91 lines
5 KiB
Text
91 lines
5 KiB
Text
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License: v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file: You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
#
|
|
# This file enables policy testing
|
|
#
|
|
# The policy string is set to the config= line in the pkcs11.txt
|
|
# it currently has 2 keywords:
|
|
#
|
|
# disallow= turn off the use of this algorithm by policy. (implies disable)
|
|
# allow= allow this algorithm to by used if selected by policy.
|
|
# disable= turn off the use of this algorithm even if allowed by policy
|
|
# (application can override)
|
|
# enable= turn off this algorithm by default (implies allow)
|
|
# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy:
|
|
# NSS_SetOption: or SSL_SetCipherPolicy
|
|
# ssl-lock: can't change the cipher suite settings with the application.
|
|
#
|
|
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
|
|
# where {} signifies an optional element
|
|
#
|
|
# Signatures:
|
|
# DSA
|
|
# RSA-PKCS
|
|
# RSA-PSS
|
|
# ECDSA
|
|
# Hashes:
|
|
# MD2
|
|
# MD4
|
|
# MD5
|
|
# SHA1
|
|
# SHA224
|
|
# SHA256
|
|
# SHA384
|
|
# SHA512
|
|
# SHA3_224
|
|
# SHA3_256
|
|
# SHA3_384
|
|
# SHA3_512
|
|
# Ciphers:
|
|
# AES128-CBC
|
|
# AES192-CBC
|
|
# AES256-CBC
|
|
# CAMELLIA128-CBC
|
|
# CAMELLIA192-CBC
|
|
# CAMELLIA256-CBC
|
|
# SEED-CBC
|
|
# DES-EDE3-CBC
|
|
# RC2-40-CBC
|
|
# RC2-64-CBC
|
|
# RC2-128-CBC
|
|
# Key exchange
|
|
# RSA-PKCS
|
|
# RSA-OAEP
|
|
# DH
|
|
# ECDH
|
|
# Include all of the above:
|
|
# ALL
|
|
#-----------------------------------------------
|
|
# Uses are:
|
|
# smime
|
|
# smime-legacy
|
|
# smime-key-exchange
|
|
# key-exchange (includes smime-key-exchange)
|
|
# cert-signature
|
|
# smime-signature (=cms-signature)
|
|
# all-signature (includes cert-signature)
|
|
# signature (all signatures off: some signature allowed based on other option)
|
|
# all (includes all of the above)
|
|
#
|
|
# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
|
|
#
|
|
# Sign Vfy Enc Dec hash rec_email rec_name rec_policy snd_name snd_policy alg Test Name
|
|
0 0 0 0 SHA256 dave@example.com Dave enable=hmac-sha1 Alice enable=hmac-sha1 AES-256-CBC Use default policy and enable
|
|
0 0 0 0 SHA512 bob@example.com Bob enable=aes256-cbc Alice enable=aes256-cbc AES-256-CBC Only enable aes-256
|
|
0 0 0 0 SHA512 bob@example.com Bob enable=camellia256-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Only enable camellia
|
|
0 0 1 x SHA1 bob@example.com Bob allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob allows all: enables default, alice allows and enables camellia
|
|
0 0 0 1 SHA384 bob@example.com Bob enable=camellia256-cbc Alice allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc RC2-CBC Alice allows all: enables default, bob allows and enables camellia
|
|
0 0 1 x SHA384 bob@example.com Bob enable=aes256-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob Only enables aes Alice Only enables camellia
|
|
0 0 0 0 SHA384 bob@example.com Bob enable=camellia256-cbc Alice enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc CAMELLIA-256-CBC Alice enable all explicit, bob allows and enables camellia
|
|
0 0 0 0 SHA1 bob@example.com Bob enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Bob enables all explicit, alice allows and enables camellia
|
|
0 0 0 1 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange Alice enable=hmac-sha1 AES-256-CBC turn off RSA key exchange (decrypt)
|
|
1 x x x SHA-1 dave@example.com Dave disallow=sha1/smime-signature Alice enable=hmac-sha1 NONE-FAILURE turn off sha-1 for S/MIME (generate sig)
|
|
0 1 x x SHA-1 dave@example.com Dave enable=hmac-sha1 Alice disallow=sha1/smime-signature NONE-FAILURE turn off sha-1 for S/MIME (verify sig)
|
|
0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange NONE-FAILURE turn off RSA key exchange (encrypt)
|
|
0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange_allow=rsa-pkcs/smime-key-echange_legacy NONE_FAILURE turn off RSA key exchange for encrypt only (try to encrypt)
|
|
0 0 0 0 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange-encrypt Alice enable=hmac-sha1 AES-256-CBC turn off RSA key exchange for encrypt only (try to decrypt)
|
|
1 x x x SHA256 dave@example.com Dave allow=rsa-min=3000 Alice allow=all NONE-FAILED Enforce all key size policy on Sender
|
|
0 1 x x SHA256 dave@example.com Dave allow=all Alice allow=rsa-min=3000 NONE-FAILED Enforce all key size policy on Recipient
|
|
0 0 1 x SHA256 dave@example.com Dave allow=all Alice allow=key-size-flags=key-size-smime:rsa-min=3000 NONE-FAILED Enforce KEA key size policy on Recipient
|
|
0 0 0 1 SHA256 dave@example.com Dave allow=key-size-flags=key-size-smime:rsa-min=3000 Alice allow=all AES-256-CBC Enforce KEA key size policy on Sender
|