Move mozpkix from PSM to NSS

RESOLVED FIXED in Firefox 64

Status

enhancement
P2
normal
RESOLVED FIXED
11 months ago
8 months ago

People

(Reporter: franziskus, Assigned: franziskus)

Tracking

(Blocks 1 bug)

3.38
3.40

Firefox Tracking Flags

(firefox64 fixed)

mozpkix should live in NSS and replace the old pkix libraries.

In this first step the mozpkix code gets moved to NSS and linked statically into Firefox.
Posted file Bug 1479787 - move mozpkix to NSS (obsolete) —
This patch adds mozpkix to NSS and builds it as a static library, which is then used in PSM.
There are two static libs: `mozpkix` and `mozpkix-test`. The latter is needed for PSM gtests.
Currently the static mozpkix libraries are always built with gyp. If we want to build mozpkix only for Firefox, we could do that.
The re-naming of `Time.h` to `PkixTime.h` is necessary because it would conflict with `time.h` on Windows.

I have of course a separate patch for NSS but this gives the entire picture. If there are no fundamental objections, I'll upload the two separate patches for NSS and Firefox.
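The `Time.h` / `time.h` clash mentioned above can be caught before a Windows build does. The following is an added example, not code from the bug or from NSS: a lint that flags project headers whose names match a standard header once case is ignored. It assumes the header sits directly in a directory on the include path; the directory names `before` and `after` and the short standard-header list are constructed for illustration.

```python
"""Flag headers that shadow a standard header on case-insensitive filesystems."""
import os
import tempfile

# Constructed subset of C standard header names; extend for real use.
STANDARD_HEADERS = {"time.h", "string.h", "stdio.h", "stdlib.h", "errno.h",
                    "signal.h", "math.h", "limits.h"}


def find_shadowing_headers(include_dirs, standard=STANDARD_HEADERS):
    """Return sorted (path, shadowed_header) pairs for files directly inside
    include_dirs whose names equal a standard header when case is ignored.

    Only top-level entries are checked, because `#include <time.h>` is
    resolved against each -I directory itself, not its subdirectories.
    Pass project include directories only, not the system ones.
    """
    lowered = {h.lower() for h in standard}
    hits = []
    for inc in include_dirs:
        for name in os.listdir(inc):
            path = os.path.join(inc, name)
            if os.path.isfile(path) and name.lower() in lowered:
                hits.append((path, name.lower()))
    return sorted(hits)


def build_sample_tree(root, names):
    """Create empty header files under root (constructed sample data)."""
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: one include root before the rename, one after.
        build_sample_tree(root, ["before/Time.h", "before/pkix.h",
                                 "after/PkixTime.h", "after/pkix.h"])
        for d in ("before", "after"):
            hits = find_shadowing_headers([os.path.join(root, d)])
            print(d, [(os.path.basename(p), s) for p, s in hits])
```
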
This patch copies mozpkix from mozilla-central to NSS with all its history (thanks to hg convert).
It'll need changes to the NSS repository to get this landed (we don't allow more than one root currently and I have to get someone to allow this new root).
This moves mozpkix to the right locations and builds it as part of NSS.
This patch also uses `std::unique_ptr` everywhere instead of `ScopedPtr`.

Depends on D2719.
Running clang-format on everything to make this pass NSS CI.
Delete mozpkix code from the Firefox repo.

Depends on D2721.
Posted file Bug 1479787 - delete mozpkix (obsolete) —
This patch deletes the mozpkix code from the Firefox repo. 

Depends on D2721

Updated

11 months ago
Attachment #8997440 - Attachment is obsolete: true
Use mozpkix static lib from NSS in Firefox.

Depends on D2722

Updated

11 months ago
Attachment #8996704 - Attachment is obsolete: true
Comment on attachment 8997438 [details]
Bug 1479787 - clang-format

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2721
Attachment #8997438 - Flags: review+
Comment on attachment 8997439 [details]
Bug 1479787 - delete mozpkix

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2722
Attachment #8997439 - Flags: review+
Comment on attachment 8997442 [details]
Bug 1479787 - use NSS mozpkix in Firefox

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2725
Attachment #8997442 - Flags: review+
Comment on attachment 8997436 [details]
Bug 1479787 - build mozpkix as part of NSS

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2720
Attachment #8997436 - Flags: review+
Comment on attachment 8997435 [details]
Bug 1479787 - merge mozpkix from mozilla-central to NSS

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2719
Attachment #8997435 - Flags: review+
Comment on attachment 8997435 [details]
Bug 1479787 - merge mozpkix from mozilla-central to NSS

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D2719
Attachment #8997435 - Flags: review+
Comment on attachment 8997436 [details]
Bug 1479787 - build mozpkix as part of NSS

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D2720
Attachment #8997436 - Flags: review+
Comment on attachment 8997438 [details]
Bug 1479787 - clang-format

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D2721
Attachment #8997438 - Flags: review+
Comment on attachment 8997442 [details]
Bug 1479787 - use NSS mozpkix in Firefox

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D2725
Attachment #8997442 - Flags: review+
Comment on attachment 8997439 [details]
Bug 1479787 - delete mozpkix

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D2722
Attachment #8997439 - Flags: review+
As Mike noticed correctly, the patch in D2725 breaks builds with system NSS.
Since the Firefox build system doesn't allow us to pick things out of the NSS build I introduced a new way to build NSS (`--mozpkix-only`) and use that when building Firefox with system NSS.

Unfortunately this is never tested anywhere so we'll have to wait for distros to pick this up and see what happens.

Depends on D2725.
This patch adds an option to build only mozpkix against the system NSS.
Note that mozpkix includes `<nss/xxx.h>` now as we can't add include directories through gyp to the Firefox build.

Depends on D2720.
Comment on attachment 8998215 [details]
Bug 1479787 - mozpkix-only build

[:keeler] (use needinfo) has approved the revision.

https://phabricator.services.mozilla.com/D2861
Attachment #8998215 - Flags: review+
Comment on attachment 8998215 [details]
Bug 1479787 - mozpkix-only build

Martin Thomson [:mt:] has approved the revision.
Attachment #8998215 - Flags: review+
Comment on attachment 8998213 [details]
Bug 1479787 - build mozpkix when system NSS is used

Martin Thomson [:mt:] has approved the revision.
Attachment #8998213 - Flags: review+
So, I was trying to set up a build on try for Firefox + system NSS, using the in-tree NSS. But... the gyp build system doesn't create nss-config, which breaks --with-system-nss (incidentally, there is no `install` rule either, and the dist directory does not have a hierarchy that would match /usr or /usr/local). I don't feel like using the make build system...
Depends on: 1341222
Un-assigning Franziskus as he's out until October.
Assignee: franziskuskiefer → nobody
Assignee: nobody → franziskuskiefer
This is a combined patch of the m-c changes for moving mozpkix to NSS.
This requires landing NSS tip in m-c first (e.g. python2 client.py update_nss).

* delete mozpkix (D2722)
* use NSS mozpkix in Firefox (D2725)
* build mozpkix when system NSS is used (2860)
Comment on attachment 9013247 [details]
Bug 1479787 - use mozpkix from NSS and delete from m-c

Mike Hommey [:glandium] has approved the revision.
Attachment #9013247 - Flags: review+

Comment 32

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fd2a0cc4b40a
https://hg.mozilla.org/mozilla-central/rev/432a98e50d2b
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED

Comment 33

9 months ago
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/b9846bdfa088
Port bug 1479787 - Use NSS mozpkix instead of pkix (analysis by Rob Lemley). rs=bustage-fix