From e64a30f7af87fa960b012ace92c51b88e8abae68 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Fri, 12 Oct 2018 10:08:44 +0800 Subject: [PATCH] nss: fix non-determinism when create a blank certificate It uses certutil from nss to create a blank certificate. But the checksum of database file key4.db changes every time: $ certutil -N -d sql:. --empty-password $ md5sum * f9dac2cfcb07cc8ca6db442a9a570906 cert9.db b892c5ff7c1977d4728240b0cf628377 key4.db 7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt $ rm * $ certutil -N -d sql:. --empty-password $ md5sum * f9dac2cfcb07cc8ca6db442a9a570906 cert9.db 405d55178e866a115c1aa975fccfa764 key4.db 7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt Provide pre-created databases with a blank certificate to fix non-determinism issue. And these database files are from nss qemux86-64 build. Signed-off-by: Kai Kang Signed-off-by: Richard Purdie --- meta/recipes-support/nss/nss/blank-cert9.db | Bin 0 -> 28672 bytes meta/recipes-support/nss/nss/blank-key4.db | Bin 0 -> 36864 bytes .../recipes-support/nss/nss/system-pkcs11.txt | 5 +++++ meta/recipes-support/nss/nss_3.38.bb | 21 +++++++++++------- 4 files changed, 18 insertions(+), 8 deletions(-) create mode 100644 meta/recipes-support/nss/nss/blank-cert9.db create mode 100644 meta/recipes-support/nss/nss/blank-key4.db create mode 100644 meta/recipes-support/nss/nss/system-pkcs11.txt 
diff --git a/meta/recipes-support/nss/nss/blank-cert9.db b/meta/recipes-support/nss/nss/blank-cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..7d4bcf2582d510f7b51d4306706746178c41fbbc GIT binary patch literal 28672 zc-rmPzi-n(6bEp-KU`?3+ATs1xsgZ+*=PIWEGTJeq==BVA(iNWDm!tdKxjpiNQ`W3 z?EFFSH!&f6-)nts8JJ)|-;d;{XWzZ&S2s=NS4aKnq7Y{nm+!NM2%TNWb)B{lj^nuH zvEf+j<*|0-+;#rUb)Jf^+dDrTZ}X?~;Qr3Ht?yf(w%X+h5fKp)(LdMryjrd9o=ndt z#mDixY&tog&kvXRY&zcP4%5yk6}`cJ`dVO391KLYE*@urFB{L+(cu^!W?5d$svX{~ z4p_U}A#Cigd9_D%_YLaj%lvIIUQ|2QZ*{m@{e6m{(OLCs53hfY>3qH{E~_nTx0;y6 zyFHSi@ww%0)arHjOJ|Ygv!Yt9l9j7Iqt0GGy;)s8n8RW3WoLLIUZf}Dc+fjKPW2tS z2ZQJRUUwuqdk4eO6OsAl5tN54k5K2hpsxh_Qld{2eVX7@Z%HB@VjYwYO&t;)S~_Gp z2S%%@ticF5)l>RK|N7-?d9j8oNHqC6B+jMNxiA@Weo>eJ6 z2qw+#IJq8Y5@-G-#}iL{u+LZFb1PeoV8yGYb=NUpA|Gbu8~tgvTwLJ%wE9y$4XSjt z{PMe}zX7*(*yVo$A|fIpA|j&y*(TrriHL}Zh=_>z{!c_iL_|bHM121zA|fIpA|fKb Z{}T}r5fKp)5#Rrbh=_=Yh=}N~`vvXfQ_}zd literal 0 Hc-jL100001 
diff --git a/meta/recipes-support/nss/nss/blank-key4.db b/meta/recipes-support/nss/nss/blank-key4.db new file mode 100644 index 0000000000000000000000000000000000000000..d47f08d04fe82197bc6a39ef9bf216b61c3dc77a GIT binary patch literal 36864 zc-rmU&uT+Ey zS7+wyVsKPUcG_a8G51-uaZY?%KPS#C%$+_{7mEv`wzx1mKUZ58jr!7jwN^hO;@?+S z%E^;c`Y2=NYX#HjTx~~R^{#c}qfNEmU#0!#pnkJF$VO)@E1xf#=V?Ogit4nl_IgWe zo$IO}jcheHw{Wulg`h#*0#6W=s%$%@6T?*FEY;|$FzWIYYex+le5Hn4noV2zgGIBM zw7ni)j#_=5GQ6Y4*6?dODVJ(PR{p@?tLgN5>(Ls|N$)6=jJ{GOD3@*?H%IctqItVU zmyCxwOYOL9+Y7w?!c}J$8_P$8vg0kjZpw)_SLbv>mYTQ z)*;ZLqJz>Qj6;P=*-4~|wnH&_9gm_ z>`-NgDmzr!p~^0;a%q)It6W;;(ke-#l13$sN*a~PDAklybDCxbNu)DKU#Vj!xnAo~ zx1JqysO7Dc&Na<;X|_wVJv*75OiYfr6g`SQMg7_yy{bpA>d|%aX{}FdeLFd#*R~?x z^<2Nqsl(~E2_C0Dr;^iYPJ@@JYdSB)22E9m(xTZbx!ElG};X z3a5(Gkkb~YZB8RjFT70YjgX`vw-f4i+P<>eA)WESCVYM+y>FdL$xT`LQ^hxZ1oHQ4 zv&{KW{6U@3pVnhKOyH*$00000006*lmc{))000000002){{a91000000Qdg@00000 z004mde*gdg00000!2Le}00000006vm`v3o%<3Ael0{{R300000-jAj^T<|tBU#ed3 z#_C%8@7Y_wJ^%ivrDtFN_u`ZL$9{ddap;bH+@7>@hc`dod^%?C88(OP1L^(k!{=jC7iz4zBY51#*V^XHUlrYEKzZ(h3i$gh6z@P}{rjZJ-%rThOUM*IK(00000 P0DxU2H&hrM{6*n^tfILF literal 0 Hc-jL100001 diff --git a/meta/recipes-support/nss/nss/system-pkcs11.txt b/meta/recipes-support/nss/nss/system-pkcs11.txt new file mode 100644 index 00000000000..1a264e9cc4a --- /dev/null +++ b/meta/recipes-support/nss/nss/system-pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/meta/recipes-support/nss/nss_3.38.bb b/meta/recipes-support/nss/nss_3.38.bb index 904b621a073..e0ee2091060 100644 --- a/meta/recipes-support/nss/nss_3.38.bb 
+++ b/meta/recipes-support/nss/nss_3.38.bb
@@ -25,6 +25,9 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
            file://nss-fix-nsinstall-build.patch \
            file://disable-Wvarargs-with-clang.patch \
            file://pqg.c-ULL_addend.patch \
+           file://blank-cert9.db \
+           file://blank-key4.db \
+           file://system-pkcs11.txt \
            "
 
 SRC_URI[md5sum] = "ac9065460a7634ba8eb0f942f404e773"
@@ -212,14 +215,16 @@ do_install_append() {
 }
 
 do_install_append_class-target() {
-    # Create a blank certificate
-    mkdir -p ${D}${sysconfdir}/pki/nssdb/
-    touch ./empty_password
-    certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
-    chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
-    rm ./empty_password
-    # Remove build path prefix
-    sed -i "s:${D}::g" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
+    # It used to call certutil to create a blank certificate with empty password at
+    # build time, but the checksum of key4.db changes every time when certutil is called.
+    # It causes non-determinism issue, so provide databases with a blank certificate
+    # which are originally from output of nss in qemux86-64 build. You can get these
+    # databases by:
+    # certutil -N -d sql:/database/path/ --empty-password
+    install -d ${D}${sysconfdir}/pki/nssdb/
+    install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
+    install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
+    install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
 }
 
 PACKAGE_WRITE_DEPS += "nss-native"
-- 
2.47.2
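Review bot: The new system-pkcs11.txt (added in the earlier hunk) hardcodes `configdir='sql:/etc/pki/nssdb'`, while the do_install_append_class-target hunk installs the database under `${D}${sysconfdir}/pki/nssdb/`, so the two disagree whenever sysconfdir is not /etc; the removed `sed -i "s:${D}::g"` line used to derive that path from the real install location. Rewriting it after the install keeps them in step: `sed -i "s:/etc/pki/nssdb:${sysconfdir}/pki/nssdb:" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt`. The two .db files cannot be reviewed as text, so the comment block would benefit from recording which nss version produced them (the recipe is 3.38) so they can be regenerated with the quoted certutil command if the on-disk format changes. Shipping one fixed key4.db to every image also means whatever certutil randomizes per run (the commit message shows key4.db differing between two runs) is now identical across all installs; with an empty password that is presumably harmless, but it deserves a sentence in the comment so a later maintainer does not assume the database is freshly generated per system.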