Created attachment 634838 [details] Patch1: Add extended key usage to the tools Description of problem: Support for Secure Boot is missing in the NSS libraries and tools. Version-Release number of selected component (if applicable): nss-3.14 How reproducible: Always Steps to Reproduce: Actual results: Expected results: Additional info: This problem was identified and brought to our attention by Peter Jones, one of the developers working on Secure Boot support. To quote from his message: One of the things needed for SB is certificates generated with a specific "extended key usage" field that currently isn't supported by certutil. I will attach Peter Jones's two original patches - one for nss-util and one for nss itself - which add the OID in question. Ideally you'd be able to specify any OID by number on the command line, but that's pretty out of scope for what he is doing. NSS needs to address those issues.
Created attachment 634839 [details] Patch2: Add extended key usage to the nss-util
To quote further from the original message: The reason for the nss-utils patch appears to be a bug in our packaging; secoidt.h exists in both nss-utils-devel and nss itself. If you have nss-utils-devel installed when you build nss, *some* parts of the code wind up building with the internal header, and some with the external one. We're going to need this pretty soon - ideally we'd have it in F18 beta, which is coming up unfortunately quickly. So if you could review it, I'd be happy to make any changes you feel are needed.
Bob Relyea has reviewed those patches and his guidance is that: We not include the secoidt.h changes, instead use dynamic oids to add the microsoft oid... That will 1) make sure we don't mess up ABI with any upstream changes, and 2) handle the issue of two secoidt.h's that Peter ran into. I will attach next modified versions of the patches I am currently working on. They are early cuts.
Created attachment 634848 [details] Patch 1 - extended key usage support in nss - early work
Created attachment 634849 [details] Patch 2 - extended key usage support in nss-util
Created attachment 634850 [details] Patch 3 - temporary patch to be removed soon - early work
Notice that whereas the original patches were based on nss-3.13.5, these new patches are based on nss-3.14, to which nss on f18 will be updating soon. The format also lends itself to upstream submission. They were actually developed on rawhide and should take very minor modifications for f18, if any. This is work in progress and a very early crack at it.
Comment on attachment 634848 [details] Patch 1 - extended key usage support in nss - early work r- The secutil changes can be pushed upstream immediately, they are pretty generic, and are correct. Certutil is missing a call to cert_fetchoid. You can't use the new oid you defined until you actually load it. This is what earned the r-. The certcgi changes aren't right. The reason you couldn't use the expected oid is because you need the same initialization code you added to certutil. If this were the only problem I would r+ the patch since I'm pretty sure certcgi is bitrotted, and it currently isn't used anywhere, but we should at least not add to the issues. bob
Comment on attachment 634849 [details] Patch 2 - extended key usage support in nss-util r- This is the patch you want to get upstream first. oids are enums, so we should never add our new oids until it has been pushed upstream. That is why we need the dynamic code. (BTW this patch is reasonable to submit upstream). bob
Comment on attachment 634850 [details] Patch 3 - temporary patch to be removed soon - early work r- For upstream: This should be part of the enums (with a true NSS name starting with SEC_OID). NOTE, your patch 2 should add the new oid at the end. Static oid tags are indexes into the oid table and you cannot change the table order without compromising ABI. For your local patch: remove this altogether. szOID_KP_XXXXX should be an extern SECOIDTag, which needs to be defined and initialized in each program once using Cert_fetchoid(). bob
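The table-index versus run-time-registration point in the review above, as a toy model added here in C. This is not NSS's or the patches' own code; the tag names, the table layout and the dotted OID 1.3.6.1.4.1.99999.1 are constructed placeholders (the real Secure Boot EKU value is not given in the thread).

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the design the review describes (an added illustration, not NSS code): static
 * tags index a fixed table, so inserting anywhere but the end renumbers later tags (ABI break). */
enum { MAX_OID_LEN = 32, MAX_OIDS = 16 };
typedef enum { TAG_UNKNOWN = -1, TAG_SERVER_AUTH, TAG_CODE_SIGNING, STATIC_OID_COUNT } OidTag;
typedef struct { unsigned char der[MAX_OID_LEN]; size_t len; } OidEntry;
static OidEntry oid_table[MAX_OIDS] = {     /* DER content bytes of the static OIDs */
    { {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01}, 8 },   /* id-kp-serverAuth  1.3.6.1.5.5.7.3.1 */
    { {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x03}, 8 },   /* id-kp-codeSigning 1.3.6.1.5.5.7.3.3 */
};
static int oid_count = STATIC_OID_COUNT;
/* Encode a dotted OID as DER content bytes (base-128 arcs); returns 0 on bad input. */
size_t oid_encode(const char *dotted, unsigned char *out, size_t cap) {
    unsigned long arcs[16]; int n = 0; size_t len = 0; const char *p = dotted; char *end = NULL;
    for (; *p && n < 16; p = (*end == '.') ? end + 1 : end)
        if ((arcs[n++] = strtoul(p, &end, 10)), end == p) return 0;   /* not a number */
    if (*p || n < 2 || arcs[0] > 2) return 0;
    for (int i = 1; i < n; i++) {
        unsigned long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[10]; int k = 0;
        do { tmp[k++] = v & 0x7f; v >>= 7; } while (v);               /* low group first */
        while (k--) { if (len >= cap) return 0; out[len++] = tmp[k] | (k ? 0x80 : 0); }
    }
    return len;
}
/* Look a DER-encoded OID up across static and dynamic entries. */
OidTag oid_find(const unsigned char *der, size_t len) {
    for (int i = 0; i < oid_count; i++)
        if (oid_table[i].len == len && memcmp(oid_table[i].der, der, len) == 0) return (OidTag)i;
    return TAG_UNKNOWN;
}
OidTag oid_tag_of(const char *dotted) {      /* tag for a dotted OID, or TAG_UNKNOWN */
    unsigned char der[MAX_OID_LEN]; size_t len = oid_encode(dotted, der, sizeof der);
    return len ? oid_find(der, len) : TAG_UNKNOWN;
}
/* Register an OID at run time: appended, so every existing tag keeps its value. */
OidTag oid_add_dynamic(const char *dotted) {
    unsigned char der[MAX_OID_LEN]; size_t len = oid_encode(dotted, der, sizeof der);
    OidTag t = len ? oid_find(der, len) : TAG_UNKNOWN;
    if (!len || t != TAG_UNKNOWN || oid_count >= MAX_OIDS) return t;  /* bad, present, or full */
    memcpy(oid_table[oid_count].der, der, len); oid_table[oid_count].len = len;
    return (OidTag)oid_count++;
}
/* "extern tag, fetched once per program" pattern; the OID below is a constructed placeholder */
OidTag g_eku_tag = TAG_UNKNOWN;
OidTag fetch_eku_tag(void) {
    if (g_eku_tag == TAG_UNKNOWN) g_eku_tag = oid_add_dynamic("1.3.6.1.4.1.99999.1");
    return g_eku_tag;
}
```

Until fetch_eku_tag() has run, a lookup of the placeholder OID returns TAG_UNKNOWN, which is the "you can't use the new oid until you load it" failure from the earlier review comment.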
Created attachment 636948 [details] Patch1 V2 - secure boot support in nss tools only
Created attachment 636949 [details] Patch1 V2 - secure boot support in nss tools only
Created attachment 636950 [details] Patch2 V2 - extended key usage support in nss-util Patch 2 is for upstream submission only at this moment. Once applied upstream we shall pick them up in a suitable rebase of nss.
Created attachment 641077 [details] Patch1 V3 - secure boot support in tools Implements the suggestions made in the comments on the previous version. To ease future modifications once upstream accepts Patch1 and Patch2 I have moved the bulk of the changes to mozilla/security/nss/cmds/lib/moreoids.c.
Created attachment 644478 [details] preliminary secure boot support in tools In tools only until the full patch is approved upstream and we can update to it.
Comment on attachment 644478 [details] preliminary secure boot support in tools r+, but kill the ifdef. You don't need it. This code will work correctly even if the oid is statically added to the NSS table.
nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-7.fc18,nss-softokn-3.14-5.fc18,nss-util-3.14-1.fc18
Package nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-util-3.14-1.fc18 nss-3.14-7.fc18 nss-softokn-3.14-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-7.fc18,nss-softokn-3.14-5.fc18,nss-util-3.14-1.fc18 then log in and leave karma (feedback).
nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17
nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
nss-util-3.14-1.fc17, nss-softokn-3.14-5.fc17, nss-3.14-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.