Re: Suggested roadmap for updating OpenSSL on Fremantle
Going over the list of differences between Maemo and Debian, I think we can ignore #2, #4, #7 and #27 since they just remove things that get autogenerated by the build process.
We can ignore #20 and #21 also as those 2 patches only touch things related to x86_64.
We can ignore #16, #17 and #18 because they are already in the latest OpenSSL.
We can ignore #12, #13 and #22 because they are just changing the patch format.
We can ignore #10 since it's clearly never used in building the Maemo OpenSSL.
We can ignore #6 since it's just adding changelog entries.
We can ignore #14 since it's looking for a library that doesn't exist (and also I doubt any file with the right filename is going to get passed to X509_load_cert_file or X509_load_cert_crl_file).
We can probably ignore #9 (in that whatever we need to set debian/config to in the new OpenSSL will be whatever we need to set it to, and what the old code does doesn't matter).
No idea about the CRYPTO_MDEBUG stuff (#5, #6 & #25), the PERL changes (#1 and #3), the postinst change (#11), the cflags patch (#15), the include symlinks (#23 and #24) or the jpaketest.c changes (#25).
Re: Suggested roadmap for updating OpenSSL on Fremantle
Ok so we need someone who knows how the maemo-security-certman stuff works to take a look at http://mxr.mozilla.org/nss/source/li...s/certdata.txt (mozilla root certificate list) and figure out what needs to be done to the root CAs in https://github.com/community-ssu/maemo-security-certman
I don't know how the maemo-security-certman certificate stuff works, otherwise I would give this a go myself :)
Re: Suggested roadmap for updating OpenSSL on Fremantle
List of things that link to (but may not actually call) the maemosec libs: (this relates to the discussion earlier in IRC about certificate stuff). Not counting maemosec-certman-tools in this list.
libmaemosec.so.0:
as-daemon (as-daemon-0, closed source)
browser.launch (tablet-browser-ui, closed source)
eapd (osso-wlan-security, closed source)
libconnui_iapsettings.so.0.0.0 (connui-iapsettings, closed source)
libiap_dialog_gtc_challenge.so (connui-conndlgs-wlan, open source)
libiap_dialog_mschap_change.so (connui-conndlgs-wlan, closed source)
libiap_dialog_private_key_pw.so (connui-conndlgs-wlan, open source)
libiap_dialog_server_cert.so (connui-conndlgs-wlan, open source)
libiap_dialog_wps.so (connui-conndlgs-wlan, closed source)
libiap_wizard_wlan.so (connui-iapsettings-wlan, closed source)
libinternetsettings.so (connui-iapsettings, closed source)
location-proxy (location-proxy, closed source)

libmaemosec_certman.so.0:
as-daemon (as-daemon-0, closed source)
browser.launch (tablet-browser-ui, closed source)
eapd (osso-wlan-security, closed source)
libconnui_iapsettings.so.0.0.0 (connui-iapsettings, closed source)
libiap_dialog_gtc_challenge.so (connui-conndlgs-wlan, open source)
libiap_dialog_mschap_change.so (connui-conndlgs-wlan, closed source)
libiap_dialog_private_key_pw.so (connui-conndlgs-wlan, open source)
libiap_dialog_server_cert.so (connui-conndlgs-wlan, open source)
libiap_dialog_wps.so (connui-conndlgs-wlan, closed source)
libiap_wizard_wlan.so (connui-iapsettings-wlan, closed source)
libinternetsettings.so (connui-iapsettings, closed source)
location-proxy (location-proxy, closed source)

libmaemosec_certman_dialogs.so.0:
browser.launch (tablet-browser-ui, closed source)
libconnui_iapsettings.so.0.0.0 (connui-iapsettings, closed source)
libiap_dialog_gtc_challenge.so (connui-conndlgs-wlan, open source)
libiap_dialog_mschap_change.so (connui-conndlgs-wlan, closed source)
libiap_dialog_private_key_pw.so (connui-conndlgs-wlan, open source)
libiap_dialog_server_cert.so (connui-conndlgs-wlan, open source)
libiap_dialog_wps.so (connui-conndlgs-wlan, closed source)
libiap_wizard_wlan.so (connui-iapsettings-wlan, closed source)
libinternetsettings.so (connui-iapsettings, closed source)

As for NSS, libmaemosec-certman0 postinst diverts libnssckbi.so (normally part of NSS source tree) and replaces it with a symlink to libmaemosec_certman.so.0. The only user of libnssckbi.so is libnss3.so.
Re: Suggested roadmap for updating OpenSSL on Fremantle
Looks like the source for the ca-certificates package from Debian contains a Python script to convert the Mozilla certificates file to the format we need (certdata2pem.py), so that should make things easier.
The last commit from anyone at Nokia (the Nov 27 2011 commit) matches the Mozilla NSS certificates file as of mozilla-central changeset 2432457fa32b. Does anyone know where the filenames for the certificates (e.g. 00d85a4c25c122e58b31ef6dbaf3cc5f29f10d61-1.pem) come from? What is that string of numbers?
Re: Suggested roadmap for updating OpenSSL on Fremantle
openssl x509 -in <cert.pem> -text -noout will show you that information (and a bunch more).
Re: Suggested roadmap for updating OpenSSL on Fremantle
Ok, my suggestion for how to proceed with updating the certificates is as follows:
1. Take certdata2pem.py from the Debian ca-certificates package.
2. Modify certdata2pem.py so it spits out files named as required for Maemo (creating files in either the blacklist or common-ca directories as appropriate, as well as adding the certificates to the certman.blacklist and certman.common-ca files via cmcli).
3. Run the result on the certdata.txt as of mozilla-central commit 2432457fa32b (which should match the fc21ae95be7f44189be2360d445f4fe3f10ab712 commit in maemo-security-certman).
4. Make sure the output matches the fc21ae95be7f44189be2360d445f4fe3f10ab712 commit in maemo-security-certman (this will verify that there are no special certs in there that Maemo has but Mozilla does not, as well as verifying that we get the expected output from the modified Python script).
5. Run the script on the latest certdata.txt from Mozilla.
6. If step 4 showed any special certificates that are only found in Maemo (or, for that matter, any certificates Mozilla no longer trusts but that Maemo needs to trust for some reason), add those manually.
7. Verify that it correctly blacklisted the certificates from maemo-security-certman 0be038825a98dae2d80fd411a02cb4c86ed1b36a and correctly ordered the certificates from maemo-security-certman 2cbd96e89d7529e1ce25801824fb76f39b05b836.
8. Stick all the results into Git and the new maemo-security-certman into CSSU.
9. Stick the tools and notes into Git somewhere so we can keep maemo-security-certman up to date with the latest Mozilla certs going forward.

I would do this except I don't know the first thing about Python... Or of course we can try and track down Juhani Mäkelä and ask him to share whatever tools and tricks he used to update the certificates :P
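The post asking how certdata.txt becomes per-certificate PEM files with Maemo's filenames, and step 2 of the roadmap above (split the output into blacklist and common-ca), both come down to the same job: parse the NSS certdata.txt layout, pair each certificate object with its trust object, and bucket by trust flags. The following is an added example written for this thread; it is not Debian's certdata2pem.py, not Juhani Mäkelä's parse-certdata-txt.c, and not code from maemo-security-certman. It assumes trust objects pair with certificate objects by CKA_LABEL (how NSS lays the file out), and, because the filename asked about is 40 hex characters, the length of a SHA-1 digest, it names files by the SHA-1 of the DER plus the "-1.pem" suffix seen in the thread; the thread does not confirm that naming rule. The sample input is constructed and its DER blobs are fake bytes, not real certificates.

```python
"""Sort a Mozilla certdata.txt into trusted (common-ca) and distrusted (blacklist)
PEM files. Added example; not certdata2pem.py and not maemo-security-certman code.
Assumptions: trust objects pair with certificates by CKA_LABEL; output filenames
are the SHA-1 of the DER + "-1.pem" (not confirmed by the thread)."""
import base64
import hashlib
import re
import textwrap

# Constructed sample in the certdata.txt layout. The DER values are fake bytes.
SAMPLE_CERTDATA = r"""
# Constructed sample, not real Mozilla data
BEGINDATA

# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001
\001
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}  # newer and older NSS names
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
DISTRUSTED = {"CKT_NSS_NOT_TRUSTED", "CKT_NETSCAPE_UNTRUSTED"}
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")


def parse_certdata(text):
    """Return a list of objects (dict CKA_* -> value). An object starts at each
    CKA_CLASS line; MULTILINE_OCTAL values run until END and decode \\ooo to bytes."""
    objects, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError("malformed line %d: %r" % (i, line))
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            while i < len(lines) and lines[i].strip() != "END":
                buf.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", lines[i]))
                i += 1
            if i >= len(lines):
                raise ValueError("unterminated MULTILINE_OCTAL for %s" % attr)
            i += 1  # consume END
            value = bytes(buf)
        else:
            value = parts[2] if len(parts) == 3 else ""
            if typ == "UTF8":
                value = value.strip('"')
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute %s before any CKA_CLASS" % attr)
        current[attr] = value
    return objects


def to_pem(der):
    """Wrap DER in the PEM armour OpenSSL reads (64-column base64 lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def filename_for(der):
    """Assumed naming: SHA-1 of the DER, hex, plus the -1.pem suffix from the thread."""
    return hashlib.sha1(der).hexdigest() + "-1.pem"


def sort_certificates(objects):
    """Pair trust objects with certificates by label. Policy used here: any
    distrust flag -> blacklist; server-auth trusted -> common-ca; else skipped."""
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    buckets = {"common-ca": {}, "blacklist": {}, "skipped": []}
    for obj in objects:
        if obj.get("CKA_CLASS") not in TRUST_CLASSES:
            continue
        label, der = obj["CKA_LABEL"], certs.get(obj["CKA_LABEL"])
        flags = {obj.get(a) for a in TRUST_ATTRS}
        if der is None or not (flags & DISTRUSTED or obj.get("CKA_TRUST_SERVER_AUTH") in TRUSTED):
            buckets["skipped"].append(label)  # no cert body, or MUST_VERIFY_TRUST only
            continue
        bucket = "blacklist" if flags & DISTRUSTED else "common-ca"
        buckets[bucket][filename_for(der)] = {"label": label, "pem": to_pem(der)}
    return buckets


if __name__ == "__main__":
    result = sort_certificates(parse_certdata(SAMPLE_CERTDATA))
    for bucket in ("common-ca", "blacklist"):
        for name, entry in sorted(result[bucket].items()):
            print("%-10s %s  (%s)" % (bucket, name, entry["label"]))
```

Running it over the real certdata.txt twice, once at changeset 2432457fa32b and once at the current tip, and diffing the two sets of filenames is the check step 4 asks for: any file present in the maemo-security-certman commit but absent from the first run is a Maemo-only certificate that has to be carried over by hand.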
Re: Suggested roadmap for updating OpenSSL on Fremantle
I was able to track down Juhani Mäkelä (original Nokia developer for maemo-security-certman) who sent me a parse-certdata-txt.c file that parses the Mozilla certdata.txt file. Now I am waiting to see if he can help me with the exact steps to take the output of parse-certdata-txt and get it into the right place in the maemosec-certman-common-ca package.
So it looks like there should be no problem getting the latest set of root CAs into CSSU.