Rebuild NSS with support for system-wide config file

Bug #2016303 reported by Andreas Hasenack
This bug affects 2 people
Affects: nss (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: Unassigned

Bug Description

NSS should be rebuilt with this patch:

diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
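Review bot: libnss3.dirs creates /etc/nss but nothing in this patch ships a file into it, so on a fresh install the directory is empty and the build-time policy path stays inert until an administrator writes /etc/nss/pkcs11.txt by hand; consider shipping a commented-out default as a conffile, or at least a README.Debian in libnss3 that names the file and shows the `config="disallow=ALL allow=..."` syntax from the bug description, so the new location is discoverable.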
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
                NSS_USE_SYSTEM_SQLITE=1 \
                NSS_ENABLE_ECC=1 \
                CHECKLOC= \
+ POLICY_FILE=pkcs11.txt \
+ POLICY_PATH=/etc/nss \
                $(TOOLCHAIN)

 override_dh_auto_clean:
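Review bot: `POLICY_FILE=pkcs11.txt` reuses the name NSS already gives the PKCS #11 module listing inside certificate/key database directories (the ~/.pki/nssdb/pkcs11.txt of the description), so the system-wide policy file at /etc/nss/pkcs11.txt is easy to mistake for a per-database module file; a distinct name (the later comment cites Fedora's nss.config) would make its purpose obvious and avoid the ambiguity. POLICY_PATH=/etc/nss does agree with the etc/nss directory added in libnss3.dirs. Minor style point: the two added continuation lines appear indented with a single space while the neighbouring `NSS_ENABLE_ECC=1 \` and `CHECKLOC= \` lines use the block's deeper indentation; align them with the surrounding recipe lines.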

The directory could be another one, of course. This will allow us to create a system-wide /etc/nss/pkcs11.txt file which could load the NSS policy module.

The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html

The current source code is the best documentation, and has a ton of tests that show how to use the policy module:

- allow/disallow options: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures): https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy

Here is a sample /etc/nss/pkcs11.txt which enables the policy module with certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or in any of the other many places we have a pkcs11.txt file on the system (hence the need for this build option: to have just one place):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbird: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt

Note thunderbird ships its own libnss3 (zomg), and would not be affected by this build change (unless it's done in the thunderbird source package too).
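To see what a policy file like the sample above actually enables before it is dropped into /etc/nss, here is a small parser for the `config="..."` string as an added example; it is not code from the bug report or from the NSS project. It follows the structure visible in the sample and the pk11pars.c links: whitespace-separated `key=value` directives applied in order, `allow`/`disallow` values as `:`-separated lists, tokens containing `=` (such as `tls-version-min=tls1.2` or `RSA-MIN=2048`) treated as qualifiers, and text after `/` treated as a comma-separated option list. Case-insensitive name matching, the `Policy` class, `legacy_still_enabled` and the `LEGACY_ALGORITHMS` list are assumptions of this example, not NSS API.

```python
"""Parse the NSS policy-module config string from a pkcs11.txt-style file.

Added example, not the bug report's or NSS's own code. Assumptions: directives
are whitespace-separated key=value pairs, allow/disallow values are ':'-separated
lists, tokens containing '=' are qualifiers, text after '/' is a comma-separated
option list, and algorithm names are matched case-insensitively.
"""
from dataclasses import dataclass, field

# Constructed sample: the /etc/nss/pkcs11.txt from the bug description.
SAMPLE_PKCS11_TXT = """\
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
"""

# Constructed list of names a defender would not want a policy to leave enabled.
LEGACY_ALGORITHMS = ("MD5", "RC4", "SHA1", "DES", "3DES")


@dataclass
class Policy:
    default_allowed: bool = True                    # set by allow=ALL / disallow=ALL
    explicit: dict = field(default_factory=dict)    # ALG -> True (allow) / False (disallow)
    qualifiers: dict = field(default_factory=dict)  # e.g. "RSA-MIN" -> "2048"
    options: dict = field(default_factory=dict)     # ALG -> set of '/'-options seen


def extract_config(pkcs11_txt: str) -> str:
    """Return the value of the config= line with its surrounding quotes removed."""
    for line in pkcs11_txt.splitlines():
        if line.startswith("config="):
            return line[len("config="):].strip().strip('"')
    raise ValueError("no config= line in pkcs11.txt")


def parse_policy(config: str) -> Policy:
    """Apply directives in order: a later allow/disallow overrides an earlier one."""
    policy = Policy()
    for directive in config.split():
        key, _, value = directive.partition("=")
        key = key.lower()
        if key not in ("allow", "disallow"):
            policy.qualifiers[key.upper()] = value  # unknown top-level key: keep verbatim
            continue
        enable = key == "allow"
        for token in value.split(":"):
            if not token:
                continue
            if "=" in token:                        # e.g. tls-version-min=tls1.2, RSA-MIN=2048
                qkey, _, qval = token.partition("=")
                policy.qualifiers[qkey.upper()] = qval
                continue
            alg, _, opts = token.partition("/")
            alg = alg.upper()
            if alg == "ALL":                        # reset: everything becomes `enable`
                policy.default_allowed = enable
                policy.explicit.clear()
            else:
                policy.explicit[alg] = enable
            if opts:
                policy.options.setdefault(alg, set()).update(opts.split(","))
    return policy


def is_allowed(policy: Policy, alg: str) -> bool:
    """Explicit allow/disallow wins; otherwise fall back to the ALL default."""
    return policy.explicit.get(alg.upper(), policy.default_allowed)


def min_key_size(policy: Policy, family: str):
    """Minimum key size from the <FAMILY>-MIN qualifier, or None if the policy sets none."""
    value = policy.qualifiers.get(f"{family.upper()}-MIN")
    return int(value) if value is not None else None


def legacy_still_enabled(policy: Policy, legacy=LEGACY_ALGORITHMS) -> list:
    """Names from the legacy list that the policy would still permit."""
    return [alg for alg in legacy if is_allowed(policy, alg)]


def load_policy(pkcs11_txt: str) -> Policy:
    return parse_policy(extract_config(pkcs11_txt))


if __name__ == "__main__":
    policy = load_policy(SAMPLE_PKCS11_TXT)
    print("allowed:", sorted(a for a, on in policy.explicit.items() if on))
    print("legacy still enabled:", legacy_still_enabled(policy))
    print("RSA-MIN:", min_key_size(policy, "RSA"),
          "TLS min:", policy.qualifiers["TLS-VERSION-MIN"])
```

Run it on the sample and `legacy_still_enabled` comes back empty, because `disallow=ALL` first switches everything off and the `allow=` list only re-enables the named items (HMAC-SHA1 is allowed, bare SHA1 is not). Feeding it `allow=ALL disallow=RC4:MD5` instead shows the opposite shape, where anything not named stays enabled, which is the case worth checking before trusting a policy file found in one of the per-profile locations listed above.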

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

ACK on the policy file location change.

Marc Deslauriers (mdeslaur) wrote :

This should get sent to debian too.

Quick question: is pkcs11.txt a default filename used anywhere else? Where did the filename come from?

Andreas Hasenack (ahasenack) wrote :

> Quick question: is pkcs11.txt a default filename used anywhere else? Where did the filename come from?

¯\_(ツ)_/¯

There is a lot (a lot) of history here, buried deep somewhere in the internet...

Marc Deslauriers (mdeslaur) wrote :

The only curious thing with using "pkcs11.txt" is that it is usually used with the security databases. Per some of the manpages:

       In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB. These new databases provide more accessibility and performance:
       • cert9.db for certificates
       • key4.db for keys
       • pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory

Red Hat decided to use "nss.config" in Fedora for the system-wide policy file, and the test at nss/tests/policy/policy.sh calls it "nss-policy".

Perhaps we should call it something different too? I don't really understand the whole impact of this filename though, so my suggestion may be unnecessary.
