[kmf-discuss] Re: bfu problems with on-closed-bins-20070409.i386.tar.bz2 [Heads Up: elfs
Jürgen Keil
jk at tools.de
Mon Apr 23 01:57:24 PDT 2007
Seems I found something; I wrote:

> Problem is that after the bfu, elfsign fails verification
> for the kernel module /kernel/crypto/arcfour. This
> breaks WEP support for the wlan driver "ipw", and it seems
> as a result of this, my machine was unable to boot into
> multiuser mode (the kernel complains about /kernel/crypto/arcfour
> module verification errors).
>
>
> I'm seeing errors like this:
>
> # elfsign verify -v /kernel/crypto/arcfour
> elfsign: verification of /kernel/crypto/arcfour failed.
> format: rsa_md5_sha1.
> signer: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10.
..
> Question is: how do we bfu upgrade to newer onnv
> bits? Is the certificate file /etc/crypto/certs/SUNWObjectCA
> invalid?

The problem is that the opensolaris mercurial repository
doesn't have the SCCS keywords expanded any more:

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA

Note the ident "%Z%%M% %I% %E% SMI" line in this
file. Problem is that /usr/lib/libelfsign.so.1 has the
MD5 checksum of both /etc/crypto/certs/CA and
/etc/crypto/certs/SUNWObjectCA compiled into
the libelfsign.so shared library and the code refuses to
use these certs if their MD5 checksum doesn't match
the compiled-in values:

% strings - /usr/lib/libelfsign.so.1 | /usr/xpg4/bin/grep -E '^[0-9a-f]{32}$'
4ede9ecb4868c0d2683b602f71596085 <<--- MD5: "SUNWObjectCA"
2646d63d62617aeae629d85cbd5daefc <<--- MD5: "CA"

% gmd5sum /etc/crypto/certs/CA /etc/crypto/certs/SUNWObjectCA
2646d63d62617aeae629d85cbd5daefc /etc/crypto/certs/CA
a8e0f35c570d3b379424f99f8ef5d409 /etc/crypto/certs/SUNWObjectCA

I had to use the following patch, which restores the original expanded
SCCS keyword values, so that the MD5 checksum for SUNWObjectCA
matches the value that is compiled into libelfsign.so.1:

diff -r 4c31c5bc2389 usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA
--- a/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA Fri Apr 20 06:09:57 2007 -0700
+++ b/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA Sat Apr 21 14:36:43 2007 +0200
@@ -20,7 +20,7 @@ Copyright 2007 Sun Microsystems, Inc. A
Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-ident "%Z%%M% %I% %E% SMI"
+ident "@(#)SUNWObjectCA 1.1 07/01/08 SMI"
Subject: O=Sun Microsystems Inc, OU=VeriSign Trust Network,
OU=Class 2 OnSite Subscriber CA, CN=Object Signing CA
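
Review bot: the `+ident "@(#)SUNWObjectCA 1.1 07/01/08 SMI"` line pins a version and date string by hand, and nothing records that this line (like the Copyright and Subject context lines around it) is part of the bytes whose MD5 is compiled into libelfsign.so.1, so the next edit to this header will break verification the same way. A comment inside the file would itself change the checksum, so state the byte-for-byte constraint in the commit message, and consider as a follow-up having the check cover only the certificate body rather than the header text.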
This message posted from opensolaris.org
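
The failure described in this post can be reproduced and audited with a small script. This is an added example, not part of the original post or of the Solaris code: `check_cert`, `make_cert` and the pins file are hypothetical names, the cert text is constructed (not the real SUNWObjectCA), and it assumes `md5sum` (the post's `gmd5sum`) is on PATH.

```shell
#!/bin/sh
# Added example: shows how a whole-file MD5 pin breaks when only the
# ident line changes, and audits a file against a list of pinned digests.

md5_of() { md5sum "$1" | awk '{print $1}'; }

# check_cert PINS FILE
# PINS: saved output of `strings - <library>`; only 32-hex-digit lines count.
# Returns 0 when FILE's MD5 is one of the pinned digests, 1 when it is not.
check_cert() {
    sum=$(md5_of "$2")
    if grep -E '^[0-9a-f]{32}$' "$1" | grep -qxF "$sum"; then
        echo "OK        $sum  $2"
    else
        echo "MISMATCH  $sum  $2"
        return 1
    fi
}

# make_cert FILE IDENT: write a constructed cert file whose only variable
# part is the ident line, as in the diff above.
make_cert() {
    printf '%s\n' 'Use is subject to license terms.' "ident \"$2\"" \
        'Subject: CN=Constructed Example CA' > "$1"
}

demo() {
    d=$(mktemp -d) || return 2
    make_cert "$d/expanded"   '@(#)SUNWObjectCA 1.1 07/01/08 SMI'
    make_cert "$d/unexpanded" '%Z%%M% %I% %E% SMI'
    # Stand-in for the library's string table: noise plus the digest of the
    # keyword-expanded file, i.e. what was current when the library was built.
    { echo 'libelfsign.so.1'; md5_of "$d/expanded"; echo 'not-a-digest'; } > "$d/pins"
    check_cert "$d/pins" "$d/expanded"   && a=0 || a=$?
    check_cert "$d/pins" "$d/unexpanded" && b=0 || b=$?
    rm -rf "$d"
    # The expanded file matches its pin; the unexpanded one must not.
    [ "$a" -eq 0 ] && [ "$b" -eq 1 ]
}

demo
```

On a real system the pins file would be the saved output of the `strings` command shown in the post, and `check_cert` would be run against each file under /etc/crypto/certs after a bfu.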