From 127c3bfa2bb9e5ed607c126518e019194c8f3309 Mon Sep 17 00:00:00 2001 From: Chris Masone Date: Mon, 19 Apr 2010 14:26:14 -0700 Subject: [PATCH] Add testing root certs to an nssdb on the rootfs. After discussing with drewry, we can't come up with a better way to inject these root certs. We considered putting them on the stateful partition, but that opens up an avenue of attack (if you can get a root cert into the magic directory, then you can MITM login). Thus, we put it on the rootfs instead. The script that sets up the hashes for vboot will verify that this directory is not present in production images. That work is tracked here: http://code.google.com/p/chromium-os/issues/detail?id=2693 Review URL: http://codereview.chromium.org/1566055 --- mod_for_test_scripts/710enableAuthTesting | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/mod_for_test_scripts/710enableAuthTesting b/mod_for_test_scripts/710enableAuthTesting index fb00cff181..b623b0902b 100755 --- a/mod_for_test_scripts/710enableAuthTesting +++ b/mod_for_test_scripts/710enableAuthTesting @@ -6,12 +6,20 @@ echo "Adding mock Google Accounts server certs." -# TODO(cmasone): Generate these on the fly? +# TODO(cmasone): Generate certs/keys on the fly from a CSR? CERT_DIR="${GCLIENT_ROOT}/src/platform/login_manager" CERT_NAME="mock_server" +FAKE_CA_DIR="${ROOT_FS_DIR}/etc/fake_root_ca" +FAKE_NSSDB="${FAKE_CA_DIR}/nssdb" -cat "${CERT_DIR}/${CERT_NAME}.key" > "${ROOT_FS_DIR}/etc/${CERT_NAME}.key" +mkdir -p "${FAKE_NSSDB}" +cat "${CERT_DIR}/${CERT_NAME}.key" > "${FAKE_CA_DIR}/${CERT_NAME}.key" +echo "DO NOT MOVE THIS DATA OFF OF THE ROOTFS!" > "${FAKE_CA_DIR}/README" +nsscertutil -A -n FakeCA -t "C,C,C" -a -i "${CERT_DIR}/${CERT_NAME}.pem" \ + -d "${FAKE_NSSDB}" +chmod -R 0644 "${FAKE_NSSDB}" +# TODO(cmasone): get rid of this once we're off pam_google for good. # Sadly, our fake cert HAS to be first in this file. TMPFILE=$(mktemp) CERT_FILE="${ROOT_FS_DIR}/etc/login_trust_root.pem"