Closed Bug 807890 Opened 13 years ago Closed 13 years ago

Add support for Microsoft Trust List Signing EKU

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.14.2

People

(Reporter: elio.maldonado.batiz, Assigned: elio.maldonado.batiz)

References

Details

Attachments

(5 files, 2 obsolete files)

Adds secure boot support: ms extended key usage oid for code signing
8.58 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review
Support Microsoft Trust List Signing EKU
8.67 KB, patch
wtc
: review+
Details | Diff | Splinter Review
The patch as it was applied
9.33 KB, patch
Details | Diff | Splinter Review
Use consistent terms, and fix certutil usage etc.
5.69 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review
Don't need to include both secoid.h and secoidt.h
558 bytes, patch
elio.maldonado.batiz
: review+
Details | Diff | Splinter Review
NSS lacks support for Secure Boot in the libraries and tools. This problem was identified and brought to our attention by Peter Jones, one of the developers working on Secure Boot support for fedora. In his message Peter states that "One of the things needed for SB is certificates generated with a specific extended key usage" field that currently isn't supported by certutil." The Fedora Secure Boot project page is https://fedoraproject.org/wiki/Secureboot You also find the blog at http://mjg59.dreamwidth.org/12368.html worth reading. Under guidance from Bob Relyea I have worked on modifications of Peter Jones original submission to adapt them for nss-3.14 and is done in a way where we don't break API. I will attach some patches as soon they get approval in fedora.
Replace API with ABI in the previous statement.
Attachment #681254 - Flags: review?(rrelyea)
Comment on attachment 681254 [details] [diff] [review] secure boot support - ms extended key usage oid for code signing r- Get rid of the NO_SECURE_BOOT_SUPPORT_IN_NSS_UTIL define... What was done in fedora is irrelevant for upstream here. szOID_KP_CTL_USAGE_SIGNING should be called SECOID_KP_CTL_USAGE_SIGNING Don't add the oid as dynamic in moreoids.c What was done in fedora is irrelevant for upstream here. When you update NSS you can simply drop the fedora patches.
Attachment #681254 - Flags: review?(rrelyea) → review-
Assignee: nobody → emaldona
Attachment #681254 - Attachment is obsolete: true
Attachment #683325 - Flags: review?(rrelyea)
Attachment #683325 - Attachment is obsolete: true
Attachment #683325 - Flags: review?(rrelyea)
Attachment #683327 - Flags: review?(rrelyea)
Comment on attachment 683327 [details] [diff] [review] Adds secure boot support: ms extended key usage oid for code signing r+ rrelyea
Attachment #683327 - Flags: review?(rrelyea) → review+
Comment on attachment 683327 [details] [diff] [review] Adds secure boot support: ms extended key usage oid for code signing >+ OD( msExtendedKeyUsageCodeSigning, >+ SEC_OID_KP_CTL_USAGE_SIGNING, >+ "Microsoft Authenticode Code Signing", >+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ) Please come up with a better name than EC_OID_KP_CTL_USAGE_SIGNING. The "KP_CTL" part makes no sense to me, and the "SIGNING" part does not clarify it is code signing, as opposed to, for example, cert signing, CRL signing, OCSP signing, etc.
Wan-Teh: This matches Microsoft's naming for the variable, which I think is compelling, given that the OID variable names tend to follow their vendor-assigned names. See http://support.microsoft.com/kb/287547 for the list of Microsoft OIDs. That said, I do think the OID should have a "Microsoft" name in it, much like other variables have NIST/PKIX/ns/ansi/secg/ev/etc SEC_OID_MS_KP_CTL_USAGE_SIGNING perhaps.
The original https://bugzilla.redhat.com/attachment.cgi?id=634839 had this + /* Microsoft Authenticode OIDs */ + /* using the terrible microsoft name here... */ <------------- + szOID_KP_CTL_USAGE_SIGNING = 314, Perhaps I should have left Peter's editorial remarks :-)
(In reply to Wan-Teh Chang from comment #7) > Please come up with a better name than EC_OID_KP_CTL_USAGE_SIGNING. > The "KP_CTL" part makes no sense to me, and the "SIGNING" part It's "Key Purpose Certificate Trust List", I think. AFAICT the patch mixes up two different OID arcs: 1.3.6.1.4.1.311.10 Crypto 2.0 1.3.6.1.4.1.311.2 Authenticode The patch obviously wants to add a key purpose from the former arc, but the text description and the comment refer to "Authenticode" (which is obsolete stuff). In the Windows GUI, the 1.3.6.1.4.1.311.10.3.1 EKU is shown as "Microsoft Trust List Signing".
Thanks for all the comments. I also looked into this before reading your comments. I think the new OID tag name must contain _MS_, as Ryan suggested. If this OID is only used in the Microsoft Windows "ecosystem", I also think it can be helpful for the OID tag name to be similar to szOID_KP_CTL_USAGE_SIGNING. The "KP" part that I couldn't figure out can be explained with a comment like "KP stands for Key Purpose". NSS already has several OID tags named SEC_OID_EXT_KEY_USAGE_xxx: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/secoidt.h&rev=1.36&mark=204-208#204 so SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING would also be a good OID tag.
Status: NEW → ASSIGNED
OS: Linux → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → 3.14.2
Version: 3.14.1 → trunk
Changing the summary to more accurately reflect what the bug is really about.
Summary: Add support for Secure Boot → Add support for Microsoft Trust List Signing EKU
Changed the OID naming and added comments as follows: $ interdiff ~/Downloads/secureboot.patch MicrosoftTrustListSigningEKU.patch diff -u ./mozilla/security/nss/lib/util/secoidt.h ./mozilla/security/nss/lib/util/secoidt.h --- ./mozilla/security/nss/lib/util/secoidt.h 19 Nov 2012 23:07:13 -0000 +++ ./mozilla/security/nss/lib/util/secoidt.h 18 Dec 2012 18:51:50 -0000 @@ -436,8 +436,11 @@ SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST = 314, SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST = 315, - /* Microsoft Authenticode oid */ - SEC_OID_KP_CTL_USAGE_SIGNING = 316, + /* Microsoft Trust List Signing + * szOID_KP_CTL_USAGE_SIGNING + * where KP stands for Key Purpose + */ + SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316, SEC_OID_TOTAL } SECOidTag;
Attachment #693511 - Flags: review?(wtc)
Attachment #693511 - Attachment description: Suuport Microsoft Trust List Signing EKU → Support Microsoft Trust List Signing EKU
Comment on attachment 693511 [details] [diff] [review] Support Microsoft Trust List Signing EKU Review of attachment 693511 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc. I only reviewed lib/util/{secoidt.h,secoid.c}. I assume Bob already reviewed the rest of the patch. ::: ./mozilla/security/nss/lib/util/secoid.c @@ +1644,5 @@ > "DSA with SHA-256 Signature", > + CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION), > + OD( msExtendedKeyUsageCodeSigning, > + SEC_OID_KP_CTL_USAGE_SIGNING, > + "Microsoft Authenticode Code Signing", Should we also change this string to "Microsoft Trust List Signing"?
Attachment #693511 - Flags: review?(wtc) → review+
(In reply to Wan-Teh Chang from comment #14) > > r=wtc. I only reviewed lib/util/{secoidt.h,secoid.c}. I assume > Bob already reviewed the rest of the patch. That's correct, Bob did and he gave it an r+. > > ::: ./mozilla/security/nss/lib/util/secoid.c > @@ +1644,5 @@ > > "DSA with SHA-256 Signature", > > + CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION), > > + OD( msExtendedKeyUsageCodeSigning, > > + SEC_OID_KP_CTL_USAGE_SIGNING, > > + "Microsoft Authenticode Code Signing", > > Should we also change this string to "Microsoft Trust List Signing"? Yes, we should. I'll make this change and check it in.
Find two other files that needed changes. $ interdiff ~/Downloads/secureboot.patch MicrosoftTrustListSigningEKU.patch diff -u ./mozilla/security/nss/cmd/certutil/certext.c ./mozilla/security/nss/cmd/certutil/certext.c --- ./mozilla/security/nss/cmd/certutil/certext.c 19 Nov 2012 23:07:12 -0000 +++ ./mozilla/security/nss/cmd/certutil/certext.c 19 Dec 2012 02:00:17 -0000 @@ -556,7 +556,7 @@ rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED); break; case 7: - rv = AddOidToSequence(os, SEC_OID_KP_CTL_USAGE_SIGNING); + rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING); break; default: goto endloop; diff -u ./mozilla/security/nss/lib/util/secoid.c ./mozilla/security/nss/lib/util/secoid.c --- ./mozilla/security/nss/lib/util/secoid.c 19 Nov 2012 23:07:13 -0000 +++ ./mozilla/security/nss/lib/util/secoid.c 19 Dec 2012 02:00:17 -0000 @@ -1644,8 +1644,8 @@ "DSA with SHA-256 Signature", CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION), OD( msExtendedKeyUsageCodeSigning, - SEC_OID_KP_CTL_USAGE_SIGNING, - "Microsoft Authenticode Code Signing", + SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING, + "Microsoft Trust List Signing", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ) }; diff -u ./mozilla/security/nss/lib/util/secoidt.h ./mozilla/security/nss/lib/util/secoidt.h --- ./mozilla/security/nss/lib/util/secoidt.h 19 Nov 2012 23:07:13 -0000 +++ ./mozilla/security/nss/lib/util/secoidt.h 19 Dec 2012 02:00:17 -0000 @@ -436,8 +436,11 @@ SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST = 314, SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST = 315, - /* Microsoft Authenticode oid */ - SEC_OID_KP_CTL_USAGE_SIGNING = 316, + /* Microsoft Trust List Signing + * szOID_KP_CTL_USAGE_SIGNING + * where KP stands for Key Purpose + */ + SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316, SEC_OID_TOTAL } SECOidTag;
Actually one file, certext.c, and an extra line on secoid.c.
Changes committed to the trunk for 3.14.2: Checking in mozilla/security/nss/cmd/certcgi/ca_form.html; /cvsroot/mozilla/security/nss/cmd/certcgi/ca_form.html,v <-- ca_form.html new revision: 1.5; previous revision: 1.4 done Checking in mozilla/security/nss/cmd/certcgi/certcgi.c; /cvsroot/mozilla/security/nss/cmd/certcgi/certcgi.c,v <-- certcgi.c new revision: 1.23; previous revision: 1.22 done Checking in mozilla/security/nss/cmd/certcgi/stnd_ext_form.html; /cvsroot/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html,v <-- stnd_ext_form.html new revision: 1.5; previous revision: 1.4 done Checking in mozilla/security/nss/cmd/certutil/certext.c; /cvsroot/mozilla/security/nss/cmd/certutil/certext.c,v <-- certext.c new revision: 1.13; previous revision: 1.12 done Checking in mozilla/security/nss/cmd/certutil/certutil.c; /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c new revision: 1.163; previous revision: 1.162 done Checking in mozilla/security/nss/cmd/lib/moreoids.c; /cvsroot/mozilla/security/nss/cmd/lib/moreoids.c,v <-- moreoids.c new revision: 1.4; previous revision: 1.3 done Checking in mozilla/security/nss/cmd/lib/secutil.h; /cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v <-- secutil.h new revision: 1.51; previous revision: 1.50 done Checking in mozilla/security/nss/lib/util/secoid.c; /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.68; previous revision: 1.67 done Checking in mozilla/security/nss/lib/util/secoidt.h; /cvsroot/mozilla/security/nss/lib/util/secoidt.h,v <-- secoidt.h new revision: 1.37; previous revision: 1.36
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
The patch from attachment 693708 [details] [diff] [review] is now using confusing terms, IMO. Code signing and trust list signing are different things (and a CTL isn't really code in the classic sense, cf. http://msdn.microsoft.com/en-us/library/windows/desktop/aa376545%28v=vs.85%29.aspx). I suggest to apply this additional patch - note that in addition to the naming fixes, it also addresses a bug in certcgi.c and shortcomings in certext.c and certutil.c.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #693907 - Flags: review?(rrelyea)
Attachment #693907 - Flags: review?(wtc)
Comment on attachment 693907 [details] [diff] [review] Use consistent terms, and fix certutil usage etc. r+ rrelyea
Attachment #693907 - Flags: review?(rrelyea) → review+
Additional changes committed to the truck for 3.12.4: Checking in ca_form.html; /cvsroot/mozilla/security/nss/cmd/certcgi/ca_form.html,v <-- ca_form.html new revision: 1.6; previous revision: 1.5 done Checking in certcgi.c; /cvsroot/mozilla/security/nss/cmd/certcgi/certcgi.c,v <-- certcgi.c new revision: 1.24; previous revision: 1.23 done Checking in stnd_ext_form.html; /cvsroot/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html,v <-- stnd_ext_form.html new revision: 1.6; previous revision: 1.5 done Checking in certext.c; /cvsroot/mozilla/security/nss/cmd/certutil/certext.c,v <-- certext.c new revision: 1.14; previous revision: 1.13 done Checking in certutil.c; /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c new revision: 1.164; previous revision: 1.163 done Checking in secoid.c; /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.69; previous revision: 1.68 done
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
Many NSS headers follow the convention that xxx.h includes xxxt.h and xxxt.h defines the types while xxx.h declares the functions. So it is not necessary to include both secoid.h and secoidt.h. Patch checked in on the NSS trunk (NSS 3.14.2). Checking in secoid.c; /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.70; previous revision: 1.69 done
Attachment #695285 - Flags: review?(emaldona)
Attachment #695285 - Flags: review?(emaldona) → review+
Attachment #693907 - Flags: review?(wtc)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: