commit cef712e9a49502e669535675c9900b61751ac02b Author: Martin Sirringhaus Date: Mon Jul 29 23:22:41 2024 +0000 Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=nss-reviewers,rrelyea) Differential Revision: https://phabricator.services.mozilla.com/D217282 Index: nss/cmd/shlibsign/Makefile =================================================================== --- nss.orig/cmd/shlibsign/Makefile +++ nss/cmd/shlibsign/Makefile @@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk # (4) Include "local" platform-dependent assignments (OPTIONAL). # ####################################################################### -ifeq ($(OS_ARCH), WINNT) - -EXTRA_LIBS += \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \ - $(NULL) - -else - -EXTRA_SHARED_LIBS += \ - -L$(NSPR_LIB_DIR) \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ - $(NULL) - -endif - +include ../platlibs.mk # sign any and all shared libraries that contain the word freebl ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) Index: nss/cmd/shlibsign/shlibsign.c =================================================================== --- nss.orig/cmd/shlibsign/shlibsign.c +++ nss/cmd/shlibsign/shlibsign.c @@ -55,6 +55,10 @@ /* nss headers for definition of HASH_HashType */ #include "hasht.h" +#include "basicutil.h" +#include "secitem.h" + + CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; static PRBool verbose = PR_FALSE; @@ -111,7 +115,7 @@ usage(const char *program_name) PR_fprintf(debug_out, "Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n" " [-F] [-p pwd] -[P dbprefix ] [-t hash]" - " [-D] [-k keysize] [-c]" + " [-D] [-k keysize] [-c] [-K key]" "-i shared_library_name\n", program_name); PR_fprintf(debug_out, "Valid Hashes: "); @@ -136,6 +140,7 @@ long_usage(const char *program_name) PR_fprintf(debug_out, "\t-t Hash for HMAC/or DSA\n"); PR_fprintf(debug_out, "\t-D Sign with DSA rather than HMAC\n"); PR_fprintf(debug_out, "\t-k size of the DSA key\n"); + PR_fprintf(debug_out, "\t-K key-material to use for hmac (hex-string, without leading 0x)\n"); PR_fprintf(debug_out, "\t-c Use compatible versions for old NSS\n"); PR_fprintf(debug_out, "\t-P database prefix\n"); PR_fprintf(debug_out, "\t-f password File : echo pw > file \n"); @@ -1069,7 +1074,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct CK_RV shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot, - CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd, + CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd, PRFileDesc *ofd, const HashTable *hash) { CK_MECHANISM hmacMech = { 0, NULL, 0 }; @@ -1100,40 +1105,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunc "Internal error:Could find sha256 entry in table.\n"); } - hmacKeyTemplate[0].type = CKA_TOKEN; - hmacKeyTemplate[0].pValue = &ckfalse; /* session object */ - hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse); - hmacKeyTemplate[1].type = CKA_PRIVATE; - hmacKeyTemplate[1].pValue = &cktrue; - hmacKeyTemplate[1].ulValueLen = sizeof(cktrue); - hmacKeyTemplate[2].type = CKA_SENSITIVE; - hmacKeyTemplate[2].pValue = &ckfalse; - hmacKeyTemplate[2].ulValueLen = sizeof(cktrue); - hmacKeyTemplate[3].type = CKA_SIGN; - hmacKeyTemplate[3].pValue = &cktrue; - hmacKeyTemplate[3].ulValueLen = sizeof(cktrue); - hmacKeyTemplate[4].type = CKA_EXTRACTABLE; - hmacKeyTemplate[4].pValue = &ckfalse; - hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse); - hmacKeyTemplate[5].type = CKA_VALUE_LEN; - hmacKeyTemplate[5].pValue = (void *)&hash->hashLength; - hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength); - hmacKeyTemplate[6].type = CKA_KEY_TYPE; - hmacKeyTemplate[6].pValue = (void *)&hash->keyType; - hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType); - hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN; - hmacMech.mechanism = hash->hmac; + if (key == NULL) { + hmacKeyTemplate[0].type = CKA_TOKEN; + hmacKeyTemplate[0].pValue = &ckfalse; /* session object */ + hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse); + hmacKeyTemplate[1].type = CKA_PRIVATE; + hmacKeyTemplate[1].pValue = &cktrue; + hmacKeyTemplate[1].ulValueLen = sizeof(cktrue); + hmacKeyTemplate[2].type = CKA_SENSITIVE; + hmacKeyTemplate[2].pValue = &ckfalse; + hmacKeyTemplate[2].ulValueLen = sizeof(cktrue); + hmacKeyTemplate[3].type = CKA_SIGN; + hmacKeyTemplate[3].pValue = &cktrue; + hmacKeyTemplate[3].ulValueLen = sizeof(cktrue); + hmacKeyTemplate[4].type = CKA_EXTRACTABLE; + hmacKeyTemplate[4].pValue = &ckfalse; + hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse); + hmacKeyTemplate[5].type = CKA_VALUE_LEN; + hmacKeyTemplate[5].pValue = (void *)&hash->hashLength; + hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength); + hmacKeyTemplate[6].type = CKA_KEY_TYPE; + hmacKeyTemplate[6].pValue = (void *)&hash->keyType; + hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType); + hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN; + + /* Generate a DSA key pair */ + logIt("Generate an HMAC key ... \n"); + crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech, + hmacKeyTemplate, + PR_ARRAY_SIZE(hmacKeyTemplate), + &hHMACKey); + } else { + SECItem keyitem = { 0 }; + if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) { + pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv); + return crv; + } + + CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY; + CK_ATTRIBUTE hmacKeyObject[] = { + { + .type = CKA_CLASS, + .pValue = &secret_key_obj_class, + .ulValueLen = sizeof(CK_OBJECT_CLASS), + }, + { + .type = CKA_KEY_TYPE, + .pValue = (void *)&hash->keyType, + .ulValueLen = sizeof(hash->keyType), + }, + { + .type = CKA_VALUE, + .pValue = keyitem.data, + .ulValueLen = keyitem.len, + }, + { + .type = CKA_SIGN, + .pValue = &cktrue, + .ulValueLen = sizeof(cktrue), + }, + }; + logIt("Using static HMAC key ... \n"); + crv = pFunctionList->C_CreateObject(hRwSession, + hmacKeyObject, + PR_ARRAY_SIZE(hmacKeyObject), + &hHMACKey); + } - /* Generate a DSA key pair */ - logIt("Generate an HMAC key ... \n"); - crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech, - hmacKeyTemplate, - PR_ARRAY_SIZE(hmacKeyTemplate), - &hHMACKey); if (crv != CKR_OK) { pk11error("HMAC key generation failed", crv); return crv; } + hmacMech.mechanism = hash->hmac; /* compute the digest */ memset(sign, 0, sizeof(sign)); @@ -1258,6 +1301,7 @@ main(int argc, char **argv) static PRBool useDSA = PR_FALSE; PRBool successful = PR_FALSE; const HashTable *hash = NULL; + char *key = NULL; #ifdef USES_LINKS int ret; @@ -1281,7 +1325,7 @@ main(int argc, char **argv) program_name = strrchr(argv[0], '/'); program_name = program_name ? (program_name + 1) : argv[0]; - optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc"); + optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc"); if (optstate == NULL) { lperror("PL_CreateOptState failed"); return 1; @@ -1331,6 +1375,14 @@ main(int argc, char **argv) keySize = atoi(optstate->value); break; + case 'K': + if (!optstate->value) { + PL_DestroyOptState(optstate); + usage(program_name); + } + key = PL_strdup(optstate->value); + break; + case 'f': if (!optstate->value) { PL_DestroyOptState(optstate); @@ -1569,7 +1621,7 @@ main(int argc, char **argv) keySize, ifd, ofd, hash); } else { crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession, - keySize, ifd, ofd, hash); + keySize, key, ifd, ofd, hash); } if (crv == CKR_INTERNAL_OUT_FAILURE) { lperror(output_file);