From: <kai.kang@windriver.com>
To: <richard.purdie@linuxfoundation.org>
Cc: openembedded-core@lists.openembedded.org
Subject: [PATCH 0/1] nss: fix non-determinism when create blank certificate
Date: Thu, 11 Oct 2018 22:24:16 +0800
Message-ID: <cover.1539267480.git.kai.kang@windriver.com>
From: Kai Kang <kai.kang@windriver.com>
Tested on qemux86-64, qemuarm, qemumips64 and qemuppc:
1. bitbake core-image-sato
2. boot image
3. run some certutil commands to list, create and delete certificates, and they work well
root@qemuppc:~# certutil -L -d /etc/pki/nssdb/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
root@qemuppc:~# certutil -U -d sql:/etc/pki/nssdb/
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
root@qemuppc:~# certutil -K -d sql:/etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found
root@qemuppc:~# certutil -S -d sql:/etc/pki/nssdb/ -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
...
root@qemuppc:~# certutil -L -d /etc/pki/nssdb/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
my-ca-cert Cu,Cu,Cu
root@qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa df1dfdd0f643f7821daea44ea4f3a2125db4e2b3 NSS Certificate DB:my-ca-cert
root@qemuppc:~# certutil -D -d sql:/etc/pki/nssdb/ -n "my-ca-cert"
root@qemuppc:~# certutil -L -d /etc/pki/nssdb/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
root@qemuppc:~# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa df1dfdd0f643f7821daea44ea4f3a2125db4e2b3 (orphan)
root@qemuppc:~#
The following changes since commit 8a2e53b525ebc4f50c7384af056cbe67a3913282:
libxml2: Make it compatible with externalsrc (2018-10-10 17:59:09 +0100)
are available in the Git repository at:
git://git.pokylinux.org/poky-contrib kangkai/nss
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/nss
Kai Kang (1):
nss: fix non-determinism when create blank certificate
meta/recipes-support/nss/nss/blank-cert9.db | Bin 0 -> 28672 bytes
meta/recipes-support/nss/nss/blank-key4.db | Bin 0 -> 36864 bytes
meta/recipes-support/nss/nss/system-pkcs11.txt | 5 +++++
meta/recipes-support/nss/nss_3.38.bb | 16 ++++++++--------
4 files changed, 13 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-support/nss/nss/blank-cert9.db
create mode 100644 meta/recipes-support/nss/nss/blank-key4.db
create mode 100644 meta/recipes-support/nss/nss/system-pkcs11.txt
--
2.18.0