How to Patch the nss package
We patch the nss packages to add our local CAs (the ones not signed by any globally recognised certification authority) to the built-in root store that Firefox and other NSS applications trust. If we don't do this, Firefox flashes up a scary-looking security warning whenever it meets a certificate issued by one of those local CAs, which we don't want. Bear in mind that anything added this way is trusted as a root by every NSS application on every machine that installs the package, so only genuine local CA certificates should go in.
This is roughly the procedure, each time a new version of the nss packages appears in the OS updates:
- Take a note of the new version number.
- Get the source RPM for that version and install it.
- Make these changes to the spec file:
- Change the release number
- Add e.g. '.inf.1' to the RPM's release number to mark it as a local modification (so 2.el5 becomes 2.el5.inf.1). Bump the .inf.N part if you rebuild the same upstream release again.
- addbuiltin
- The 'addbuiltin' tool is needed to build the local nss package, but Red Hat don't ship it in nss-tools, so the build has to get it from a previous version of our own locally built nss package. Add a BuildRequires on that exact version of nss-tools (and the matching nss). For example:
# we need the following because redhat don't ship addbuiltin
# so we need to have a version of nss with addbuiltin installed
BuildRequires: nss-tools = 3.12.6-1.el5.inf.2
BuildRequires: nss = 3.12.6-1.el5.inf.2
- EUCS Certificate
- Add a BuildRequires on the EUCS certificate RPM, so that the EUCS CA's PEM file is present under /etc/pki/tls/certs on the build host when the loop below runs:
# This RPM contains the EUCS CA
BuildRequires: eucs-sslcerts
- Extract the DER certificates
- Add the following to the %build section, after the variable declarations but before any 'make' lines. It converts every *_CA.pem file in /etc/pki/tls/certs to DER and appends each one to certdata.txt in the nss source, using the file name (minus .pem) as the certificate's label and the trust string "C,C,C", which marks the CA as a trusted CA for SSL, S/MIME and object signing (if a CA only issues web server certificates, "C,," limits it to SSL). Note that the loop takes whatever *_CA.pem files are on the build host at build time, so make sure that directory holds exactly the CAs you intend to trust and nothing else; anything it picks up becomes a trusted root on every machine that installs the package:
for I in /etc/pki/tls/certs/*_CA.pem ; do
if [ -r "$I" ]; then
basename=`basename $I '.pem'`
/usr/bin/openssl x509 -in $I -out $basename.DER -outform DER
/usr/bin/addbuiltin -n $basename -t "C,C,C" < ./$basename.DER >>./mozilla/security/nss/lib/ckfw/builtins/certdata.txt
fi
done
- Build the CAs into the source
- Add these lines just below the loop. The 'generate' target regenerates certdata.c from certdata.txt; that C file is what gets compiled into the builtins module (libnssckbi):
# Build CAs into the source
pushd ./mozilla/security/nss/lib/ckfw/builtins
gmake generate
popd
- Install 'addbuiltin'
- Add 'addbuiltin' to the list of binaries installed into $RPM_BUILD_ROOT/%{_bindir}, in the %install section of the spec file, so that the next locally patched nss can BuildRequire this version for its addbuiltin.
- Install the previous local version of the 'nss' packages on the build machine, if they aren't installed already; they satisfy the BuildRequires above and supply addbuiltin.
- Upgrade manually to the new version of the 'nspr' packages. It should have been released at the same time as the new 'nss' packages that you're modifying, and the new nss BuildRequires it (nspr-devel >= %{nspr_version}).
- Build the RPM.
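A hardened version of the cert-import loop, added here as an example; it is not the page's %build snippet nor the site's spec file code. It assumes the page's layout: CA PEMs under /etc/pki/tls/certs/*_CA.pem, openssl and addbuiltin on PATH, and the current directory at the top of the nss source tree. The CA:TRUE/self-signed check, the trust-string validation, the CKA_LABEL count check and the SSL-only "C,," default are this example's own additions (the page uses "C,C,C"):

```shell
#!/bin/bash
# Added example (not the original page's %build snippet): a hardened version of
# the cert-import loop, with the checks a build should make before it turns a
# PEM file into a built-in root that every NSS application on the site trusts.
# Assumes the page's layout: CA PEMs in /etc/pki/tls/certs/*_CA.pem, openssl and
# addbuiltin on PATH, and the cwd at the top of the nss source tree.

CERT_DIR="${CERT_DIR:-/etc/pki/tls/certs}"
CERTDATA="${CERTDATA:-./mozilla/security/nss/lib/ckfw/builtins/certdata.txt}"
# The page uses "C,C,C" (trusted CA for SSL, S/MIME and object signing). A CA
# that only issues web server certificates needs "C,," (SSL only); that default
# is this example's choice, not the page's.
TRUST="${TRUST:-C,,}"

# Nickname that becomes CKA_LABEL in certdata.txt: file name minus the .pem suffix.
nickname_for() {
    basename "$1" .pem
}

# addbuiltin -t takes the same trust string as certutil: three comma-separated
# slots (SSL, email, object signing), each empty or made of trust letters.
# Accept only the letters we use (C c P p T u), so a typo cannot silently
# become a different trust setting.
valid_trust() {
    printf '%s\n' "$1" | grep -Eq '^[CcPpTu]*,[CcPpTu]*,[CcPpTu]*$'
}

# Only a self-signed CA certificate belongs in the built-in root store. This
# checks the basicConstraints CA flag and that issuer equals subject; it does
# not verify the signature, so the PEM must still come from a trusted source.
is_self_signed_ca() {
    local pem="$1" subj iss
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    subj=$(openssl x509 -in "$pem" -noout -subject)
    iss=$(openssl x509 -in "$pem" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Number of CKA_LABEL lines for a nickname in a certdata.txt. addbuiltin writes
# one certificate object and one trust object per CA, each with a CKA_LABEL, so
# a correctly added CA has exactly 2; 4 means the loop ran twice in one tree.
label_count() {
    grep -c "^CKA_LABEL UTF8 \"$2\"\$" "$1" 2>/dev/null || true
}

# Convert every *_CA.pem to DER and append it to certdata.txt, failing the
# build on anything unexpected instead of shipping a partial or wrong trust set.
import_local_cas() {
    local dir="$1" certdata="$2" trust="$3" pem nick added=0
    valid_trust "$trust" || { echo "bad trust string: $trust" >&2; return 1; }
    [ -w "$certdata" ] || { echo "cannot write $certdata" >&2; return 1; }
    for pem in "$dir"/*_CA.pem; do
        [ -r "$pem" ] || continue      # unmatched glob or unreadable file
        nick=$(nickname_for "$pem")
        if ! is_self_signed_ca "$pem"; then
            echo "$pem is not a self-signed CA certificate; refusing to add it" >&2
            return 1
        fi
        # Record what went in, so the build log shows which CA was trusted.
        echo "adding $nick, $(openssl x509 -in "$pem" -noout -fingerprint -sha1), trust $trust"
        openssl x509 -in "$pem" -outform DER -out "$nick.DER"
        addbuiltin -n "$nick" -t "$trust" < "$nick.DER" >> "$certdata"
        [ "$(label_count "$certdata" "$nick")" -eq 2 ] ||
            { echo "$nick not added exactly once to $certdata" >&2; return 1; }
        added=$((added + 1))
    done
    [ "$added" -gt 0 ] || { echo "no *_CA.pem files in $dir" >&2; return 1; }
    echo "added $added local CA(s) to $certdata"
}

# In %build, call:
#   import_local_cas /etc/pki/tls/certs ./mozilla/security/nss/lib/ckfw/builtins/certdata.txt "C,,"
# and then run 'gmake generate' in lib/ckfw/builtins as before. Run this file
# stand-alone with the argument "run" to use the defaults above.
if [ "${1:-}" = "run" ]; then
    import_local_cas "$CERT_DIR" "$CERTDATA" "$TRUST"
fi
```

The loop fails the build on an empty directory and on a PEM that isn't a self-signed CA, rather than quietly producing a package with the wrong set of roots; the fingerprint line in the build log is what you compare against the CA you expected to ship.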
Here are the relevant bits from the nss 3.12.7 spec file to give you the idea. The local changes and additions are the Release line, the BuildRequires block starting at the '# we need the following' comment, the '# extract DER certs' and '# Build CAs' blocks in %build, and addbuiltin in the %install list of binaries.
At the top of the spec file:
Summary: Network Security Services
Name: nss
Version: 3.12.7
Release: 2.el5.inf.1
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version}
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= %{nspr_version}
BuildRequires: pkgconfig
BuildRequires: gawk
BuildRequires: zlib-devel
# we need the following because redhat don't ship addbuiltin
# so we need to have a version of nss with addbuiltin installed
BuildRequires: nss-tools = 3.12.6-1.el5.inf.2
BuildRequires: nss = 3.12.6-1.el5.inf.2
# This RPM contains the EUCS CA
BuildRequires: eucs-sslcerts
BuildRequires: openssl
Lower down in the middle of the %build section:
export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR
%ifarch x86_64 ppc64 ia64 s390x
USE_64=1
export USE_64
%endif
# extract DER certs from pem files
for I in /etc/pki/tls/certs/*_CA.pem ; do
if [ -r "$I" ]; then
basename=`basename $I '.pem'`
/usr/bin/openssl x509 -in $I -out $basename.DER -outform DER
/usr/bin/addbuiltin -n $basename -t "C,C,C" < ./$basename.DER >>./mozilla/security/nss/lib/ckfw/builtins/certdata.txt
fi
done
# Build CAs into the source
pushd ./mozilla/security/nss/lib/ckfw/builtins
gmake generate
popd
# NSS_ENABLE_ECC=1
# export NSS_ENABLE_ECC
And finally in the %install section we have:
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
%{__install} -p -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
# Copy the binaries we want
# We also need addbuiltin to add the CAs we want
for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap addbuiltin
do
%{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done
# Copy the binaries we ship as unsupported
for file in atob btoa derdump ocspclnt pp selfserv shlibsign strsclnt symkeyutil tstclnt vfyserv vfychain
do
%{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
--
ChrisCooke - 10 Sep 2010