Add testing root certs to an nssdb on the rootfs.

After discussing with drewry, we can't come up with a better way to inject these root certs. We considered putting them on the stateful partition, but that opens up an avenue of attack (if you can get a root cert into the magic directory, then you can MITM login). Thus, we put it on the rootfs instead. The script that sets up the hashes for vboot will verify that this directory is not present in production images. That work is tracked here: http://code.google.com/p/chromium-os/issues/detail?id=2693 Review URL: http://codereview.chromium.org/1566055
2026-05-05 04:06:33 +02:00 · 2010-04-19 14:26:14 -07:00 · 2010-04-19 14:26:14 -07:00 · 127c3bfa2b
commit 127c3bfa2b
parent 3c8023380e
1 changed files with 10 additions and 2 deletions
--- a/mod_for_test_scripts/710enableAuthTesting
+++ b/mod_for_test_scripts/710enableAuthTesting
@ -6,12 +6,20 @@

 echo "Adding mock Google Accounts server certs."

-# TODO(cmasone): Generate these on the fly?
+# TODO(cmasone): Generate certs/keys on the fly from a CSR?
 CERT_DIR="${GCLIENT_ROOT}/src/platform/login_manager"
 CERT_NAME="mock_server"
+FAKE_CA_DIR="${ROOT_FS_DIR}/etc/fake_root_ca"
+FAKE_NSSDB="${FAKE_CA_DIR}/nssdb"

-cat "${CERT_DIR}/${CERT_NAME}.key" > "${ROOT_FS_DIR}/etc/${CERT_NAME}.key"
+mkdir -p "${FAKE_NSSDB}"
+cat "${CERT_DIR}/${CERT_NAME}.key" > "${FAKE_CA_DIR}/${CERT_NAME}.key"
+echo "DO NOT MOVE THIS DATA OFF OF THE ROOTFS!" > "${FAKE_CA_DIR}/README"
+nsscertutil -A -n FakeCA -t "C,C,C" -a -i "${CERT_DIR}/${CERT_NAME}.pem" \
+  -d "${FAKE_NSSDB}"
+chmod -R 0644 "${FAKE_NSSDB}"

+# TODO(cmasone): get rid of this once we're off pam_google for good.
 # Sadly, our fake cert HAS to be first in this file.
 TMPFILE=$(mktemp)
 CERT_FILE="${ROOT_FS_DIR}/etc/login_trust_root.pem"