Red Hat Bugzilla – Attachment 636948 Details for
Bug 870864
Add support in NSS for Secure Boot
[patch]
Patch1 V2 - secure boot support in nss tools only
0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch (text/plain), 8.43 KB, created by
Elio Maldonado Batiz
on 2012-11-02 05:15:57 UTC
Description:
Patch1 V2 - secure boot support in nss tools only
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2012-11-02 05:15:57 UTC
Size:
8.43 KB
patch
obsolete
>diff -up ./mozilla/security/nss/cmd/certcgi/ca_form.html.secureboot ./mozilla/security/nss/cmd/certcgi/ca_form.html
>--- ./mozilla/security/nss/cmd/certcgi/ca_form.html.secureboot 2012-03-20 10:46:53.000000000 -0400
>+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html 2012-10-30 12:46:22.479548810 -0400
>@@ -167,6 +167,7 @@
> <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
> <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
> <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
> </tr>
> <tr>
> <td>
>diff -up ./mozilla/security/nss/cmd/certcgi/certcgi.c.secureboot ./mozilla/security/nss/cmd/certcgi/certcgi.c
>--- ./mozilla/security/nss/cmd/certcgi/certcgi.c.secureboot 2012-04-29 08:52:04.000000000 -0400
>+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c 2012-10-30 12:46:22.482548818 -0400
>@@ -33,6 +33,17 @@
> 
> static char *progName;
> 
>+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
>+
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+/* { 1.3.6.1.4.1.311 } */
>+static const unsigned char msExtendedKeyUsageCodeSigning[] =
>+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
>+static const SECOidData microsoftAuthenticodeSigning_Entry =
>+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
>+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
>+ INVALID_CERT_EXTENSION };
>+
> typedef struct PairStr Pair;
> 
> struct PairStr {
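Review bot: `_TO_ITEM` starts with an underscore followed by an uppercase letter, a name reserved for the implementation in C, and this macro, the `msExtendedKeyUsageCodeSigning` byte array, the `SECOidData` entry and the `extern` for `szOID_KP_CTL_USAGE_SIGNING` are repeated verbatim in the certutil.c and moreoids.c hunks of this patch. Since secutil.h is already touched to export `cert_fetchOID`, the tag's `extern` belongs there next to that prototype, and the byte array and entry need exist only once, in moreoids.c. The comment `/* { 1.3.6.1.4.1.311 } */` names only the Microsoft arc, while the bytes below it decode to 1.3.6.1.4.1.311.10.3.1 (0x82 0x37 is 311, then 10, 3, 1), so it should read `/* 1.3.6.1.4.1.311.10.3.1 */`. The description string says "Microsoft Authenticode Signing" whereas the symbol name says CTL usage signing; it is worth confirming which EKU the Secure Boot tooling actually needs before the label is fixed.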
>@@ -819,6 +830,16 @@ AddExtKeyUsage(void *extHandle, Pair *da
> if( SECSuccess != rv ) goto loser;
> }
> 
>+ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
>+ /* Consider letting the sectools library do it for us, but not now.
>+ SECUTIL_registerDynamicOids();
>+ */
>+ cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
>+ µsoftAuthenticodeSigning_Entry);
>+ rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+ if( SECSuccess != rv ) goto loser;
>+ }
>+
> if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
> rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
> if( SECSuccess != rv ) goto loser;
>diff -up ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.secureboot ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.secureboot 2012-03-20 10:46:53.000000000 -0400
>+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 2012-10-30 12:46:22.482548818 -0400
>@@ -34,6 +34,7 @@
> <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
> <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
> <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
> </tr>
> <tr>
> <td>
>diff -up ./mozilla/security/nss/cmd/certutil/certext.c.secureboot ./mozilla/security/nss/cmd/certutil/certext.c
>--- ./mozilla/security/nss/cmd/certutil/certext.c.secureboot 2012-03-20 10:46:54.000000000 -0400
>+++ ./mozilla/security/nss/cmd/certutil/certext.c 2012-10-30 12:46:22.484548823 -0400
>@@ -18,6 +18,9 @@
> #endif
> 
> #include "secutil.h"
>+/* #include "secoidt.h" */ /* For when we update nss */
>+
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
> 
> #if defined(XP_UNIX)
> #include <unistd.h>
>@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
> "timeStamp",
> "ocspResponder",
> "stepUp",
>+ "msCodeSigning",
> NULL};
> 
> static SECStatus
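Review bot: `cert_fetchOID` can leave `szOID_KP_CTL_USAGE_SIGNING` at `SEC_OID_UNKNOWN` when registration fails (the moreoids.c hunk only stores whatever `SECOID_AddEntry` returns, and NSS reports failure there with `SEC_OID_UNKNOWN`), yet the next line hands that tag to `AddOidToSequence` unchecked. Insert `if (szOID_KP_CTL_USAGE_SIGNING == SEC_OID_UNKNOWN) goto loser;` between the fetch and the `AddOidToSequence` call; the same gap exists in the certutil.c `case 7:` branch and in the `certutil_main` hunk, where the fetch result is never inspected either. The argument spelled `µsoftAuthenticodeSigning_Entry` here and in the later hunks looks like `&microsoftAuthenticodeSigning_Entry` mangled through an HTML entity in this rendering rather than what the file holds, so reviewers reading the raw attachment should confirm. AddExtKeyUsage begins and ends outside this hunk.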
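Review bot: The keyword added to `extKeyUsageKeyWordArray` is `"msCodeSigning"`, but the usage text added in the certutil.c `luC` hunk advertises `"msCodeSign"` and the certcgi form field is `extKeyUsage-msCodeSign`, so a user who follows the help text will presumably have the keyword rejected by whatever matches against this array. Pick one spelling and use it everywhere, e.g. change this line to `"msCodeSign",` to agree with the help and the CGI naming. The `case 7:` added to AddExtKeyUsage in the next hunk depends on this entry staying at index 7 of the array, which deserves a comment at the array since its header is outside the hunk.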
>@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
> case 6:
> rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
> break;
>+ case 7:
>+ rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+ break;
> default:
> goto endloop;
> }
>diff -up ./mozilla/security/nss/cmd/certutil/certutil.c.secureboot ./mozilla/security/nss/cmd/certutil/certutil.c
>--- ./mozilla/security/nss/cmd/certutil/certutil.c.secureboot 2012-03-20 10:46:54.000000000 -0400
>+++ ./mozilla/security/nss/cmd/certutil/certutil.c 2012-10-30 12:52:24.776282144 -0400
>@@ -46,6 +46,18 @@
> 
> char *progName;
> 
>+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
>+
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+
>+/* { 1.3.6.1.4.1.311 } */
>+static const unsigned char msExtendedKeyUsageCodeSigning[] =
>+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
>+static const SECOidData microsoftAuthenticodeSigning_Entry =
>+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
>+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
>+ INVALID_CERT_EXTENSION };
>+
> static CERTCertificateRequest *
> GetCertRequest(PRFileDesc *inFile, PRBool ascii)
> {
>@@ -1145,6 +1157,7 @@ static void luC(enum usage_level ul, con
> "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
> "%-20s \"stepUp\", \"critical\"\n",
> " -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
>+ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
> FPS "%-20s Create an email subject alt name extension\n",
> " -7 emailAddrs");
> FPS "%-20s Create an dns subject alt name extension\n",
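Review bot: The new help line `"%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",` is inserted after the `"");` that terminates the previous FPS statement, so it becomes a stray string literal joined by the comma operator to the following `FPS` call — it compiles (with a no-effect warning) but is never printed, while the old `\"stepUp\", \"critical\"` line still is. It should replace the existing line inside the statement instead: drop the added line and change `"%-20s \"stepUp\", \"critical\"\n",` to `"%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",`. Whichever keyword spelling wins (`msCodeSign` here versus `msCodeSigning` in the certext.c array) must be used in this string. The FPS statement being edited starts outside this hunk.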
>@@ -2636,6 +2649,13 @@ certutil_main(int argc, char **argv, PRB
> goto shutdown;
> }
> initialized = PR_TRUE;
>+ /* We should consider letting the sectools library do it for us
>+ * by having SECU_RegisterDynamicOids call to cert_fetchOID
>+ * but not now.
>+ */
>+ cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
>+ µsoftAuthenticodeSigning_Entry);
>+
> SECU_RegisterDynamicOids();
> }
> certHandle = CERT_GetDefaultCertDB();
>diff -up ./mozilla/security/nss/cmd/lib/moreoids.c.secureboot ./mozilla/security/nss/cmd/lib/moreoids.c
>--- ./mozilla/security/nss/cmd/lib/moreoids.c.secureboot 2012-03-20 10:46:59.000000000 -0400
>+++ ./mozilla/security/nss/cmd/lib/moreoids.c 2012-10-30 12:46:22.487548831 -0400
>@@ -41,6 +41,23 @@ OIDT mKPSCL[] = { MICROSOFT, 20, 2, 2 }
> OIDT mNTPN [] = { MICROSOFT, 20, 2, 3 }; /* NT Principal Name */
> OIDT mCASRV[] = { MICROSOFT, 21, 1 }; /* CertServ CA version */
> 
>+/*
>+NOTE: certcgi link must resolove its
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+*/
>+
>+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
>+
>+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
>+/* { 1.3.6.1.4.1.311 } */
>+static const unsigned char msExtendedKeyUsageCodeSigning[] =
>+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
>+
>+static const SECOidData microsoftAuthenticodeSigning_Entry =
>+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
>+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
>+ INVALID_CERT_EXTENSION };
>+
> /* AOL OIDs (1 3 6 1 4 1 1066 ... ) */
> #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
> 
>@@ -127,6 +144,28 @@ static const SECOidData oids[] = {
> 
> static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
> 
>+/* register the oid if we haven't already */
>+void
>+cert_fetchOID(SECOidTag *data, const SECOidData *src)
>+{
>+ if (*data == SEC_OID_UNKNOWN) {
>+ /* AddEntry does the right thing if someone else has already
>+ * added the oid. (that is return that oid tag) */
>+ *data = SECOID_AddEntry(src);
>+ }
>+}
>+
>+
>+/* NOTE: Possible improvement for a future iteration would be
>+ * to fetch the oid from SECU_RegisterDynamicOids so the tools
>+ * don't have to do it themselves. We could add
>+ *
>+ * cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
>+ * µsoftAuthenticodeSigning_Entry);
>+ *
>+ * Postponing this until more urgent tasks get taken care off.
>+ */
>+
> SECStatus
> SECU_RegisterDynamicOids(void)
> {
>diff -up ./mozilla/security/nss/cmd/lib/secutil.h.secureboot ./mozilla/security/nss/cmd/lib/secutil.h
>--- ./mozilla/security/nss/cmd/lib/secutil.h.secureboot 2012-09-27 13:13:33.000000000 -0400
>+++ ./mozilla/security/nss/cmd/lib/secutil.h 2012-10-30 12:46:22.487548831 -0400
>@@ -293,6 +293,9 @@ extern SECStatus DER_PrettyPrint(FILE *o
> 
> extern char *SECU_SECModDBName(void);
> 
>+/* register the dynamic oid if we haven't already */
>+extern void cert_fetchOID(SECOidTag *data, const SECOidData *src);
>+
> extern SECStatus SECU_RegisterDynamicOids(void);
> 
> /* Identifies hash algorithm tag by its string representation. */
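Review bot: The new `msExtendedKeyUsageCodeSigning` array spells out by hand the same seven prefix bytes that the file's `MICROSOFT` macro already supplies for the `OIDT m*[]` entries visible in the context lines (`{ MICROSOFT, 20, 2, 3 }` is 1.3.6.1.4.1.311.20.2.3, so `MICROSOFT` presumably expands to the 1.3.6.1.4.1.311 prefix), and it sits next to a second copy of the `_TO_ITEM` macro that `certcgi.c` and `certutil.c` also define. Writing it as `OIDT mCTLSIGN[] = { MICROSOFT, 10, 3, 1 };` and adding a row to the `oids[]` table would keep it in this file's style and let `SECU_RegisterDynamicOids` register it with the rest, which is what the author's own NOTE comments in the other hunks say they want eventually. The comment `NOTE: certcgi link must resolove its` has a typo (`resolve`) and would read better as `/* Defined here so the certcgi and certutil links resolve their extern. */`. The hunk's enclosing table continues outside it.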
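Review bot: `cert_fetchOID` is exported from cmd/lib through secutil.h but carries the lowercase `cert_` prefix that NSS conventionally uses for libcert-internal helpers, while every neighbouring export here is `SECU_`-prefixed (`SECU_RegisterDynamicOids` directly below); `SECU_FetchOID` would match the file's convention and not read as a library-private symbol. It also returns `void` and, when `SECOID_AddEntry` fails, silently leaves `*data` at `SEC_OID_UNKNOWN`, so the callers in certutil.c and certcgi.c cannot distinguish a failed registration from success; returning `SECStatus` — `return (*data == SEC_OID_UNKNOWN) ? SECFailure : SECSuccess;` — and updating the secutil.h prototype accordingly would let them bail out before emitting an extension with an unknown tag. The header comment `/* register the oid if we haven't already */` should state the contract: `data` is both the cache and the result, and a `SEC_OID_UNKNOWN` left behind means the entry could not be added.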