From e64a30f7af87fa960b012ace92c51b88e8abae68 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Fri, 12 Oct 2018 10:08:44 +0800 Subject: [PATCH] nss: fix non-determinism when create a blank certificate It uses certutil from nss to create a blank certificate. But the checksum of database file key4.db changes every time: $ certutil -N -d sql:. --empty-password $ md5sum * f9dac2cfcb07cc8ca6db442a9a570906 cert9.db b892c5ff7c1977d4728240b0cf628377 key4.db 7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt $ rm * $ certutil -N -d sql:. --empty-password $ md5sum * f9dac2cfcb07cc8ca6db442a9a570906 cert9.db 405d55178e866a115c1aa975fccfa764 key4.db 7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt Provide pre-created databases with a blank certificate to fix non-determinism issue. And these database files are from nss qemux86-64 build. Signed-off-by: Kai Kang Signed-off-by: Richard Purdie --- meta/recipes-support/nss/nss/blank-cert9.db | Bin 0 -> 28672 bytes meta/recipes-support/nss/nss/blank-key4.db | Bin 0 -> 36864 bytes .../recipes-support/nss/nss/system-pkcs11.txt | 5 +++++ meta/recipes-support/nss/nss_3.38.bb | 21 +++++++++++------- 4 files changed, 18 insertions(+), 8 deletions(-) create mode 100644 meta/recipes-support/nss/nss/blank-cert9.db create mode 100644 meta/recipes-support/nss/nss/blank-key4.db create mode 100644 meta/recipes-support/nss/nss/system-pkcs11.txt 
diff --git a/meta/recipes-support/nss/nss/blank-cert9.db b/meta/recipes-support/nss/nss/blank-cert9.db new file mode 100644 index 0000000000000000000000000000000000000000..7d4bcf2582d510f7b51d4306706746178c41fbbc GIT binary patch literal 28672 zcmeH~OK;Oa6ou_RTxhB2E*&F{wuccN{o(-@&vF*Mi2=rvIMnr}O+nF`U&7>vtSn_P&Rbs?}Ky8c(Wy zjHlCiaZ{VD-7zVX_dOET`quV08qKEvy)(=5Nl};AV#WCkI{QcIZ4Tp+IO%uabo%Gw zb$Tw&dfn5rlx8?M?!7wd9t=ch|F}PRE;4CfWnXPyLz+9NM^RTo&4ii>H)%)`Qiv$T z6m}^j6xtLr3b_q!wvuIJM@b$^mh+H{l4PSK`6x+7N|KY3WThl|DM@BZ4k^0jmFr_? zU21mL?5x>Yv$JMr&CZ&g4ObbiGF)Z2%5YW8*_g92XJgLBWtKf-_T1%>%ttXG%{$eS zYBldv^J+tBAFZg{N%A#3+VE(@qivFhlmlr@$fQC^bB9bSWKto|8uF|mf0u}BBX*0} zE#lf?5t-0LWa%XNI!POIl4fv{w&*17(@6s8BvC9SLveCZ#&}%sqAae;;>B{Ttd?VC zwHzy}THeW0!r{#>I zOpbCUp3t|IjGe}YCgyXi+by*cG}5N;l|Le%C-z2vk2!H?xfB*=900@8p2!H?xfB*HU&&_aBAa~B@8(POer3jZPkcWy z`P|6mo5q3cmM!kM!TvAiVe%S-c% z3-wjeY^*HS>WyPU|Gc`cqBpzpe$Fb^OQzAi(h0xnU+wA6R-dC=2)>@Ht*E=lBEG@m5HOG%a-ncl?zv!TW+o%6M@t(ecb|EzZ|N02klX` zt4bfM^s&kxX-L(j#-qlk<~TJ~YG$bksA=nFmZN0Ua-yURC8Og|ijowgB;_bcK}u4R zk`$#RWhqHvO0H2GFE3gjC)-iY$u=k3oNRNl&B-<=+nnt1EQe<~Jj>x(4$tzr*XLfJ zdwuTpqh8MRIrBJ=WFN&qHlL|2X|By@YV&GcsW)5E?zp5}heta++Tqc3%$tZD|PGg>UZ#vCSrupe|beSwim&tN;nJh<_Nv)fW)#XdMbkER%^-c=%+OriWV--Ir z@Ap?=`e(JJ(t1RHN6FE5l?iI5sKEvS2tWV=5P$##AOHafKmY;|fWWW{c#d009U<00Izz00bZa0SG_<0uUH}0X+W?|24)L zLI45~fB*y_009U<00Izz00ij&|2HRpH1roX2tWV=5P$##AOHafKmY;|fB*zuk3h>D zExFsdFN1#n`o?DG@A=!mz4-R0mFHhS{`aGMCw_gf{mystq@1=2M|VElc{X7l7&S-a z;q0N#(b>ECcfWb-&&$6&y8G8Z_h0;R>*tJVW~XMJ>|DC|(5t=u;D?(BCuVNYzyF() mPYwNr4FV8=00bZa0SG_<0uX=z1Rwx`ArdHzl*W_aDEtSkqPYeD literal 0 HcmV?d00001 diff --git a/meta/recipes-support/nss/nss/system-pkcs11.txt b/meta/recipes-support/nss/nss/system-pkcs11.txt new file mode 100644 index 0000000000..1a264e9cc4 --- /dev/null +++ b/meta/recipes-support/nss/nss/system-pkcs11.txt 
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/meta/recipes-support/nss/nss_3.38.bb b/meta/recipes-support/nss/nss_3.38.bb
index 904b621a07..e0ee209106 100644
--- a/meta/recipes-support/nss/nss_3.38.bb
+++ b/meta/recipes-support/nss/nss_3.38.bb
@@ -25,6 +25,9 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
 file://nss-fix-nsinstall-build.patch \
 file://disable-Wvarargs-with-clang.patch \
 file://pqg.c-ULL_addend.patch \
+ file://blank-cert9.db \
+ file://blank-key4.db \
+ file://system-pkcs11.txt \
 "
 
 SRC_URI[md5sum] = "ac9065460a7634ba8eb0f942f404e773"
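Review bot: The hand-written `configdir='sql:/etc/pki/nssdb'` in system-pkcs11.txt is no longer tied to the directory the files are actually installed into, `${D}${sysconfdir}/pki/nssdb/` in the do_install_append_class-target hunk of nss_3.38.bb; the removed `sed -i "s:${D}::g"` used to keep pkcs11.txt consistent with the configured sysconfdir, so a build with a non-default sysconfdir now ships a module configuration pointing at a directory that does not exist. Rewriting the path after the install, `sed -i "s:/etc/pki/nssdb:${sysconfdir}/pki/nssdb:g" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt`, restores the previous behaviour while keeping the prebuilt file. The slotFlags list and the trustOrder/cipherOrder values are a snapshot of what certutil emitted for this NSS version and are now maintained by hand, so they should be re-checked against certutil's output whenever PV is bumped.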
@@ -212,14 +215,16 @@ do_install_append() {
 }
 
 do_install_append_class-target() {
- # Create a blank certificate
- mkdir -p ${D}${sysconfdir}/pki/nssdb/
- touch ./empty_password
- certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
- chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
- rm ./empty_password
- # Remove build path prefix
- sed -i "s:${D}::g" ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
+ # It used to call certutil to create a blank certificate with empty password at
+ # build time, but the checksum of key4.db changes every time when certutil is called.
+ # It causes non-determinism issue, so provide databases with a blank certificate
+ # which are originally from output of nss in qemux86-64 build. You can get these
+ # databases by:
+ # certutil -N -d sql:/database/path/ --empty-password
+ install -d ${D}${sysconfdir}/pki/nssdb/
+ install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
+ install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
+ install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
 }
 
 PACKAGE_WRITE_DEPS += "nss-native"
-- 
2.40.1
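Review bot: The new comment records where the database files came from but not how a maintainer can confirm that the checked-in blobs really are empty, which matters because they are opaque binaries installed (0644, as before) as the system-wide NSS certificate and key database. I would extend the comment with `# Before replacing these files, confirm they list no certificates and no keys:` followed by `#     certutil -L -d sql:/database/path/` and `#     certutil -K -d sql:/database/path/`. Because the database is created with an empty password, a key stored in key4.db later is guarded only by file permissions, so the world-readable 0644 mode on key4.db deserves a one-line explanation next to the install line even though it is unchanged from the previous chmod.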