4 Apr 2004 16:05
NSS Install/Use on Linux
Bryan White <bryan-news <at> arcamax.com>
2004-04-04 14:05:16 GMT
I am trying to get set up to produce signed JAR files on a Linux box. This is for an internally developed and used application. I have looked over the section in 'Creating Applications with Mozilla' and stuff I found here:
http://certs.mozdev.org/cadraft.html

I have tried this several different ways but with no success. I am using the binary Linux distribution found here:
http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_RTM/Linux2.4_x86_glibc_PTH_OPT.OBJ/nss-3.9.tar.gz

On a Fedora Core 1 box I did this:

First I installed the tar file to /usr/share:
/usr/share/nss-3.9/(bin/lib/include)

----
# Set up the root CA
# to be done as the admin of the CA
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
CADB=/home/arcamax/config/nss-ca
CU="$NSS/bin/certutil -d $CADB -f $CADB/capass"
mkdir -p $CADB
chmod 700 $CADB
/home/arcamax/bin/mkpass > $CADB/capass
chmod 400 $CADB/capass
# Creating the CA database
$CU -N
# Creating the root CA certificate
$CU -S -s "CN=arcamax.com nss root CA, O=arcamax.com" -n "amirootca" -t ",,C" -v 120 -x -1 -2 -5
# Prompts from -1 -2 -5 and the answers given:
    0 - Digital Signature ... Other to finish 5
    0 - Digital Signature ... Other to finish 9
    Is this a critical extension [y/n]? y
    Is this a CA certificate [y/n]? y
    Enter the path length constraint, enter to skip [<0 for unlimited path]: 3
    Is this a critical extension [y/n]? y
    0 - SSL Client ... Other to finish 7
    0 - SSL Client ... Other to finish 9
    Is this a critical extension [y/n]? y
# extract the root CA cert file
$CU -L -n "amirootca" -a -o /home/arcamax/config/amirootca.cacert
chmod 644 /home/arcamax/config/amirootca.cacert
----

----
# Set up a User's Signing Database and Generate a CSR
# This must be done as the individual user.
# The csr.txt file will be created in the current directory.
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
SIGNDB=$HOME/nss-sign
CU="$NSS/bin/certutil -d $SIGNDB -f $SIGNDB/signpass"
mkdir -p $SIGNDB
chmod 700 $SIGNDB
/home/arcamax/bin/mkpass > $SIGNDB/signpass
chmod 400 $SIGNDB/signpass
# Create the signing database
$CU -N
# Add the root CA .cacert to the signing db
$CU -A -n "amirootca" -t ",,C" -i /home/arcamax/config/amirootca.cacert
# Generate the CSR
$CU -R -o csr.txt -a -s "CN=$USER oject signing cert, O=arcamax.com" -v 100
----

----
# Issuing a Signing Certificate from a CSR
# to be done as the admin of the CA
# The csr.txt must be in the current directory.
# A resulting cert.txt file will be created.
NSS=/usr/share/nss-3.9
export LD_LIBRARY_PATH=$NSS/lib
CADB=/home/arcamax/config/nss-ca
CU="$NSS/bin/certutil -d $CADB -f $CADB/capass"
$CU -C -c "arcamax.com" -i csr.txt -a -o cert.txt -1 -2 -5
----

This is where it dies. Top shows 95% CPU usage. I let it run for about 10 minutes on an otherwise idle 466 MHz Celeron with 512MB RAM. I finally did Control-C to kill it.

I also tried the procedure on a RedHat 7.3 box. There it seg faults immediately at the same point in the procedure. In both cases a zero length cert.txt file has been created.

I also attempted to compile from source on the RedHat 7.3 box. I did not find instructions on how to do this. I found this page:
http://www.mozilla.org/projects/security/pki/nss/buildnss_31.html
but it did not work when I tried to translate the version numbers to 3.9.

I tried to download and compile the source tar ball. Again I did not find much in the way of an install procedure. I muddled through running ./configure where it seemed to be needed and then 'make'. I finally got to this error:

gcc -o Linux2.4_x86_glibc_PTH_DBG.OBJ/quickder.o -c -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DXP_UNIX -DDEBUG -UNDEBUG -DDEBUG_bryan -D_REENTRANT -I../../../../dist/Linux2.4_x86_glibc_PTH_DBG.OBJ/include -I../../../../dist/public/nss -I../../../../dist/private/nss -I../../../../dist/public/dbm quickder.c
In file included from quickder.c:40:
secasn1.h:45:21: plarena.h: No such file or directory

A find shows this:

[bryan@pg2 nss-3.9]$ find . -name plarena.h
./mozilla/nsprpub/lib/ds/plarena.h
./mozilla/nsprpub/dist/include/nspr/plarena.h

At this point I am stumped.

BTW: As I work on this I am developing a document of what needs to be done. I can make this available if there is interest.
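An added example, not part of the original post: a pre-flight check to run before `certutil -C`, confirming that the value given to `-c` (which certutil treats as the issuer's nickname) names an entry in the CA database. The post creates the CA certificate with `-n "amirootca"` and issues with `-c "arcamax.com"`, so both values are tested here. The listing is constructed sample text in the nickname-then-trust-flags layout of `certutil -L`, and `sample_listing` and `trust_flags_for` are hypothetical helper names.

```shell
#!/bin/sh
# Pre-flight check for `certutil -C -c <nickname>`: is <nickname> an entry in
# the CA database? Reads a `certutil -L` style listing on stdin.

# Constructed sample listing (assumed layout: nickname, padding, trust flags).
sample_listing() {
cat <<'EOF'
amirootca                                                    ,,C
bryan signing test entry                                     u,u,u
EOF
}

# trust_flags_for NICKNAME
# Prints the trust flags of the entry whose nickname matches exactly.
# Exit status 0 if the nickname is present, 1 if it is not.
trust_flags_for() {
    awk -v want="$1" '
        # Entry lines end in a trust field of the form "x,y,z" (letters only),
        # which skips blank lines and any column-header lines.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust field
            sub(/^[ \t]+/, "", nick)                # drop leading padding
            if (nick == want) { print flags; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo against the constructed listing. Against a real database, replace
# `sample_listing` with:  $NSS/bin/certutil -L -d "$CADB"
for nick in "amirootca" "arcamax.com"; do
    if flags=$(sample_listing | trust_flags_for "$nick"); then
        echo "ok: '$nick' is in the database (trust flags: $flags)"
    else
        echo "missing: '$nick' is not a nickname in the database"
    fi
done
```

Nicknames may contain spaces, so the match is made on the whole text before the trust field rather than on the first word.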