Author: jbeich
Date: Sat Feb  2 18:09:16 2013
New Revision: 1157

Log:
apply a workaround to build Nightly with system nss

Added:
   trunk/security/nss/files/patch-bug834091
Modified:
   trunk/www/firefox-nightly/Makefile

Added: trunk/security/nss/files/patch-bug834091
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ trunk/security/nss/files/patch-bug834091    Sat Feb  2 18:09:16 2013        
(r1157)
@@ -0,0 +1,150 @@
+commit 8d8975b
+Author: Carmen Jiménez Cabezas <[email protected]>
+Date:   Fri Jan 25 15:36:36 2013 -0800
+
+    Bug 834091: Verify certificate chain for signed B2G apps as of the 
current time (now) instead of the signing time, r=bsmith
+    
+    --HG--
+    extra : amend_source : 86d8ca2b28259aaf41983740b809ef8a51befc4f
+    extra : rebase_source : e5a1c1199756e929f14852f5c83ba28d097449f4
+---
+ .../manager/ssl/src/JARSignatureVerification.cpp   |   6 +-
+ security/nss/lib/pkcs7/p7decode.c                  |  41 +++-
+ security/nss/lib/pkcs7/secpkcs7.h                  |  17 ++
+ security/nss/lib/smime/smime.def                   |   6 +
+ security/patches/README                            |   4 +
+ security/patches/bug-834091.patch                  | 216 +++++++++++++++++++++
+ 6 files changed, 281 insertions(+), 9 deletions(-)
+
+diff --git lib/pkcs7/p7decode.c lib/pkcs7/p7decode.c
+index d0d02d7..dc3339a 100644
+--- lib/pkcs7/p7decode.c
++++ lib/pkcs7/p7decode.c
+@@ -1281,7 +1281,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+                          SECCertUsage certusage,
+                          const SECItem *detached_digest,
+                          HASH_HashType digest_type,
+-                         PRBool keepcerts)
++                         PRBool keepcerts,
++                         PRTime atTime)
+ {
+     SECAlgorithmID **digestalgs, *bulkid;
+     const SECItem *digest;
+@@ -1299,7 +1300,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+     SECItem *content_type;
+     PK11SymKey *sigkey;
+     SECItem *encoded_stime;
+-    int64 stime;
++    PRTime stime;
++    PRTime verificationTime;
+     SECStatus rv;
+ 
+     /*
+@@ -1436,8 +1438,10 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+      * in a time (and for non-S/MIME callers to pass in nothing, or
+      * maybe make them pass in the current time, always?).
+      */
++    verificationTime = atTime ? atTime
++                            : (encoded_stime ? stime : PR_Now());
+     if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
+-                       encoded_stime != NULL ? stime : PR_Now(),
++                       verificationTime,
+                        cinfo->pwfn_arg, NULL) != SECSuccess)
+       {
+       /*
+@@ -1757,7 +1761,7 @@ SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+                        PRBool keepcerts)
+ {
+     return sec_pkcs7_verify_signature (cinfo, certusage,
+-                                     NULL, HASH_AlgNULL, keepcerts);
++                                     NULL, HASH_AlgNULL, keepcerts, 0);
+ }
+ 
+ /*
+@@ -1779,9 +1783,34 @@ SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo 
*cinfo,
+ {
+     return sec_pkcs7_verify_signature (cinfo, certusage,
+                                      detached_digest, digest_type,
+-                                     keepcerts);
++                                     keepcerts, 0);
+ }
+ 
++/*
++ * SEC_PKCS7VerifyDetachedSignatureAtTime
++ *      Look at a PKCS7 contentInfo and check if the signature matches
++ *      a passed-in digest (calculated, supposedly, from detached contents).
++ *      The verification checks that the signing cert is valid and trusted
++ *      for the purpose specified by "certusage" at time "atTime"
++ *      if "atTime" is non-zero, or at the current time (as returned by
++ *      PR_Now) otherwise.
++ */
++PRBool
++SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
++                                     SECCertUsage certusage,
++                                     const SECItem *detached_digest,
++                                     HASH_HashType digest_type,
++                                     PRBool keepcerts,
++                                     PRTime atTime)
++{
++    if (!atTime) {
++      atTime = PR_Now();
++    }
++
++    return sec_pkcs7_verify_signature (cinfo, certusage,
++                                     detached_digest, digest_type,
++                                     keepcerts, atTime);
++}
+ 
+ /*
+  * Return the asked-for portion of the name of the signer of a PKCS7
+@@ -1844,7 +1873,7 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo 
*cinfo, int selector)
+        * some valid usage to pass in.
+        */
+       (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
+-                                         NULL, HASH_AlgNULL, PR_FALSE);
++                                         NULL, HASH_AlgNULL, PR_FALSE, 0);
+       signercert = signerinfos[0]->cert;
+       if (signercert == NULL)
+           return NULL;
+diff --git lib/pkcs7/secpkcs7.h lib/pkcs7/secpkcs7.h
+index a50f5ae..d1dd7b9 100644
+--- lib/pkcs7/secpkcs7.h
++++ lib/pkcs7/secpkcs7.h
+@@ -133,6 +133,23 @@ extern PRBool 
SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+                                              HASH_HashType digest_type,
+                                              PRBool keepcerts);
+ 
++
++/*
++ * SEC_PKCS7VerifyDetachedSignatureAtTime
++ *      Look at a PKCS7 contentInfo and check if the signature matches
++ *      a passed-in digest (calculated, supposedly, from detached contents).
++ *      The verification checks that the signing cert is valid and trusted
++ *      for the purpose specified by "certusage" at time "atTime"
++ *      if "atTime" is non-zero, or at the current time (as returned by
++ *      PR_Now) otherwise.
++ */
++extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo 
*cinfo,
++                                                   SECCertUsage certusage,
++                                                   const SECItem 
*detached_digest,
++                                                   HASH_HashType digest_type,
++                                                   PRBool keepcerts,
++                                                   PRTime atTime);
++
+ /*
+  * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
+  *      The passed-in contentInfo is espected to be Signed, and these
+diff --git lib/smime/smime.def lib/smime/smime.def
+index 623eaa4..b205d1c 100644
+--- lib/smime/smime.def
++++ lib/smime/smime.def
+@@ -267,3 +267,9 @@ NSSSMIME_GetVersion;
+ ;+    local:
+ ;+       *;
+ ;+};
++;+NSS_3.14.2 {    # NSS 3.14.2 release
++;+    global:
++SEC_PKCS7VerifyDetachedSignatureAtTime;
++;+    local:
++;+       *;
++;+};

Modified: trunk/www/firefox-nightly/Makefile
==============================================================================
--- trunk/www/firefox-nightly/Makefile  Sat Feb  2 13:13:23 2013        (r1156)
+++ trunk/www/firefox-nightly/Makefile  Sat Feb  2 18:09:16 2013        (r1157)
@@ -14,18 +14,18 @@
 COMMENT=       Web browser based on the browser portion of Mozilla
 
 BUILD_DEPENDS= nspr>=4.9.4:${PORTSDIR}/devel/nspr \
+               nss>=3.14.2:${PORTSDIR}/security/nss \
                sqlite3>=3.7.14.1:${PORTSDIR}/databases/sqlite3 \
                
${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 \
                cairo>=1.10.2_1,1:${PORTSDIR}/graphics/cairo \
                unzip:${PORTSDIR}/archivers/unzip
-# bug808224    nss>=3.14.2:${PORTSDIR}/security/nss \
 
 USE_AUTOTOOLS= autoconf213:env
 USE_PYTHON_BUILD=2.7
 OBJDIR_BUILD=  # in-tree build broken after bug 789837
 USE_GECKO=     gecko
 MOZ_PKGCONFIG_FILES=   # empty
-USE_MOZILLA=   -nss
+USE_MOZILLA=   # empty
 MOZILLA_NAME=  Nightly
 MOZILLA_SUFX=  -nightly
 MOZILLA=       ${PORTNAME}${MOZILLA_SUFX}
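Review bot: The new `nss>=3.14.2:${PORTSDIR}/security/nss` BUILD_DEPENDS line does not express that the build needs the `SEC_PKCS7VerifyDetachedSignatureAtTime` symbol that patch-bug834091 (added in this same commit) exports from libsmime; a stock nss 3.14.2 package installed before that patch satisfies the dependency check yet presumably fails at link time. If security/nss gets a PORTREVISION bump for the new patch, the dependency should name it, e.g. `nss>=3.14.2_<NSS_PORTREVISION>:${PORTSDIR}/security/nss` with the real revision filled in; the diffstat shows no change to security/nss/Makefile here, so that bump is either elsewhere or missing. Whether the patched nss is also required at run time depends on what USE_GECKO / the gecko framework adds, which is outside this hunk.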