Red Hat Bugzilla – Attachment 644478 Details for
Bug 870864
Add support in NSS for Secure Boot
[patch]
preliminary secure boot support in tools
0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch (text/plain), 8.71 KB, created by
Elio Maldonado Batiz
on 2012-11-13 23:59:02 UTC
Description:
preliminary secure boot support in tools
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2012-11-13 23:59:02 UTC
Size:
8.71 KB
patch
obsolete
>Index: ./mozilla/security/nss/cmd/platlibs.mk
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
>retrieving revision 1.71
>diff -u -p -r1.71 platlibs.mk
>--- ./mozilla/security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71
>+++ ./mozilla/security/nss/cmd/platlibs.mk 8 Nov 2012 18:27:22 -0000
>@@ -194,4 +194,11 @@ ifndef USE_SYSTEM_ZLIB
> ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
> endif
> 
>+# Needed until secure boot is added upstream and fedora
>+# updates to the nss release with it.
>+#
>+ifdef NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+DEFINES += -DNO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+endif
>+
> JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX)
>Index: ./mozilla/security/nss/cmd/certcgi/ca_form.html
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/ca_form.html,v
>retrieving revision 1.4
>diff -u -p -r1.4 ca_form.html
>--- ./mozilla/security/nss/cmd/certcgi/ca_form.html 20 Mar 2012 14:46:53 -0000 1.4
>+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html 8 Nov 2012 19:16:37 -0000
>@@ -167,6 +167,7 @@
> <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
> <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
> <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
> </tr>
> <tr>
> <td>
>Index: ./mozilla/security/nss/cmd/certcgi/certcgi.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/certcgi.c,v
>retrieving revision 1.22
>diff -u -p -r1.22 certcgi.c
>--- ./mozilla/security/nss/cmd/certcgi/certcgi.c 29 Apr 2012 12:52:04 -0000 1.22
>+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c 8 Nov 2012 19:16:38 -0000
>@@ -21,6 +21,7 @@
> #include "pk11pqg.h"
> #include "certxutl.h"
> #include "nss.h"
>+#include "secutil.h"
> 
> 
> /* #define TEST 1 */
>@@ -33,6 +34,8 @@
> 
> static char *progName;
> 
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+
> typedef struct PairStr Pair;
> 
> struct PairStr {
>@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da
> if( SECSuccess != rv ) goto loser;
> }
> 
>+ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
>+ SECU_RegisterDynamicOids();
>+ }
>+
> if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
> rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
> if( SECSuccess != rv ) goto loser;
>Index: ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html,v
>retrieving revision 1.4
>diff -u -p -r1.4 stnd_ext_form.html
>--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 20 Mar 2012 14:46:53 -0000 1.4
>+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 8 Nov 2012 19:16:38 -0000
>@@ -34,6 +34,7 @@
> <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
> <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
> <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
> </tr>
> <tr>
> <td>
>Index: ./mozilla/security/nss/cmd/certutil/certext.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certext.c,v
>retrieving revision 1.12
>diff -u -p -r1.12 certext.c
>--- ./mozilla/security/nss/cmd/certutil/certext.c 20 Mar 2012 14:46:54 -0000 1.12
>+++ ./mozilla/security/nss/cmd/certutil/certext.c 8 Nov 2012 19:16:38 -0000
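Review bot: The new `extKeyUsage-msCodeSign` branch in AddExtKeyUsage only calls `SECU_RegisterDynamicOids()` and never appends the tag to the sequence, so ticking the new checkbox in ca_form.html or stnd_ext_form.html changes nothing in the issued certificate, whereas every sibling branch ends with `rv = AddOidToSequence(os, ...)`. The SECStatus from `SECU_RegisterDynamicOids()` is also discarded, so a failed registration silently leaves `szOID_KP_CTL_USAGE_SIGNING` at SEC_OID_UNKNOWN. Suggested body for the branch: `if( SECSuccess != SECU_RegisterDynamicOids() ) goto loser;` then `rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);` and `if( SECSuccess != rv ) goto loser;`. AddExtKeyUsage begins and ends outside the hunk.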
>@@ -18,6 +18,9 @@
> #endif
> 
> #include "secutil.h"
>+/* #include "secoidt.h" */ /* For when we update nss */
>+
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
> 
> #if defined(XP_UNIX)
> #include <unistd.h>
>@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
> "timeStamp",
> "ocspResponder",
> "stepUp",
>+ "msCodeSigning",
> NULL};
> 
> static SECStatus
>@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
> case 6:
> rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
> break;
>+ case 7:
>+ rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+ break;
> default:
> goto endloop;
> }
>Index: ./mozilla/security/nss/cmd/certutil/certutil.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v
>retrieving revision 1.162
>diff -u -p -r1.162 certutil.c
>--- ./mozilla/security/nss/cmd/certutil/certutil.c 20 Mar 2012 14:46:54 -0000 1.162
>+++ ./mozilla/security/nss/cmd/certutil/certutil.c 8 Nov 2012 19:16:38 -0000
>@@ -46,6 +46,8 @@
> 
> char *progName;
> 
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+
> static CERTCertificateRequest *
> GetCertRequest(PRFileDesc *inFile, PRBool ascii)
> {
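Review bot: The new `case 7` hands `szOID_KP_CTL_USAGE_SIGNING` to AddOidToSequence, but that variable is only a usable tag after SECU_RegisterDynamicOids() has run, and nothing in this patch's certutil.c hunks shows that call preceding AddExtKeyUsage; if it is absent, the value here is still SEC_OID_UNKNOWN. A guard before the call, `if( szOID_KP_CTL_USAGE_SIGNING == SEC_OID_UNKNOWN ) { rv = SECFailure; break; }`, or at least a comment on the new extern stating the ordering requirement, would make the dependency explicit. Separately, the keyword added to extKeyUsageKeyWordArray is `msCodeSigning`, while the luC help text elsewhere in this patch advertises `msCodeSign`; users will type what the help text shows, so the two spellings should be reconciled. The switch in AddExtKeyUsage begins and ends outside the hunk.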
>@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con
> "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
> "%-20s \"stepUp\", \"critical\"\n",
> " -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
>+ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
> FPS "%-20s Create an email subject alt name extension\n",
> " -7 emailAddrs");
> FPS "%-20s Create an dns subject alt name extension\n",
>Index: ./mozilla/security/nss/cmd/lib/moreoids.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/lib/moreoids.c,v
>retrieving revision 1.3
>diff -u -p -r1.3 moreoids.c
>--- ./mozilla/security/nss/cmd/lib/moreoids.c 20 Mar 2012 14:46:59 -0000 1.3
>+++ ./mozilla/security/nss/cmd/lib/moreoids.c 8 Nov 2012 19:16:38 -0000
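Review bot: The added `"%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",` line is placed after the `);` that closes the preceding FPS call, so it is a stand-alone string literal joined to the following FPS statement by the comma operator: it compiles with at most an unused-value warning but is never printed, and the help still lists only `stepUp`/`critical` for `-6`. It should replace the existing `"%-20s \"stepUp\", \"critical\"\n",` line inside that call rather than follow it. The keyword certext.c actually matches is `msCodeSigning`, so the help text should use that spelling. luC continues outside the hunk.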
>@@ -41,6 +41,31 @@ OIDT mKPSCL[] = { MICROSOFT, 20, 2, 2 }
> OIDT mNTPN [] = { MICROSOFT, 20, 2, 3 }; /* NT Principal Name */
> OIDT mCASRV[] = { MICROSOFT, 21, 1 }; /* CertServ CA version */
> 
>+/* Until the new oid gets approved upstream the fedora nss package maintainer
>+ * adds 'export NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL=1' to the nss.spec file.
>+ * This sets -D'export NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL=1' in platlibs.mk.
>+ * When https://bugzilla.mozilla.org/show_bug.cgi?id=807890 is approved and
>+ * fedora updates to the corresponding upstream the conditionalizations will
>+ * be replace what we currently have as the #else case.
>+ */
>+#if NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
>+#else
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+#endif
>+
>+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
>+
>+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
>+/* { 1.3.6.1.4.1.311 } */
>+static const unsigned char msExtendedKeyUsageCodeSigning[] =
>+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
>+
>+static const SECOidData microsoftAuthenticodeSigning_Entry =
>+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
>+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
>+ INVALID_CERT_EXTENSION };
>+
> /* AOL OIDs (1 3 6 1 4 1 1066 ... ) */
> #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
> 
>@@ -127,6 +152,18 @@ static const SECOidData oids[] = {
> 
> static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
> 
>+/* register the oid if we haven't already */
>+void
>+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
>+{
>+ if (*data == SEC_OID_UNKNOWN) {
>+ /* AddEntry does the right thing if someone else has already
>+ * added the oid. (that is return that oid tag) */
>+ *data = SECOID_AddEntry(src);
>+ }
>+}
>+
>+
> SECStatus
> SECU_RegisterDynamicOids(void)
> {
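Review bot: `szOID_KP_CTL_USAGE_SIGNING` is defined twice in this hunk, once inside the `#if NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL` branch and again unconditionally after the `_TO_ITEM` macro, so building with the flag that platlibs.mk sets produces a redefinition error, and building without it makes the `#else` extern pointless; keep exactly one definition, either by deleting the unconditional `SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;` or by dropping the conditional block. The comment `/* { 1.3.6.1.4.1.311 } */` is truncated: the bytes below it decode to 1.3.6.1.4.1.311.10.3.1, which the identifier itself labels as CTL usage signing, while the entry's description reads "Microsoft Authenticode Signing" and the forms say "Microsoft Code Signing" — confirm this arc is the EKU the intended verifier checks and make the comment, description and UI label agree, since a mismatched EKU OID would be the kind of error that only surfaces when signatures are rejected. `_TO_ITEM` is a reserved identifier (leading underscore followed by an uppercase letter); `TO_ITEM` avoids that. The comment's "-D'export ...=1'" wording also does not match what the platlibs.mk hunk adds (`-DNO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL`).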
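Review bot: SECU_cert_fetchOID returns void, so when `SECOID_AddEntry` fails and `*data` is left at SEC_OID_UNKNOWN the caller cannot tell, even though the only caller in this patch, SECU_RegisterDynamicOids, already returns a SECStatus. Returning one here too is a one-line change, `return (*data == SEC_OID_UNKNOWN) ? SECFailure : SECSuccess;` after the `if`, with the secutil.h prototype updated to match. The comment's claim that AddEntry returns the existing tag for an already-registered OID is not established by anything in the patch; if it is relying on SECOID_AddEntry's documented behaviour, say so, otherwise hedge it.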
>@@ -144,5 +181,10 @@ SECU_RegisterDynamicOids(void)
> #endif
> }
> }
>+
>+ /* Fetch and register the oid on behalf of the tools. */
>+ SECU_cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
>+ µsoftAuthenticodeSigning_Entry);
>+
> return rv;
> }
>Index: ./mozilla/security/nss/cmd/lib/secutil.h
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v
>retrieving revision 1.48
>diff -u -p -r1.48 secutil.h
>--- ./mozilla/security/nss/cmd/lib/secutil.h 27 Sep 2012 17:13:33 -0000 1.48
>+++ ./mozilla/security/nss/cmd/lib/secutil.h 8 Nov 2012 19:16:38 -0000
>@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o
> 
> extern char *SECU_SECModDBName(void);
> 
>+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
>+
> extern SECStatus SECU_RegisterDynamicOids(void);
> 
> /* Identifies hash algorithm tag by its string representation. */
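Review bot: The outcome of the new SECU_cert_fetchOID call is not reflected in `rv`, so SECU_RegisterDynamicOids returns success even when `szOID_KP_CTL_USAGE_SIGNING` is still SEC_OID_UNKNOWN afterwards and every tool that then uses the tag proceeds with an invalid value; add `if (szOID_KP_CTL_USAGE_SIGNING == SEC_OID_UNKNOWN) rv = SECFailure;` after the call. As rendered on this page the second argument reads `µsoftAuthenticodeSigning_Entry`, which looks like `&microsoftAuthenticodeSigning_Entry` mangled by HTML entity handling rather than what the author wrote; check the raw attachment before applying. SECU_RegisterDynamicOids begins outside the hunk.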
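Review bot: secutil.h gains the SECU_cert_fetchOID prototype but not the matching `extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;`, so certcgi.c, certext.c and certutil.c each carry their own extern for a symbol defined in moreoids.c; declaring it once here, next to the new prototype, removes the three copies and keeps the type in one place. A short comment on that declaration, such as `/* SEC_OID_UNKNOWN until SECU_RegisterDynamicOids() has run. */`, would document the ordering the tools rely on. The prototype also takes `SECOidData`, which in this header comes only through whatever it already includes; the `/* #include "secoidt.h" */` left commented out in the certext.c hunk suggests that dependency is worth stating explicitly.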
Flags:
rrelyea
: review+