
pesign uses older dbm format nssdb #34

Open
halfline opened this issue Aug 9, 2017 · 2 comments

@halfline

halfline commented Aug 9, 2017

pesign currently ships with an old format nssdb.

it can convert to the newer format with:

certutil -K -d sql:etc/pki/pesign -X

and the source code should probably be changed to something like:

- char *certdir = "/etc/pki/pesign"
+ char *certdir = "sql:/etc/pki/pesign"
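Review bot: both the removed and the added line are missing the terminating semicolon; as a C declaration the new line should read `char *certdir = "sql:/etc/pki/pesign";`. Note also that hardcoding the `sql:` prefix ties pesign to the converted database described above, so the certutil conversion needs to be paired with this source change (or the environment alternative below) for installations still carrying the old-format files.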

(or set NSS_DEFAULT_DB_TYPE=sql in environment)

@dvzrv

dvzrv commented Apr 26, 2020

As e.g. the test certs provided by Fedora are incompatible with nss 3.51.1 (currently the default on Arch Linux), I am unable to reproduce in what way I would actually have to create a database that can then be used by pesign/pesign-client.

I have tried to do an upgrade of those files, but to no avail:

$ certutil --upgrade-merge --source-dir sql:pki/pesign --upgrade-id 0
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

I don't know if the database files can be updated or not and also don't know what the correct upgrade-id would be.

Therefore I have tried getting things running with the new format from the start.
For testing purposes I have used this to create an NSS database that is actually usable by certutil:

certutil -N -d sql:certs --empty-password

I installed the created files to /etc/pki/pesign and gave them proper access rights, so that pesign could modify them.
Afterwards I attempted to import a test key based on the man page examples of pesign:

pesign/src/pesign.1

Lines 102 to 138 in cbc37d9

.SH EXAMPLES
1.If you have a certificate file and private key file, the following steps
may be used to sign a PE image:
.RS 4
# Create a pkcs12 file from private key and
.RE
.RS 4
# certificate file.
.RE
.RS 4
host:~$ openssl pkcs12 \-export \-out foo_key.p12 \\
.RE
.RS 20
\-inkey signing_key.pem \\
.RE
.RS 20
\-in xyz_cert.x509.pem
.LP
.RE
.RS 4
# Import pkcs12 file into pesign db
.RE
.RS 4
host:~$ pk12util \-i foo_key.p12 \-d /etc/pki/pesign
.LP
.RE
.RS 4
# Do the signing
.RE
.RS 4
host:~$ pesign \-i <input\-file> \-o <output\-file> \\
.RE
.RS 19
\-c <cert nickname> \-s
.RE
.LP

The key was created as follows:

openssl req -x509 -newkey rsa:4096 -days 365 -keyout signing_key.pem -out xyz_cert.x509.pem

and I made sure that the key was imported with a token name specified (i.e. -h "pkcs11:token=NSS%20Certificate%20DB").

The import works fine, but whatever I choose as Organization Name during creation (e.g. test) is not found in the database when running pesign-client on a test file:

$ pesign-client -s -i test_file -o test_file.signed -c 'test'
# pesign output:
attempting to sign with key "NSS Certificate DB:test"
cms_common.c:find_certificate:471: could not find certificate in list: Unrecognized Object Identifier.

However, the cert is found in the database by certutil:

$ certutil -L -d sql:/etc/pki/pesign
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test                                                         u,u,u

I wonder what I'm doing wrong here and where I can find further documentation on this.
What does pesign understand as "token"? Why is it not able to retrieve the certificate to use by nickname?

@rjrelyea

Hi, so I can help with some of your questions:

  1. certutil --upgrade-merge is used to merge one database into another on a one-time basis. You need 2 existing databases for it to work. This was envisioned to help merge multiple NSS databases automatically into one so that, say Firefox and Thunderbird could share the same database. Automatic merging turned out to be non-trivial because we need two database passwords, and presenting the UI to ask for each one turned out to be non-trivial.

  2. How to upgrade a database then: This normally happens automatically when you open the new database, but there are caveats: 1) you need to open the database R/W and 2) you need to supply the database password (login). If there is no password, then 1) is sufficient. If you want to do it by hand, the following command will trigger an update:
    certutil -K -X -d sql:{database_directory}

  3. pesign-client failure: are you running on a platform where dbm is the default database? Try setting NSS_DEFAULT_DB_TYPE=sql and rerunning the pesign command.
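A small helper, added here and not part of pesign or NSS, that tells the two NSS database layouts discussed in this thread apart (cert8.db/key3.db for the legacy dbm format, cert9.db/key4.db for the sqlite format), builds the explicit `sql:`/`dbm:` prefixed `-d` argument so the result does not depend on NSS_DEFAULT_DB_TYPE, and wraps the `certutil -K -X` upgrade command from the comment above so it only runs when a dbm-only directory is found. The file names are the standard NSS ones; the function names are my own.

```shell
#!/bin/sh
# Added example: detect the NSS database format in a directory and build the
# matching -d argument for pesign/certutil (not code from pesign or NSS).
# Assumes the standard NSS file names: cert8.db/key3.db (dbm), cert9.db/key4.db (sql).

# Print "sql", "dbm", "both" or "none" for the directory given as $1.
nss_db_format() {
    dir=$1
    sql=0; dbm=0
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then sql=1; fi
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then dbm=1; fi
    case "$sql$dbm" in
        10) echo sql ;;
        01) echo dbm ;;
        11) echo both ;;   # converted in place: the old dbm files are still lying around
        *)  echo none ;;
    esac
}

# Build the explicit -d value, so tools open the right backend regardless of
# NSS_DEFAULT_DB_TYPE. Prefers sql when both layouts are present. Fails (1) if none.
nss_db_arg() {
    dir=$1
    case "$(nss_db_format "$dir")" in
        sql|both) echo "sql:$dir" ;;
        dbm)      echo "dbm:$dir" ;;
        *)        return 1 ;;
    esac
}

# Trigger the conversion of a dbm-only directory with the command from the thread:
# certutil -K -X opens the database read/write, which makes NSS upgrade it.
# Does nothing when an sql database already exists or the directory is empty.
nss_db_upgrade() {
    dir=$1
    [ "$(nss_db_format "$dir")" = dbm ] || return 0
    certutil -K -X -d "sql:$dir"
}

# Usage: sh nss-db-check.sh /etc/pki/pesign
if [ $# -gt 0 ]; then
    echo "format: $(nss_db_format "$1")"
    echo "-d arg: $(nss_db_arg "$1")"
fi
```

Point `pesign -n` / `certutil -d` at the printed `-d` value; if the report says `dbm`, run `nss_db_upgrade` on the directory first (as root, since the files under /etc/pki/pesign need to be writable for the conversion).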
