Attachment 644478 Details for Bug 870864 – preliminary secure boot support in tools

[patch] preliminary secure boot support in tools

0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch (text/plain), 8.71 KB, created by Elio Maldonado Batiz on 2012-11-13 23:59:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Elio Maldonado Batiz

Created: 2012-11-13 23:59:02 UTC

Size: 8.71 KB

patch

obsolete

>Index: ./mozilla/security/nss/cmd/platlibs.mk
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
>retrieving revision 1.71
>diff -u -p -r1.71 platlibs.mk
>--- ./mozilla/security/nss/cmd/platlibs.mk	17 Jul 2012 15:22:42 -0000	1.71
>+++ ./mozilla/security/nss/cmd/platlibs.mk	8 Nov 2012 18:27:22 -0000
>@@ -194,4 +194,11 @@ ifndef USE_SYSTEM_ZLIB
> ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
> endif
> 
>+# Needed until secure boot is added upstream and fedora
>+# updates to the nss release with it.
>+#
>+ifdef NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+DEFINES += -DNO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+endif
>+
> JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX)
>Index: ./mozilla/security/nss/cmd/certcgi/ca_form.html
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/ca_form.html,v
>retrieving revision 1.4
>diff -u -p -r1.4 ca_form.html
>--- ./mozilla/security/nss/cmd/certcgi/ca_form.html	20 Mar 2012 14:46:53 -0000	1.4
>+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html	8 Nov 2012 19:16:37 -0000
>@@ -167,6 +167,7 @@
>     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
>     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
>     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
>     </tr>
>     <tr>
>     <td>
>Index: ./mozilla/security/nss/cmd/certcgi/certcgi.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/certcgi.c,v
>retrieving revision 1.22
>diff -u -p -r1.22 certcgi.c
>--- ./mozilla/security/nss/cmd/certcgi/certcgi.c	29 Apr 2012 12:52:04 -0000	1.22
>+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c	8 Nov 2012 19:16:38 -0000
>@@ -21,6 +21,7 @@
> #include "pk11pqg.h"
> #include "certxutl.h"
> #include "nss.h"
>+#include "secutil.h"
> 
> 
> /* #define TEST           1 */
>@@ -33,6 +34,8 @@
> 
> static char *progName;
> 
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+
> typedef struct PairStr Pair;
> 
> struct PairStr {
>@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da
>     if( SECSuccess != rv ) goto loser;
>   }
> 
>+  if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
>+    SECU_RegisterDynamicOids();
>+  }
>+
>   if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
>     rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
>     if( SECSuccess != rv ) goto loser;
>Index: ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html,v
>retrieving revision 1.4
>diff -u -p -r1.4 stnd_ext_form.html
>--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html	20 Mar 2012 14:46:53 -0000	1.4
>+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html	8 Nov 2012 19:16:38 -0000
>@@ -34,6 +34,7 @@
>     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
>     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
>     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
>     </tr>
>     <tr>
>     <td>
>Index: ./mozilla/security/nss/cmd/certutil/certext.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certext.c,v
>retrieving revision 1.12
>diff -u -p -r1.12 certext.c
>--- ./mozilla/security/nss/cmd/certutil/certext.c	20 Mar 2012 14:46:54 -0000	1.12
>+++ ./mozilla/security/nss/cmd/certutil/certext.c	8 Nov 2012 19:16:38 -0000
>@@ -18,6 +18,9 @@
> #endif
> 
> #include "secutil.h"
>+/* #include "secoidt.h" */ /* For when we update nss */
>+
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
> 
> #if defined(XP_UNIX)
> #include <unistd.h>
>@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
>                               "timeStamp",
>                               "ocspResponder",
>                               "stepUp",
>+                              "msCodeSigning",
>                               NULL};
> 
> static SECStatus 
>@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
>         case 6:
>             rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
>             break;
>+        case 7:
>+            rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+            break;
>         default:
>             goto endloop;
>         }
>Index: ./mozilla/security/nss/cmd/certutil/certutil.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v
>retrieving revision 1.162
>diff -u -p -r1.162 certutil.c
>--- ./mozilla/security/nss/cmd/certutil/certutil.c	20 Mar 2012 14:46:54 -0000	1.162
>+++ ./mozilla/security/nss/cmd/certutil/certutil.c	8 Nov 2012 19:16:38 -0000
>@@ -46,6 +46,8 @@
> 
> char *progName;
> 
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+
> static CERTCertificateRequest *
> GetCertRequest(PRFileDesc *inFile, PRBool ascii)
> {
>@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con
>               "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
>               "%-20s \"stepUp\", \"critical\"\n",
>         "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
>+              "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
>     FPS "%-20s Create an email subject alt name extension\n",
>         "   -7 emailAddrs");
>     FPS "%-20s Create an dns subject alt name extension\n",
>Index: ./mozilla/security/nss/cmd/lib/moreoids.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/lib/moreoids.c,v
>retrieving revision 1.3
>diff -u -p -r1.3 moreoids.c
>--- ./mozilla/security/nss/cmd/lib/moreoids.c	20 Mar 2012 14:46:59 -0000	1.3
>+++ ./mozilla/security/nss/cmd/lib/moreoids.c	8 Nov 2012 19:16:38 -0000
>@@ -41,6 +41,31 @@ OIDT  mKPSCL[]	= { MICROSOFT, 20, 2, 2 }
> OIDT  mNTPN []	= { MICROSOFT, 20, 2, 3 }; /* NT Principal Name        */
> OIDT  mCASRV[]	= { MICROSOFT, 21, 1    }; /* CertServ CA version      */
> 
>+/* Until the new oid gets approved upstream the fedora nss package maintainer
>+ * adds 'export NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL=1' to the nss.spec file.
>+ * This sets -D'export NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL=1' in platlibs.mk.
>+ * When https://bugzilla.mozilla.org/show_bug.cgi?id=807890 is approved and
>+ * fedora updates to the corresponding upstream the conditionalizations will
>+ * be replace what we currently have as the #else case.
>+ */
>+#if NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL
>+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
>+#else
>+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
>+#endif
>+
>+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
>+
>+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
>+/* { 1.3.6.1.4.1.311 } */
>+static const unsigned char msExtendedKeyUsageCodeSigning[] =
>+        { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1  };
>+
>+static const SECOidData microsoftAuthenticodeSigning_Entry =
>+        { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
>+        "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
>+        INVALID_CERT_EXTENSION };
>+
> /* AOL OIDs     (1 3 6 1 4 1 1066 ... )   */
> #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
> 
>@@ -127,6 +152,18 @@ static const SECOidData oids[] = {
> 
> static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
> 
>+/* register the oid if we haven't already */
>+void
>+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
>+{
>+    if (*data == SEC_OID_UNKNOWN) {
>+        /* AddEntry does the right thing if someone else has already
>+         * added the oid. (that is return that oid tag) */
>+        *data = SECOID_AddEntry(src);
>+    }
>+}
>+
>+
> SECStatus
> SECU_RegisterDynamicOids(void)
> {
>@@ -144,5 +181,10 @@ SECU_RegisterDynamicOids(void)
> #endif
> 	}
>     }
>+
>+    /* Fetch and register the oid on behalf of the tools. */
>+    SECU_cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
>+	&microsoftAuthenticodeSigning_Entry);
>+
>     return rv;
> }
>Index: ./mozilla/security/nss/cmd/lib/secutil.h
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v
>retrieving revision 1.48
>diff -u -p -r1.48 secutil.h
>--- ./mozilla/security/nss/cmd/lib/secutil.h	27 Sep 2012 17:13:33 -0000	1.48
>+++ ./mozilla/security/nss/cmd/lib/secutil.h	8 Nov 2012 19:16:38 -0000
>@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o
> 
> extern char *SECU_SECModDBName(void);
> 
>+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
>+
> extern SECStatus SECU_RegisterDynamicOids(void);
> 
> /* Identifies hash algorithm tag by its string representation. */

Flags:

rrelyea: review+

Actions: View | Diff

Attachments on bug 870864: 634838 | 634839 | 634848 | 634849 | 634850 | 636948 | 636949 | 636950 | 641077 | 644478