Implement software integrity check of the softoken using DSA

RESOLVED FIXED in 3.8

Status

NSS
Libraries
P1
enhancement
RESOLVED FIXED
15 years ago
14 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Robert Relyea)

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

15 years ago
We need to implement a software integrity check of
the softoken using DSA.

Here is my proposal.

1. Write a tool that generates a DSA key pair and
generates a signature.

2. During the build, we invoke the tool on the
softoken after it is built.  Store the public key
and the signature in a file.  Discard the private
key.

3. Distribute the public key/signature file with
the softoken.  The public key/signature file must
be installed in the same directory as the softoken.

4. The software integrity check of the softoken
uses platform-dependent techniques to discover its
installation directory.  It then reads itself (as
a file) and the public key/signature file to verify
the signature.
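
The four steps proposed above, as an added Python example that is not part of this bug report or of NSS: the build signs the library and writes the public key and signature beside it, and the load-time check re-reads both files and verifies. Assumptions: the function names, the JSON layout and the `<library>.chk` naming are hypothetical, the 160/512-bit parameter sizes are chosen for the demonstration, pure-Python DSA stands in for the real crypto library, and the caller passes the library path instead of discovering it with platform-dependent code.

```python
import hashlib, json, secrets

def is_prime(n, rounds=24):  # Miller-Rabin; callers pass odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, s)):
            return False
    return True

def keygen(qbits=160, pbits=512):  # step 1; sizes are demo assumptions
    q = p = 9  # composite start value so both search loops run
    while not is_prime(q):
        q = secrets.randbits(qbits) | 1 << (qbits - 1) | 1
    while not is_prime(p) or pow(2, (p - 1) // q, p) == 1:
        p = q * 2 * (secrets.randbits(pbits - qbits - 1) | 1 << (pbits - qbits - 2)) + 1
    g, x = pow(2, (p - 1) // q, p), secrets.randbelow(q - 1) + 1
    return [p, q, g, pow(g, x, p)], x  # public (p, q, g, y), private x

def z(data):  # leftmost 160 bits of SHA-256, as an integer
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")

def sign(pub, x, data):
    p, q, g, _ = pub
    r = s = 0
    while r == 0 or s == 0:  # retry the degenerate case
        k = secrets.randbelow(q - 1) + 1  # fresh secret nonce per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z(data) + x * r) % q
    return [r, s]

def verify(pub, data, sig):
    (p, q, g, y), (r, s) = pub, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, z(data) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def write_chk(lib):  # steps 2-3: run at build time; x is never stored
    pub, x = keygen()
    with open(lib, "rb") as f, open(lib + ".chk", "w") as c:
        json.dump({"pub": pub, "sig": sign(pub, x, f.read())}, c)

def self_check(lib):  # step 4: re-read the library and its .chk file
    with open(lib, "rb") as f, open(lib + ".chk") as c:
        chk = json.load(c)
        return verify(chk["pub"], f.read(), chk["sig"])
```

Because the public key ships in the same file as the signature, a passing check shows the library matches what the build signed; it does not stop someone who can replace both the library and its .chk file.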
(Reporter)

Updated

15 years ago
Priority: -- → P1
Target Milestone: --- → 3.7
Version: 3.5 → 3.2.2
(Reporter)

Updated

15 years ago
Severity: normal → enhancement
(Reporter)

Comment 1

15 years ago
Moved to target milestone 3.8 because the original
NSS 3.7 release has been renamed 3.8.
Target Milestone: 3.7 → 3.8
(Reporter)

Updated

14 years ago
Depends on: 189332
(Reporter)

Comment 2

14 years ago
Created attachment 113076
Add freebl_GetLibraryFilePathname to libfreebl.a temporarily

This patch adds freebl_GetLibraryFilePathname to libfreebl.a
temporarily.  The new function is defined in the new file
mozilla/security/nss/lib/freebl/libpath.c and has the same
semantics as the NSPR 4.3 function PR_GetLibraryFilePathname.
This patch should be backed out when NSPR 4.3 is released.
(Reporter)

Comment 3

14 years ago
Created attachment 113078
Add freebl_GetLibraryFilePathname to libfreebl.a temporarily, v2

Use __LP64__ instead of __LP64 on HP-UX.
Attachment #113076 - Attachment is obsolete: true
(Reporter)

Comment 4

14 years ago
Created attachment 113658
Include the *.chk files in mdbinary.jar

The *.chk files need to be included in our binary distributions.
(Reporter)

Comment 5

14 years ago
I got this error once:

./Linux2.4_x86_glibc_PTH_DBG.OBJ/shlibsign -v -i ../../../../dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/lib/libsoftokn3.so
Generating DSA Key Pair....Generating PQG Params: An I/O error occurred during security authorization.
(Reporter)

Comment 6

14 years ago
Created attachment 113696
Include the *.chk files in mdbinary.jar, v2

The previous patch doesn't work if mozilla/dist/$(OBJDIR)/lib/*.chk
are not symbolic links.

The changes to cmd/shlibsign/Makefile are good changes in general
because they put all the configuration/assignments before the
rules, which is the right order.  The change to
cmd/shlibsign/manifest.mn is what causes the *.chk files to be
included in mdbinary.jar.  It requires that CHECKLOC be defined
before coreconf/rules.mk is included in Makefile, which is why
I put the configuration/assignments and rules in the right order.
Attachment #113658 - Attachment is obsolete: true
(Assignee)

Comment 7

14 years ago
Code is checked in and running.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED