The only curious thing with using "pkcs11.txt" is that is usually used
with the security databases. Per some of the manpages:
In 2009, NSS introduced a new set of databases that are SQLite databases
rather than BerkeleyDB. These new databases provide more accessibility and
performance:
• cert9.db for certificates
• key4.db for keys
• pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a
new subdirectory in the security databases directory
Red Hat decided to use "nss.config" in Fedora for the system-wide policy
file, and the test at nss/tests/policy/policy.sh calls it "nss-policy".
Perhaps we should call it something different too? I don't really
understand the whole impact of this filename though, so my suggestion
may be unnecessary.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2016303
Title:
Rebuild NSS with support for system-wide config file
Status in nss package in Ubuntu:
Confirmed
Bug description:
NSS should be rebuilt with this patch:
diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
NSS_USE_SYSTEM_SQLITE=1 \
NSS_ENABLE_ECC=1 \
CHECKLOC= \
+ POLICY_FILE=pkcs11.txt \
+ POLICY_PATH=/etc/nss \
$(TOOLCHAIN)
override_dh_auto_clean:
The directory could be another one, of course. This will allow us to
create a system-wide /etc/nss/pkcs11.txt file which could load the NSS
policy module.
The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html
The current source code is the best documentation, and has a ton of
tests that show how to use the policy module:
- allow/disallow options:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures):
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt
and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy
Here is a sample /etc/nss/pkcs11.txt which enables the policy module with
certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or
in any of the other many places we have a pkcs11.txt file on the system (hence
the need for this build option: to have just one place):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbid: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt
Note thunderbird ships its own libnss3 (zomg), and would not be
affected by this build change (unless it's done in the thunderbird
source package too).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2016303/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
