[OE-core] [PATCH 0/1] nss: fix non-determinism when create blank certificate

kai.kang at windriver.com kai.kang at windriver.com
Thu Oct 11 14:24:16 UTC 2018 

From: Kai Kang <kai.kang at windriver.com>

Test on qemux86-64 qemuarm qemumips64 and qemuppc
1 bitbake core-image-sato
2 boot image
3 run some certutil commands to list create delete certificate and works well

root at qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root at qemuppc:~# certutil -U -d sql:/etc/pki/nssdb/

    slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
root at qemuppc:~# certutil -K -d sql:/etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found

root at qemuppc:~# certutil -S -d sql:/etc/pki/nssdb/ -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
...

root at qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my-ca-cert                                                   Cu,Cu,Cu
root at qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      df1dfdd0f643f7821daea44ea4f3a2125db4e2b3   NSS Certificate DB:my-ca-cert
root at qemuppc:~# certutil -D -d sql:/etc/pki/nssdb/ -n "my-ca-cert"
root at qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root at qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      df1dfdd0f643f7821daea44ea4f3a2125db4e2b3   (orphan)
root at qemuppc:~#


The following changes since commit 8a2e53b525ebc4f50c7384af056cbe67a3913282:

  libxml2: Make it compatible with externalsrc (2018-10-10 17:59:09 +0100)

are available in the Git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/nss
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/nss

Kai Kang (1):
  nss: fix non-determinism when create blank certificate

 meta/recipes-support/nss/nss/blank-cert9.db    | Bin 0 -> 28672 bytes
 meta/recipes-support/nss/nss/blank-key4.db     | Bin 0 -> 36864 bytes
 meta/recipes-support/nss/nss/system-pkcs11.txt |   5 +++++
 meta/recipes-support/nss/nss_3.38.bb           |  16 ++++++++--------
 4 files changed, 13 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-support/nss/nss/blank-cert9.db
 create mode 100644 meta/recipes-support/nss/nss/blank-key4.db
 create mode 100644 meta/recipes-support/nss/nss/system-pkcs11.txt

--
2.18.0

More information about the Openembedded-core mailing list