique
- nss.PK11CertListAll
- nss.certUsageSSLClient
- nss.certUsageSSLServer
- nss.certUsageSSLServerWithStepUp
- nss.certUsageSSLCA
- nss.certUsageEmailSigner
- nss.certUsageEmailRecipient
- nss.certUsageObjectSigner
- nss.certUsageUserCertImport
- nss.certUsageVerifyCA
- nss.certUsageProtectedObjectSigner
- nss.certUsageStatusResponder
- nss.certUsageAnyCA
- nss.ocspMode_FailureIsVerificationFailure
- nss.ocspMode_FailureIsNotAVerificationFailure
* cert_dump.py extended to print NS_CERT_TYPE_EXTENSION
* cert_usage_flags, nss_init_flags now support optional repr_kind parameter
Internal Changes:
-----------------
* Reimplement exception handling
- NSPRError is now derived from StandardException instead of
EnvironmentError. It was never correct to derive from
EnvironmentError but it was difficult to implement a new subclassed
exception with its own attributes, using EnvironmentError had
been expedient.
- NSPRError now derived from StandardException, provides:
* errno (numeric error code)
* strerror (error description associated with error code)
* error_message (optional detailed message)
* error_code (alias for errno)
* error_desc (alias for strerror)
- CertVerifyError derived from NSPRError, extends with:
* usages (bitmask of returned usages)
* log (CertVerifyLog object)
* Expose error lookup to sibling modules
* Use macros for bitmask_to_list functions to reduce code
duplication and centralize logic.
* Add repr_kind parameter to cert_trust_flags_str()
* Add support for repr_kind AsEnumName to bitstring table lookup.
* Add cert_type_bitstr_to_tuple() lookup function
* Add PRTimeConvert(), used to convert Python time values
to PRTime, centralizes conversion logic, reduces duplication
* Add UTF8OrNoneConvert to better handle unicode parameters which
are optional.
* Add Certificate_summary_format_lines() utility to generate
concise certificate identification info for output.
* Certificate_new_from_CERTCertificate now takes add_reference parameter
to properly reference count certs, should fix shutdown busy problems.
* Add print_traceback(), print_cert() debugging support.
-
Mon Feb 18 2013 John Dennis <jdennis@redhat.com> - 0.13-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild