[SVN-Commit] r1157 - in trunk: security/nss/files www/firefox-nightly
Sat Feb 2 18:09:23 UTC 2013
Author: jbeich
Date: Sat Feb 2 18:09:16 2013
New Revision: 1157
Log:
apply a workaround to build Nightly with system nss
Added:
trunk/security/nss/files/patch-bug834091
Modified:
trunk/www/firefox-nightly/Makefile
Added: trunk/security/nss/files/patch-bug834091
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/security/nss/files/patch-bug834091 Sat Feb 2 18:09:16 2013 (r1157)
@@ -0,0 +1,150 @@
+commit 8d8975b
+Author: Carmen Jiménez Cabezas <macajc at gmail.com>
+Date: Fri Jan 25 15:36:36 2013 -0800
+
+ Bug 834091: Verify certificate chain for signed B2G apps as of the current time (now) instead of the signing time, r=bsmith
+
+ --HG--
+ extra : amend_source : 86d8ca2b28259aaf41983740b809ef8a51befc4f
+ extra : rebase_source : e5a1c1199756e929f14852f5c83ba28d097449f4
+---
+ .../manager/ssl/src/JARSignatureVerification.cpp | 6 +-
+ security/nss/lib/pkcs7/p7decode.c | 41 +++-
+ security/nss/lib/pkcs7/secpkcs7.h | 17 ++
+ security/nss/lib/smime/smime.def | 6 +
+ security/patches/README | 4 +
+ security/patches/bug-834091.patch | 216 +++++++++++++++++++++
+ 6 files changed, 281 insertions(+), 9 deletions(-)
+
+diff --git lib/pkcs7/p7decode.c lib/pkcs7/p7decode.c
+index d0d02d7..dc3339a 100644
+--- lib/pkcs7/p7decode.c
++++ lib/pkcs7/p7decode.c
+@@ -1281,7 +1281,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+ SECCertUsage certusage,
+ const SECItem *detached_digest,
+ HASH_HashType digest_type,
+- PRBool keepcerts)
++ PRBool keepcerts,
++ PRTime atTime)
+ {
+ SECAlgorithmID **digestalgs, *bulkid;
+ const SECItem *digest;
+@@ -1299,7 +1300,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+ SECItem *content_type;
+ PK11SymKey *sigkey;
+ SECItem *encoded_stime;
+- int64 stime;
++ PRTime stime;
++ PRTime verificationTime;
+ SECStatus rv;
+
+ /*
+@@ -1436,8 +1438,10 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+ * in a time (and for non-S/MIME callers to pass in nothing, or
+ * maybe make them pass in the current time, always?).
+ */
++ verificationTime = atTime ? atTime
++ : (encoded_stime ? stime : PR_Now());
+ if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
+- encoded_stime != NULL ? stime : PR_Now(),
++ verificationTime,
+ cinfo->pwfn_arg, NULL) != SECSuccess)
+ {
+ /*
+@@ -1757,7 +1761,7 @@ SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+ PRBool keepcerts)
+ {
+ return sec_pkcs7_verify_signature (cinfo, certusage,
+- NULL, HASH_AlgNULL, keepcerts);
++ NULL, HASH_AlgNULL, keepcerts, 0);
+ }
+
+ /*
+@@ -1779,9 +1783,34 @@ SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+ {
+ return sec_pkcs7_verify_signature (cinfo, certusage,
+ detached_digest, digest_type,
+- keepcerts);
++ keepcerts, 0);
+ }
+
++/*
++ * SEC_PKCS7VerifyDetachedSignatureAtTime
++ * Look at a PKCS7 contentInfo and check if the signature matches
++ * a passed-in digest (calculated, supposedly, from detached contents).
++ * The verification checks that the signing cert is valid and trusted
++ * for the purpose specified by "certusage" at time "atTime"
++ * if "atTime" is non-zero, or at the current time (as returned by
++ * PR_Now) otherwise.
++ */
++PRBool
++SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
++ SECCertUsage certusage,
++ const SECItem *detached_digest,
++ HASH_HashType digest_type,
++ PRBool keepcerts,
++ PRTime atTime)
++{
++ if (!atTime) {
++ atTime = PR_Now();
++ }
++
++ return sec_pkcs7_verify_signature (cinfo, certusage,
++ detached_digest, digest_type,
++ keepcerts, atTime);
++}
+
+ /*
+ * Return the asked-for portion of the name of the signer of a PKCS7
+@@ -1844,7 +1873,7 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
+ * some valid usage to pass in.
+ */
+ (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
+- NULL, HASH_AlgNULL, PR_FALSE);
++ NULL, HASH_AlgNULL, PR_FALSE, 0);
+ signercert = signerinfos[0]->cert;
+ if (signercert == NULL)
+ return NULL;
+diff --git lib/pkcs7/secpkcs7.h lib/pkcs7/secpkcs7.h
+index a50f5ae..d1dd7b9 100644
+--- lib/pkcs7/secpkcs7.h
++++ lib/pkcs7/secpkcs7.h
+@@ -133,6 +133,23 @@ extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+ HASH_HashType digest_type,
+ PRBool keepcerts);
+
++
++/*
++ * SEC_PKCS7VerifyDetachedSignatureAtTime
++ * Look at a PKCS7 contentInfo and check if the signature matches
++ * a passed-in digest (calculated, supposedly, from detached contents).
++ * The verification checks that the signing cert is valid and trusted
++ * for the purpose specified by "certusage" at time "atTime"
++ * if "atTime" is non-zero, or at the current time (as returned by
++ * PR_Now) otherwise.
++ */
++extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
++ SECCertUsage certusage,
++ const SECItem *detached_digest,
++ HASH_HashType digest_type,
++ PRBool keepcerts,
++ PRTime atTime);
++
+ /*
+ * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
+ * The passed-in contentInfo is espected to be Signed, and these
+diff --git lib/smime/smime.def lib/smime/smime.def
+index 623eaa4..b205d1c 100644
+--- lib/smime/smime.def
++++ lib/smime/smime.def
+@@ -267,3 +267,9 @@ NSSSMIME_GetVersion;
+ ;+ local:
+ ;+ *;
+ ;+};
++;+NSS_3.14.2 { # NSS 3.14.2 release
++;+ global:
++SEC_PKCS7VerifyDetachedSignatureAtTime;
++;+ local:
++;+ *;
++;+};
Modified: trunk/www/firefox-nightly/Makefile
==============================================================================
--- trunk/www/firefox-nightly/Makefile Sat Feb 2 13:13:23 2013 (r1156)
+++ trunk/www/firefox-nightly/Makefile Sat Feb 2 18:09:16 2013 (r1157)
@@ -14,18 +14,18 @@
COMMENT= Web browser based on the browser portion of Mozilla
BUILD_DEPENDS= nspr>=4.9.4:${PORTSDIR}/devel/nspr \
+ nss>=3.14.2:${PORTSDIR}/security/nss \
sqlite3>=3.7.14.1:${PORTSDIR}/databases/sqlite3 \
${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 \
cairo>=1.10.2_1,1:${PORTSDIR}/graphics/cairo \
unzip:${PORTSDIR}/archivers/unzip
-# bug808224 nss>=3.14.2:${PORTSDIR}/security/nss \
USE_AUTOTOOLS= autoconf213:env
USE_PYTHON_BUILD=2.7
OBJDIR_BUILD= # in-tree build broken after bug 789837
USE_GECKO= gecko
MOZ_PKGCONFIG_FILES= # empty
-USE_MOZILLA= -nss
+USE_MOZILLA= # empty
MOZILLA_NAME= Nightly
MOZILLA_SUFX= -nightly
MOZILLA= ${PORTNAME}${MOZILLA_SUFX}
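Review bot: `nss>=3.14.2` in BUILD_DEPENDS does not express the real requirement, which is an NSS built with the patch-bug834091 added in this same commit; an already-installed security/nss 3.14.2 package that lacks `SEC_PKCS7VerifyDetachedSignatureAtTime` satisfies the version check and the Nightly build would then presumably fail on the missing symbol. Nothing in the commit's Modified list touches security/nss/Makefile, so unless PORTREVISION is bumped elsewhere the floor should be raised to the revision that carries the patch, e.g. `nss>=3.14.2_1:${PORTSDIR}/security/nss`. Dropping `-nss` from USE_MOZILLA presumably lets bsd.gecko.mk add the run-time libnss dependency — verify that it records the same version floor, since BUILD_DEPENDS alone does not constrain which NSS is installed when the browser runs.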