How to Patch the nss package

We patch the nss packages to insert the local CAs, i.e. the ones that aren't signed by any globally recognised certification authority. If we don't do this, Firefox flashes up a scary-looking security warning whenever it encounters a certificate issued by one of those local CAs, which we don't want.

This is roughly what happens. When a new version of the nss packages appears in the OS updates:

  • take a note of the version number.
  • get the source RPM for that RPM and install it.
  • Make these changes to the spec file:
    Change the release number
    Add e.g. '.inf.1' to the RPM's release number to reflect the local modification you're doing.
    addbuiltin
    The 'addbuiltin' tool (shipped in the locally built nss-tools package) will be needed to compile the local nss package. We get this from a previous version of the locally hacked nss package that we already have lying around, so require one. For example:
         # we need the following because redhat don't ship addbuiltin
         # so we need to have a version of nss with addbuiltin installed
         BuildRequires:    nss-tools = 3.12.6-1.el5.inf.2
         BuildRequires:    nss = 3.12.6-1.el5.inf.2
    EUCS Certificate
    Add the EUCS Certificate RPM:
         # This RPM contains the EUCS CA
         BuildRequires:    eucs-sslcerts
    Extract the DER certificates
    Add the following magic to the %build section after the declaration of variables but before any 'make' lines. This takes all the _CA.pem files in /etc/pki/tls/certs, converts each to DER and adds it to a datafile (certdata.txt) in the nss source:
         for I in /etc/pki/tls/certs/*_CA.pem ; do
           if [ -r "$I" ]; then
             basename=`basename $I '.pem'`
             /usr/bin/openssl x509 -in $I -out $basename.DER -outform DER
             /usr/bin/addbuiltin  -n $basename -t "C,C,C" < ./$basename.DER >>./mozilla/security/nss/lib/ckfw/builtins/certdata.txt
           fi
         done
    Build the CAs into the source
    Add these lines just below the last lot of magic to take the datafiles and generate C from them:
         # Build CAs into the source
         pushd ./mozilla/security/nss/lib/ckfw/builtins
         gmake generate
         popd
    Install 'addbuiltin'
    Add 'addbuiltin' to the list of binaries to be installed into $RPM_BUILD_ROOT/%{_bindir}; this list can be found in the %install section of the spec file.
  • Install the previous local version of the 'nss' packages, if it's not installed already.
  • Upgrade manually to the new version of the 'nspr' packages. This should have been released at the same time as the new 'nss' packages that you're modifying.
  • Build the RPM.
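The certificate-extraction step above grants every matching file full CA trust ("C,C,C") without checking what it is, and silently produces a package with no local CAs if the glob matches nothing. The following is an added example (not from the original page or the local spec file) of the same loop with those two checks; the directory and certdata.txt path are parameters, the CA:TRUE test via openssl's text output is an assumption of this example, and openssl and addbuiltin are expected on PATH when it runs inside %build.

```shell
# Added example: hardened form of the %build certificate loop.
# Assumptions (not in the original spec): CA_DIR and CERTDATA are passed as
# arguments; openssl and addbuiltin are on PATH at build time.

# Succeed only if $1 is a CA certificate (X509v3 Basic Constraints CA:TRUE),
# so that a leaf or server cert dropped in the directory is never given C,C,C.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Derive the addbuiltin nickname from the file name: /x/EUCS_CA.pem -> EUCS_CA
nickname_for() {
  basename "$1" .pem
}

# add_local_cas CA_DIR CERTDATA
# Convert each *_CA.pem to DER and append it to certdata.txt with addbuiltin.
# Returns non-zero if nothing was added, so the RPM build fails instead of
# quietly shipping an nss without the local CAs.
add_local_cas() {
  ca_dir=$1; certdata=$2; added=0
  for pem in "$ca_dir"/*_CA.pem; do
    [ -r "$pem" ] || continue            # unmatched glob or unreadable file
    if ! is_ca_cert "$pem"; then
      echo "skipping $pem: not a CA certificate" >&2
      continue
    fi
    nick=$(nickname_for "$pem")
    openssl x509 -in "$pem" -out "./$nick.DER" -outform DER || return 1
    addbuiltin -n "$nick" -t "C,C,C" < "./$nick.DER" >> "$certdata" || return 1
    added=$((added + 1))
  done
  if [ "$added" -eq 0 ]; then
    echo "no usable *_CA.pem found in $ca_dir" >&2
    return 1
  fi
  echo "added $added CA(s) to $certdata"
}

# Usage inside %build (replaces the original loop):
# add_local_cas /etc/pki/tls/certs ./mozilla/security/nss/lib/ckfw/builtins/certdata.txt
```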

Here are the relevant bits from the nss 3.12.7 spec file to give you the idea. The local changes and additions are the '.inf.1' suffix on the Release line, the commented BuildRequires lines for nss-tools, nss, eucs-sslcerts and openssl, the certificate-extraction loop and 'gmake generate' step in %build, and 'addbuiltin' in the %install list of binaries. At the top of the spec file:

Summary:          Network Security Services
Name:             nss
Version:          3.12.7
Release:          2.el5.inf.1
License:          MPLv1.1 or GPLv2+ or LGPLv2+
URL:              http://www.mozilla.org/projects/security/pki/nss/
Group:            System Environment/Libraries
Requires:         nspr >= %{nspr_version}
BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires:    nspr-devel >= %{nspr_version}
BuildRequires:    pkgconfig
BuildRequires:    gawk
BuildRequires:    zlib-devel

# we need the following because redhat don't ship addbuiltin
# so we need to have a version of nss with addbuiltin installed
BuildRequires:    nss-tools = 3.12.6-1.el5.inf.2
BuildRequires:    nss = 3.12.6-1.el5.inf.2
# This RPM contains the EUCS CA
BuildRequires:    eucs-sslcerts
BuildRequires:    openssl
Lower down in the middle of the %build section:
export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR

%ifarch x86_64 ppc64 ia64 s390x
USE_64=1
export USE_64
%endif

# extract DER certs from pem files
for I in /etc/pki/tls/certs/*_CA.pem ; do
  if [ -r "$I" ]; then
    basename=`basename $I '.pem'`
    /usr/bin/openssl x509 -in $I -out $basename.DER -outform DER
    /usr/bin/addbuiltin  -n $basename -t "C,C,C" < ./$basename.DER >>./mozilla/security/nss/lib/ckfw/builtins/certdata.txt
  fi
done
# Build CAs into the source
pushd ./mozilla/security/nss/lib/ckfw/builtins
gmake generate
popd

# NSS_ENABLE_ECC=1
# export NSS_ENABLE_ECC
And finally in the %install section we have:
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
  %{__install} -p -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# Copy the binaries we want
# We also need addbuiltin to add the CAs we want
for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap addbuiltin
do
  %{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done

# Copy the binaries we ship as unsupported
for file in atob btoa derdump ocspclnt pp selfserv shlibsign strsclnt symkeyutil tstclnt vfyserv vfychain
do
  %{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
-- ChrisCooke - 10 Sep 2010
Topic revision: r1 - 10 Sep 2010 - 15:31:33 - ChrisCooke