1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/build/b2g-certdata.mk Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,35 @@
1.4 +# This Source Code Form is subject to the terms of the Mozilla Public
1.5 +# License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
1.7 +
1.8 +# On B2G, we need to remove the trust bits for code signing from all the
1.9 +# built-in CAs, because we are redefining the code signing bit to mean
1.10 +# "is trusted to issue certs that are trusted for signing apps," which none
1.11 +# of the normal built-in CAs are. This is a temporary hack until we can use
1.12 +# libpkix to verify the certificates. (libpkix gives the flexibility we need
1.13 +# to verify certificates using different sets of trust anchors per validation.)
1.14 +#
1.15 +# Whenever we change the B2G app signing trust anchor, we need to manually
1.16 +# update certdata-b2g.txt. To do so:
1.17 +#
1.18 +# 1. replace ./b2g-app-root-cert.der with the new DER-encoded root cert
1.19 +#
1.20 +# 2. In this directory run:
1.21 +#
1.22 +# PATH=$NSS/bin:$NSS/lib addbuiltin -n "b2g-app-root-cert" -t ",,Cu" \
1.23 +# < b2g-app-root-cert.der > b2g-certdata.txt
1.24 +#
1.25 +# Then, commit the changes. We don't do this step as part of the build because
1.26 +# we do not build addbuiltin as part of a Gecko build.
1.27 +
1.28 +# Distrust all existing builtin CAs for code-signing
1.29 +hacked-certdata.txt : $(srcdir)/../nss/lib/ckfw/builtins/certdata.txt
1.30 + sed -e "s/^CKA_TRUST_CODE_SIGNING.*CKT_NSS_TRUSTED_DELEGATOR.*/CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST/" \
1.31 + $< > $@
1.32 +
1.33 +combined-certdata.txt : hacked-certdata.txt $(srcdir)/b2g-certdata.txt
1.34 + cat $^ > $@
1.35 +
1.36 +libs-nss/lib libs-nss/lib/ckfw: combined-certdata.txt
1.37 +
1.38 +DEFAULT_GMAKE_FLAGS += NSS_CERTDATA_TXT='$(CURDIR)/combined-certdata.txt'
