smimepolicy.txt - mozsearch

# This Source Code Form is subject to the terms of the Mozilla Public

# License: v. 2.0. If a copy of the MPL was not distributed with this

# file: You can obtain one at http://mozilla.org/MPL/2.0/.

# This file enables policy testing

# The policy string is set to the config= line in the pkcs11.txt

# it currently has 2 keywords:

# disallow= turn off the use of this algorithm by policy. (implies disable)

# allow= allow this algorithm to by used if selected by policy.

# disable= turn off the use of this algorithm even if allowed by policy

#          (application can override)

# enable= turn off this algorithm by default (implies allow)

# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy:

#  NSS_SetOption: or SSL_SetCipherPolicy

#        ssl-lock: can't change the cipher suite settings with the application.

# The syntax is disallow=algorithm{/uses}:algorithm{/uses}

# where {} signifies an optional element

# Signatures:

#	DSA

#	RSA-PKCS

#	RSA-PSS

#       ECDSA

# Hashes:

#	MD2

#	MD4

#	MD5

#	SHA1

#	SHA224

#	SHA256

#	SHA384

#	SHA512

#	SHA3_224

#	SHA3_256

#	SHA3_384

#	SHA3_512

# Ciphers:

#	AES128-CBC

#	AES192-CBC

#	AES256-CBC

#	CAMELLIA128-CBC

#	CAMELLIA192-CBC

#	CAMELLIA256-CBC

#	SEED-CBC

#	DES-EDE3-CBC

#	RC2-40-CBC

#	RC2-64-CBC

#	RC2-128-CBC

# Key exchange

#	RSA-PKCS

#	RSA-OAEP

#	DH

#	ECDH

# Include all of the above:

#       ALL

#-----------------------------------------------

# Uses are:

#    smime

#    smime-legacy

#    smime-key-exchange

#    key-exchange (includes smime-key-exchange)

#    cert-signature

#    smime-signature  (=cms-signature)

#    all-signature (includes cert-signature)

#    signature (all signatures off: some signature allowed based on other option)

#    all (includes all of the above)

# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.

# Sign Vfy Enc Dec hash rec_email rec_name rec_policy snd_name snd_policy alg Test Name

  0 0 0 0 SHA256 dave@example.com Dave enable=hmac-sha1 Alice enable=hmac-sha1 AES-256-CBC  Use default policy and enable

  0 0 0 0 SHA512 bob@example.com Bob enable=aes256-cbc Alice enable=aes256-cbc AES-256-CBC Only enable aes-256

  0 0 0 0 SHA512 bob@example.com Bob enable=camellia256-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Only enable camellia

  0 0 1 x SHA1 bob@example.com Bob allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob allows all: enables default, alice allows and enables camellia

  0 0 0 1 SHA384 bob@example.com Bob enable=camellia256-cbc Alice allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc RC2-CBC Alice allows all: enables default, bob allows and enables camellia

  0 0 1 x SHA384 bob@example.com Bob enable=aes256-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob Only enables aes Alice Only enables camellia

  0 0 0 0 SHA384 bob@example.com Bob enable=camellia256-cbc Alice enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc CAMELLIA-256-CBC Alice enable all explicit, bob allows and enables camellia

  0 0 0 0 SHA1 bob@example.com Bob enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Bob enables all explicit, alice allows and enables camellia

  0 0 0 1 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange Alice enable=hmac-sha1 AES-256-CBC  turn off RSA key exchange (decrypt)

  1 x x x SHA-1 dave@example.com Dave disallow=sha1/smime-signature Alice enable=hmac-sha1 NONE-FAILURE turn off sha-1 for S/MIME (generate sig)

  0 1 x x SHA-1 dave@example.com Dave enable=hmac-sha1 Alice disallow=sha1/smime-signature  NONE-FAILURE turn off sha-1 for S/MIME (verify sig)

  0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange NONE-FAILURE turn off RSA key exchange (encrypt)

  0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange_allow=rsa-pkcs/smime-key-echange_legacy NONE_FAILURE turn off RSA key exchange for encrypt only (try to encrypt)

  0 0 0 0 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange-encrypt Alice enable=hmac-sha1 AES-256-CBC  turn off RSA key exchange for encrypt only (try to decrypt)

  1 x x x SHA256 dave@example.com Dave allow=rsa-min=3000 Alice allow=all NONE-FAILED  Enforce all key size policy on Sender

  0 1 x x SHA256 dave@example.com Dave allow=all Alice allow=rsa-min=3000 NONE-FAILED  Enforce all key size policy on Recipient

  0 0 1 x SHA256 dave@example.com Dave allow=all Alice allow=key-size-flags=key-size-smime:rsa-min=3000 NONE-FAILED  Enforce KEA key size policy on Recipient

  0 0 0 1 SHA256 dave@example.com Dave allow=key-size-flags=key-size-smime:rsa-min=3000 Alice allow=all AES-256-CBC  Enforce KEA key size policy on Sender

Source code

Revision control

Copy as Markdown

Other Tools