
nss: fix non-determinism when create a blank certificate

It uses certutil from nss to create a blank certificate. But the
checksum of database file key4.db changes every time:

$ certutil -N -d sql:. --empty-password
$ md5sum *
f9dac2cfcb07cc8ca6db442a9a570906  cert9.db
b892c5ff7c1977d4728240b0cf628377  key4.db
7b9136cb03f07ae62eb213a5239fda71  pkcs11.txt
$ rm *

$ certutil -N -d sql:. --empty-password
$ md5sum *
f9dac2cfcb07cc8ca6db442a9a570906  cert9.db
405d55178e866a115c1aa975fccfa764  key4.db
7b9136cb03f07ae62eb213a5239fda71  pkcs11.txt

Provide pre-created databases with a blank certificate to fix the
non-determinism issue. These database files are taken from an nss
qemux86-64 build.

(From OE-Core rev: e64a30f7af87fa960b012ace92c51b88e8abae68)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Kai Kang
2018-10-12 10:08:44 +08:00
committed by Richard Purdie
parent 48df61b171
commit 9e958c9023
4 changed files with 18 additions and 8 deletions
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,5 @@
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
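Review bot: The shipped module configuration hardcodes `configdir='sql:/etc/pki/nssdb'` in its parameters line, while the recipe hunk in do_install_append_class-target installs the databases under `${D}${sysconfdir}/pki/nssdb/` and no longer runs any substitution on pkcs11.txt after the install. The two only agree while sysconfdir is /etc; a distro that overrides sysconfdir ships an NSS module config whose configdir points at a directory that does not exist. Re-tying the file to the install location with one line after the install, `sed -i "s:/etc/pki/nssdb:${sysconfdir}/pki/nssdb:g" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt`, keeps the pre-created file and the recipe's path in step. This section's file header is not visible, so the file is presumed to be system-pkcs11.txt from the SRC_URI entry in the recipe hunk.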
+13 -8
@@ -25,6 +25,9 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://nss-fix-nsinstall-build.patch \
file://disable-Wvarargs-with-clang.patch \
file://pqg.c-ULL_addend.patch \
file://blank-cert9.db \
file://blank-key4.db \
file://system-pkcs11.txt \
"
SRC_URI[md5sum] = "ac9065460a7634ba8eb0f942f404e773"
@@ -212,14 +215,16 @@ do_install_append() {
}
do_install_append_class-target() {
# Create a blank certificate
mkdir -p ${D}${sysconfdir}/pki/nssdb/
touch ./empty_password
certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
rm ./empty_password
# Remove build path prefix
sed -i "s:${D}::g" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
# It used to call certutil to create a blank certificate with empty password at
# build time, but the checksum of key4.db changes every time when certutil is called.
# It causes non-determinism issue, so provide databases with a blank certificate
# which are originally from output of nss in qemux86-64 build. You can get these
# databases by:
# certutil -N -d sql:/database/path/ --empty-password
install -d ${D}${sysconfdir}/pki/nssdb/
install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
}
PACKAGE_WRITE_DEPS += "nss-native"
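Review bot: The new comment block in do_install_append_class-target explains why the pre-created databases replace the certutil call and how to regenerate them, but it does not record which NSS version produced them; cert9.db and key4.db are NSS-version-specific SQLite stores, so a later NSS upgrade can leave stale blank databases in ${sysconfdir}/pki/nssdb with nothing in the recipe flagging it. Suggest extending the comment with a line such as `# Generated with nss <nss-version> on qemux86-64; regenerate if an NSS upgrade changes the database schema.`, with the real version filled in. The run-to-run variation the commit removes presumably comes from per-database random material in key4.db (the cert9.db and pkcs11.txt hashes in the description are stable), so every image now ships a byte-identical key4.db; with an empty password this is likely harmless, but stating that trade-off in the comment makes it visible to the next maintainer. The function is shown complete in the hunk, so the observation covers the whole of do_install_append_class-target.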