From 6e1a26a079f834059d0a7069ffe7905781fa271c Mon Sep 17 00:00:00 2001
From: Elio Maldonado Batiz
Date: Mon, 19 Nov 2012 21:45:58 -0800
Subject: [PATCH] Resolves: rhbz#870864 - Add support in NSS for Secure Boot
---
...-usage-for-MS-Authenticode-Code-Sign.patch | 168 ++++++++++++++++++
nss.spec | 8 +-
2 files changed, 175 insertions(+), 1 deletion(-)
create mode 100644 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
diff --git a/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch b/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
new file mode 100644
index 0000000..7ff16af
--- /dev/null
+++ b/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
@@ -0,0 +1,168 @@
+diff -up ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 ./mozilla/security/nss/cmd/certcgi/ca_form.html
+--- ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 2012-03-20 07:46:53.000000000 -0700
++++ ./mozilla/security/nss/cmd/certcgi/ca_form.html 2012-11-19 21:32:32.568415831 -0800
+@@ -167,6 +167,7 @@
+ Timestamp
+
+
+diff -up ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 ./mozilla/security/nss/cmd/certcgi/certcgi.c
+--- ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 2012-04-29 05:52:04.000000000 -0700
++++ ./mozilla/security/nss/cmd/certcgi/certcgi.c 2012-11-19 21:32:32.569415846 -0800
+@@ -21,6 +21,7 @@
+ #include "pk11pqg.h"
+ #include "certxutl.h"
+ #include "nss.h"
++#include "secutil.h"
+
+
+ /* #define TEST 1 */
+@@ -33,6 +34,8 @@
+
+ static char *progName;
+
++extern SECOidTag SEC_OID_KP_CTL_USAGE_SIGNING;
++
+ typedef struct PairStr Pair;
+
+ struct PairStr {
+@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da
+ if( SECSuccess != rv ) goto loser;
+ }
+
++ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
++ SECU_RegisterDynamicOids();
++ }
++
+ if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
+ rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
+ if( SECSuccess != rv ) goto loser;
+diff -up ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
+--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 2012-03-20 07:46:53.000000000 -0700
++++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 2012-11-19 21:32:32.570415861 -0800
+@@ -34,6 +34,7 @@
+ Timestamp
+ OCSP Responder
+ Step-up
++ Microsoft Code Signing
+ |
+
+
+diff -up ./mozilla/security/nss/cmd/certutil/certext.c.870864 ./mozilla/security/nss/cmd/certutil/certext.c
+--- ./mozilla/security/nss/cmd/certutil/certext.c.870864 2012-03-20 07:46:54.000000000 -0700
++++ ./mozilla/security/nss/cmd/certutil/certext.c 2012-11-19 21:32:32.571415876 -0800
+@@ -18,6 +18,9 @@
+ #endif
+
+ #include "secutil.h"
++/* #include "secoidt.h" */ /* For when we update nss */
++
++extern SECOidTag SEC_OID_KP_CTL_USAGE_SIGNING;
+
+ #if defined(XP_UNIX)
+ #include
+@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
+ "timeStamp",
+ "ocspResponder",
+ "stepUp",
++ "msCodeSigning",
+ NULL};
+
+ static SECStatus
+@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
+ case 6:
+ rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
+ break;
++ case 7:
++ rv = AddOidToSequence(os, SEC_OID_KP_CTL_USAGE_SIGNING);
++ break;
+ default:
+ goto endloop;
+ }
+diff -up ./mozilla/security/nss/cmd/certutil/certutil.c.870864 ./mozilla/security/nss/cmd/certutil/certutil.c
+--- ./mozilla/security/nss/cmd/certutil/certutil.c.870864 2012-03-20 07:46:54.000000000 -0700
++++ ./mozilla/security/nss/cmd/certutil/certutil.c 2012-11-19 21:32:32.573415906 -0800
+@@ -46,6 +46,8 @@
+
+ char *progName;
+
++extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
++
+ static CERTCertificateRequest *
+ GetCertRequest(PRFileDesc *inFile, PRBool ascii)
+ {
+@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con
+ "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
+ "%-20s \"stepUp\", \"critical\"\n",
+ " -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
++ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
+ FPS "%-20s Create an email subject alt name extension\n",
+ " -7 emailAddrs");
+ FPS "%-20s Create an dns subject alt name extension\n",
+diff -up ./mozilla/security/nss/cmd/lib/moreoids.c.870864 ./mozilla/security/nss/cmd/lib/moreoids.c
+--- ./mozilla/security/nss/cmd/lib/moreoids.c.870864 2012-03-20 07:46:59.000000000 -0700
++++ ./mozilla/security/nss/cmd/lib/moreoids.c 2012-11-19 21:36:23.782925556 -0800
+@@ -41,6 +41,18 @@ OIDT mKPSCL[] = { MICROSOFT, 20, 2, 2 }
+ OIDT mNTPN [] = { MICROSOFT, 20, 2, 3 }; /* NT Principal Name */
+ OIDT mCASRV[] = { MICROSOFT, 21, 1 }; /* CertServ CA version */
+
++#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
++
++SECOidTag SEC_OID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
++/* { 1.3.6.1.4.1.311 } */
++static const unsigned char msExtendedKeyUsageCodeSigning[] =
++ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
++
++static const SECOidData microsoftAuthenticodeSigning_Entry =
++ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
++ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
++ INVALID_CERT_EXTENSION };
++
+ /* AOL OIDs (1 3 6 1 4 1 1066 ... ) */
+ #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
+
+@@ -127,6 +139,18 @@ static const SECOidData oids[] = {
+
+ static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
+
++/* register the oid if we haven't already */
++void
++SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
++{
++ if (*data == SEC_OID_UNKNOWN) {
++ /* AddEntry does the right thing if someone else has already
++ * added the oid. (that is return that oid tag) */
++ *data = SECOID_AddEntry(src);
++ }
++}
++
++
+ SECStatus
+ SECU_RegisterDynamicOids(void)
+ {
+@@ -144,5 +168,10 @@ SECU_RegisterDynamicOids(void)
+ #endif
+ }
+ }
++
++ /* Fetch and register the oid on behalf of the tools. */
++ SECU_cert_fetchOID(&SEC_OID_KP_CTL_USAGE_SIGNING,
++ µsoftAuthenticodeSigning_Entry);
++
+ return rv;
+ }
+diff -up ./mozilla/security/nss/cmd/lib/secutil.h.870864 ./mozilla/security/nss/cmd/lib/secutil.h
+--- ./mozilla/security/nss/cmd/lib/secutil.h.870864 2012-09-27 10:13:33.000000000 -0700
++++ ./mozilla/security/nss/cmd/lib/secutil.h 2012-11-19 21:32:32.575415936 -0800
+@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o
+
+ extern char *SECU_SECModDBName(void);
+
++extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
++
+ extern SECStatus SECU_RegisterDynamicOids(void);
+
+ /* Identifies hash algorithm tag by its string representation. */
diff --git a/nss.spec b/nss.spec
index 3d02f85..37a4484 100644
--- a/nss.spec
+++ b/nss.spec
@@ -7,7 +7,7 @@
Summary: Network Security Services
Name: nss
Version: 3.14
-Release: 9%{?dist}
+Release: 10%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -71,6 +71,8 @@ Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=357025
Patch41: Bug-872124-fix-pk11wrap-locking.patch
+# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890
+Patch42: 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -155,6 +157,7 @@ low level services.
%patch39 -p1 -b .nobypass
%patch40 -p1 -b .noocsptest
%patch41 -p0 -b .872124
+%patch42 -p0 -b .870864
%build
@@ -590,6 +593,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog
+* Mon Nov 19 2012 Elio Maldonado - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
* Sat Nov 10 2012 Elio Maldonado - 3.14-9
- Disable bypass code at build time and return failure on attempts to enable at runtime
- Bug 806588 - Disable SSL PKCS #11 bypass at build time
|