Patchwork [4/5] nss: create checksum files for the nss libraries

login
register
mail settings
Submitter Hongxu Jia
Date July 10, 2013, 8:03 a.m.
Message ID <fb33ec7730da4eec3aeb2a73295a851ed15af941.1373443071.git.hongxu.jia@windriver.com>
Download mbox | patch
Permalink /patch/53439/
State Accepted
Commit a4580f967c8064294a06d406acf5deb24aee2acc
Headers show

Comments

Hongxu Jia - July 10, 2013, 8:03 a.m.
Add checksum files required for the NSS softoken to operate in FIPS 140 mode.
The shlibsign is invoked to sign the libraries, and it is built for the target
architecture and doesn't support cross-compiling so far.

Invoke shlibsign at target's first boot time to generate checksum files.

https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note6
http://en.wikipedia.org/wiki/FIPS_140
https://bugzilla.mozilla.org/show_bug.cgi?id=681624

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/recipes-support/nss/files/signlibs.sh | 20 ++++++++++++++++++++
 meta/recipes-support/nss/nss.inc           | 16 ++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-support/nss/files/signlibs.sh
Ross Burton - July 12, 2013, 12:39 p.m.
On 10 July 2013 09:03, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> Add checksum files required for the NSS softoken to operate in FIPS 140 mode.
> The shlibsign is invoked to sign the libraries, and it is built for the target
> architecture and doesn't support cross-compiling so far.
>
> Invoke shlibsign at target's first boot time to generate checksum files.

As NSS depends on nss-native, can't you use that?  The bug you link to
implies that's what someone else has done when building NSS for iOS.

Ross
Hongxu Jia - July 12, 2013, 12:45 p.m.
On 07/12/2013 08:39 PM, Burton, Ross wrote:
> On 10 July 2013 09:03, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> Add checksum files required for the NSS softoken to operate in FIPS 140 mode.
>> The shlibsign is invoked to sign the libraries, and it is built for the target
>> architecture and doesn't support cross-compiling so far.
>>
>> Invoke shlibsign at target's first boot time to generate checksum files.
> As NSS depends on nss-native, can't you use that?  The bug you link to
> implies that's what someone else has done when building NSS for iOS.
Yes, invoke 'certutil' to create a blank certificate at build time.

//Hongxu
>
> Ross

Patch

diff --git a/meta/recipes-support/nss/files/signlibs.sh b/meta/recipes-support/nss/files/signlibs.sh
new file mode 100644
index 0000000..1ec79f4
--- /dev/null
+++ b/meta/recipes-support/nss/files/signlibs.sh
@@ -0,0 +1,20 @@ 
+#!/bin/sh
+
+# signlibs.sh
+#
+# (c)2010 Wind River Systems, Inc.
+#
+# regenerates the .chk files for the NSS libraries that require it
+# since the ones that are built have incorrect checksums that were
+# calculated on the host where they really need to be done on the
+# target
+
+CHK_FILES=`find /lib* /usr/lib* -name "*.chk"`
+SIGN_BINARY=`which shlibsign`
+for I in $CHK_FILES
+do
+       DN=`dirname $I`
+       BN=`basename $I .chk`
+       FN=$DN/$BN.so
+       $SIGN_BINARY -i $FN
+done
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 87cba38..4270743 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -18,6 +18,7 @@  SRC_URI = "\
 "
 SRC_URI_append_class-target += "\
     file://nss.pc.in \
+    file://signlibs.sh \
 "
 inherit siteinfo
 PR = "r0"
@@ -136,6 +137,14 @@  do_install() {
 }
 
 do_install_append_class-target() {
+    # Create empty .chk files for the NSS libraries at build time. They could
+    # be regenerated at target's boot time.
+    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+        touch ${D}/${libdir}/$file
+        chmod 755 ${D}/${libdir}/$file
+    done
+    install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
+
     install -d ${D}${libdir}/pkgconfig/
     sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
     sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
@@ -151,6 +160,13 @@  do_install_append_class-target() {
     rm ./empty_password
 }
 
+pkg_postinst_${PN} () {
+    if [ -n "$D" ]; then
+        exit 1
+    fi
+    signlibs.sh
+}
+
 FILES_${PN} = "\
     ${sysconfdir} \
     ${bindir} \