From: <kai.kang@windriver.com>
To: <richard.purdie@linuxfoundation.org>
Cc: openembedded-core@lists.openembedded.org
Subject: [PATCH 0/1] nss: fix non-determinism when create blank certificate
Date: Thu, 11 Oct 2018 22:24:16 +0800
Message-ID: <cover.1539267480.git.kai.kang@windriver.com>

From: Kai Kang <kai.kang@windriver.com>

Tested on qemux86-64, qemuarm, qemumips64 and qemuppc:
1. bitbake core-image-sato
2. Boot the image
3. Run some certutil commands to list, create and delete certificates; they work well

root@qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root@qemuppc:~# certutil -U -d sql:/etc/pki/nssdb/

    slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
root@qemuppc:~# certutil -K -d sql:/etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found

root@qemuppc:~# certutil -S -d sql:/etc/pki/nssdb/ -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
...

root@qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my-ca-cert                                                   Cu,Cu,Cu
root@qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      df1dfdd0f643f7821daea44ea4f3a2125db4e2b3   NSS Certificate DB:my-ca-cert
root@qemuppc:~# certutil -D -d sql:/etc/pki/nssdb/ -n "my-ca-cert"
root@qemuppc:~# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root@qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      df1dfdd0f643f7821daea44ea4f3a2125db4e2b3   (orphan)
root@qemuppc:~#


The following changes since commit 8a2e53b525ebc4f50c7384af056cbe67a3913282:

  libxml2: Make it compatible with externalsrc (2018-10-10 17:59:09 +0100)

are available in the Git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/nss
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/nss

Kai Kang (1):
  nss: fix non-determinism when create blank certificate

 meta/recipes-support/nss/nss/blank-cert9.db    | Bin 0 -> 28672 bytes
 meta/recipes-support/nss/nss/blank-key4.db     | Bin 0 -> 36864 bytes
 meta/recipes-support/nss/nss/system-pkcs11.txt |   5 +++++
 meta/recipes-support/nss/nss_3.38.bb           |  16 ++++++++--------
 4 files changed, 13 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-support/nss/nss/blank-cert9.db
 create mode 100644 meta/recipes-support/nss/nss/blank-key4.db
 create mode 100644 meta/recipes-support/nss/nss/system-pkcs11.txt

--
2.18.0


