Closed
Bug 177387
Opened 23 years ago
Closed 22 years ago
Implement software integrity check of the softoken using DSA
Categories
(NSS :: Libraries, enhancement, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.8
People
(Reporter: wtc, Assigned: rrelyea)
References
Details
Attachments
(2 files, 2 obsolete files)
|
10.01 KB,
patch
|
Details | Diff | Splinter Review | |
|
3.01 KB,
patch
|
Details | Diff | Splinter Review |
We need to implement a software integrity check of
the softoken using DSA.
Here is my proposal.
1. Write a tool that generates a DSA key pair and
generates a signature.
2. During the build, we invoke the tool on the
softoken after it is built. Store the public key
and the signature in a file. Discard the private
key.
3. Distribute the public key/signature file with
the softoken. The public key/signature file must
be installed in the same directory as the softoken.
4. The software integrity check of the softoken
uses platform-dependent techniques to discover its
installation directory. It then reads itself (as
a file) and the public key/signature file to verify
the signature.
|
Reporter | |
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → 3.7
Version: 3.5 → 3.2.2
|
|
Reporter | |
Updated•23 years ago
|
Severity: normal → enhancement
|
|
Reporter | |
Comment 1•22 years ago
|
||
Moved to target milestone 3.8 because the original
NSS 3.7 release has been renamed 3.8.
Target Milestone: 3.7 → 3.8
|
|
Reporter | |
Comment 2•22 years ago
|
||
This patch adds freebl_GetLibraryFilePathname to libfreebl.a
temporarily. The new function is defined in the new file
mozilla/security/nss/lib/freebl/libpath.c and has the same
semantics as the NSPR 4.3 function PR_GetLibraryFilePathname.
This patch should be backed out when NSPR 4.3 is released.
|
|
Reporter | |
Comment 3•22 years ago
|
||
Use __LP64__ instead of __LP64 on HP-UX.
Attachment #113076 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 4•22 years ago
|
||
The *.chk files need to be included in our binary distributions.
|
|
Reporter | |
Comment 5•22 years ago
|
||
I got this error once:
./Linux2.4_x86_glibc_PTH_DBG.OBJ/shlibsign -v -i ../../../../dist/Linux2.4_x86_g
libc_PTH_DBG.OBJ/lib/libsoftokn3.so
Generating DSA Key Pair....Generating PQG Params: An I/O error occurred during s
ecurity authorization.
|
|
Reporter | |
Comment 6•22 years ago
|
||
The previous patch doesn't work if mozilla/dist/$(OBJDIR)/lib/*.chk
are not symbolic links.
The changes to cmd/shlibsign/Makefile are good changes in general
because they put all the configuration/assignments before the
rules, which is the right order. The change to
cmd/shlibsign/manifest.mn is what causes the *.chk files to be
included in mdbinary.jar. It requires that CHECKLOC be defined
before coreconf/rules.mk is included in Makefile, which is why
I put the configuration/assignments and rules in the right order.
Attachment #113658 -
Attachment is obsolete: true
|
Assignee | |
Comment 7•22 years ago
|
||
Code is checked in and Running
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•