Newsgroups: mozilla.dev.security
From: Aditya Ivaturi <ivat...@gmail.com>
Date: Fri, 7 Aug 2009 11:29:30 -0700 (PDT)
Local: Fri, Aug 7 2009 2:29 pm
Subject: cert_override.txt format
If my question doesn't belong in this group, please let me know which one I should post in, thanks.

We use Selenium for web testing automation. And one of the biggest

Another simple & probably effective solution is to populate the
Newsgroups: mozilla.dev.security
From: Johnathan Nightingale <john...@mozilla.com>
Date: Fri, 7 Aug 2009 14:47:09 -0400
Local: Fri, Aug 7 2009 2:47 pm
Subject: Re: cert_override.txt format
I suspect you want to base64 encode the binary value of the serial, not the ASCII representation output by openssl. That is, you don't want to base64 the _string_ "08 BE 4F..." you want to base64 encode the binary byte array with values 0x08, 0xBE, 0x4F, etc.

Does that help?

Cheers,
Johnathan

On 7-Aug-09, at 2:29 PM, Aditya Ivaturi wrote:

Johnathan Nightingale
Human Shield
john...@mozilla.com
Newsgroups: mozilla.dev.security
From: Sid Stamm <s...@mozilla.com>
Date: Fri, 07 Aug 2009 11:50:24 -0700
Local: Fri, Aug 7 2009 2:50 pm
Subject: Re: cert_override.txt format
On 8/7/09 11:47 AM, Johnathan Nightingale wrote:
>> - "Certificate's serial number and the issuer name as a base64 encoded
>> string". I can get the cert's serial number & issuer name using
>> openssl, but a simple base64 encoding of those values doesn't seem to
>> be right. Can anyone please tell me (or point me to a location) how
>> this magic string is generated?
>
> I suspect you want to base64 encode the binary value of the serial, not
> the ASCII representation output by openssl. That is, you don't want to
> base64 the _string_ "08 BE 4F..." you want to base64 encode the binary
> byte array with values 0x08, 0xBE, 0x4F, etc.

Johnathan is right on. I think you need to generate a base64-encoded version of the binary values (not the textual serializations). I did something similar when playing with EV certificates, and the method I used to get these encoded values involved patching NSS tools to spit them out.

I wrote up some rough "how to install an ev root" instructions a while

http://evssl-trust.sidstamm.com/firefox-evca.html#patch-source
http://evssl-trust.sidstamm.com/firefox-evca.html#build-nss
http://evssl-trust.sidstamm.com/firefox-evca.html#install-ca-and-ev

Hope this is helpful.

-Sid
Newsgroups: mozilla.dev.security
From: Aditya Ivaturi <ivat...@gmail.com>
Date: Sun, 9 Aug 2009 15:24:25 -0700 (PDT)
Local: Sun, Aug 9 2009 6:24 pm
Subject: Re: cert_override.txt format
> Johnathan is right on. I think you need to generate a base64-encoded
> version of the binary values (not the textual serializations).

Based on this blog post here http://www.jessies.org/~car/blog/200907081926-for-firefox-sake.php, it is actually base64 encoding of a block of memory - a long int containing the der representation of serial number and the issuer name. Chris's (the author of that blog post) hack produces the exact notation of the string that you see in the cert_override.txt under your profile directory. So it is the nsNSSCertificate::GetDbKey() that actually generates that string for you.

> I did
> something similar when playing with EV certificates, and the method I
> used to get these encoded values involved patching NSS tools to spit
> them out.

I did try your patch and it produced the base64 output as you mentioned. But it was different from the format that you see in cert_override.txt, where that magic string starts with a sequence of "AAAA...". But interestingly enough, your string also worked. When I injected the self-signed cert into cert8.db & populated the cert_override.txt with your magic string output from pp, firefox accepted it! So now, this throws another wrench in my understanding of how FF actually deals with cert_override. Does the exact format of the magic string actually matter? Or does firefox just check for the certificate in its cert store (cert8.db) & verify cert fingerprint in cert_override.txt and allow access to the site?
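Added example (not code from any poster in this thread or from Mozilla): a Python sketch of Johnathan's point about encoding the binary serial rather than openssl's text, and of the "AAAA..." prefix Aditya describes. The 16-byte header layout in `build_db_key` is an assumption about what nsNSSCertificate::GetDbKey() emitted at the time, and the format is a private interface that can change; the sample serial and issuer name are constructed.

```python
import base64
import struct

# Constructed sample values, not taken from any real certificate.
SAMPLE_SERIAL_TEXT = "08 BE 4F"  # the way openssl prints a serial
# DER Name for CN=test: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }
SAMPLE_ISSUER_DER = bytes.fromhex("300f310d300b06035504030c0474657374")

def serial_text_to_bytes(openssl_serial: str) -> bytes:
    """Convert '08 BE 4F' or '08:BE:4F' into the raw bytes 0x08 0xBE 0x4F."""
    return bytes.fromhex(openssl_serial.replace(":", "").replace(" ", ""))

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def build_db_key(serial: bytes, issuer_der: bytes) -> str:
    """Assumed layout: two zeroed 32-bit fields, then the serial length and
    issuer length as 32-bit big-endian integers, then serial, then issuer DER."""
    header = struct.pack(">IIII", 0, 0, len(serial), len(issuer_der))
    return b64(header + serial + issuer_der)

def parse_db_key(db_key: str):
    """Split a key back into (serial, issuer_der), rejecting bad lengths."""
    raw = base64.b64decode(db_key, validate=True)
    if len(raw) < 16:
        raise ValueError("key is shorter than the 16-byte header")
    _, _, serial_len, issuer_len = struct.unpack(">IIII", raw[:16])
    if len(raw) != 16 + serial_len + issuer_len:
        raise ValueError("length fields do not match the payload size")
    return raw[16:16 + serial_len], raw[16 + serial_len:]

if __name__ == "__main__":
    serial = serial_text_to_bytes(SAMPLE_SERIAL_TEXT)
    print("base64 of the text  :", b64(SAMPLE_SERIAL_TEXT.encode("ascii")))
    print("base64 of the bytes :", b64(serial))
    key = build_db_key(serial, SAMPLE_ISSUER_DER)
    print("dbKey-style string  :", key)
    print("round trip ok       :", parse_db_key(key) == (serial, SAMPLE_ISSUER_DER))
```

The zeroed leading fields and small length values are what make the encoded string begin with a run of "A" characters.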
Newsgroups: mozilla.dev.security
From: Sid Stamm <s...@mozilla.com>
Date: Mon, 10 Aug 2009 15:32:06 -0700
Local: Mon, Aug 10 2009 6:32 pm
Subject: Re: cert_override.txt format
> I did try your patch and it produced the base64 output as you
> mentioned. But it was different from the format that you see in
> cert_override.txt, where that magic string starts with a sequence of
> "AAAA...". But interestingly enough, your string also worked. When I
> injected the self-signed cert into cert8.db & populated the
> cert_override.txt with your magic string output from pp, firefox
> accepted it! So now, this throws another wrench in my understanding of
> how FF actually deals with cert_override. Does the exact format of the
> magic string actually matter? Or does firefox just check for the
> certificate in its cert store (cert8.db) & verify cert fingerprint in
> cert_override.txt and allow access to the site?

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/sr...

This is a bit of NSS that reads the cert_override.txt file in case you

I'm not an expert in this bit of code, however, so I'm just making a

-Sid
Newsgroups: mozilla.dev.security
From: Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
Date: Wed, 12 Aug 2009 08:25:40 -0700
Local: Wed, Aug 12 2009 11:25 am
Subject: Re: cert_override.txt format
On 2009-08-10 15:32 PDT, Sid Stamm wrote:
> http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/sr...
> This is a bit of NSS that reads the cert_override.txt file

It's not NSS. If it was NSS, you would see /nss/ in the path name above.

It's PSM, and the format of the file is a private interface, which means that it could change at any time in any release or any update. So, just be aware of that, and don't be upset if it changes.
Newsgroups: mozilla.dev.security
From: Sid Stamm <s...@mozilla.com>
Date: Wed, 12 Aug 2009 09:43:49 -0700
Local: Wed, Aug 12 2009 12:43 pm
Subject: Re: cert_override.txt format
On 8/12/09 8:25 AM, Nelson Bolyard wrote:
> On 2009-08-10 15:32 PDT, Sid Stamm wrote:
>> http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/sr...
>> This is a bit of NSS that reads the cert_override.txt file
> It's not NSS. If it was NSS, you would see /nss/ in the path name above.

Oops... my bad, sorry Nelson.

-Sid
Newsgroups: mozilla.dev.security
From: Aditya Ivaturi <ivat...@gmail.com>
Date: Wed, 12 Aug 2009 10:50:57 -0700 (PDT)
Local: Wed, Aug 12 2009 1:50 pm
Subject: Re: cert_override.txt format
> It's not NSS. If it was NSS, you would see /nss/ in the path name above.
> It's PSM, and the format of the file is a private interface, which means
> that it could change at any time in any release or any update. So, just
> be aware of that, and don't be upset if it changes.

There is an active feature request in Selenium project to handle the self-signed certificate issue. So this is more or less an interim solution for us.
Newsgroups: mozilla.dev.security
From: Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
Date: Fri, 07 Aug 2009 16:26:14 -0700
Local: Fri, Aug 7 2009 7:26 pm
Subject: Re: cert_override.txt format
On 2009-08-07 11:29 PDT, Aditya Ivaturi wrote:
> If my question doesn't belong in this group, please let me know which
> one I should post in, thanks.
> We use Selenium for web testing automation. And one of the biggest

Why not set yourself up with a little CA, and issue all your certs from it? That's what NSS QA test scripts do. It's no harder to issue real certs from your real CA than to issue self-signed certs, and the results are infinitely simpler to deal with.

You probably use a single command line command to issue your self-signed certs. With a different single command (probably using the very same tool) you could be issuing certs that have NO need of any invalid cert overrides.
Newsgroups: mozilla.dev.security
From: Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
Date: Fri, 07 Aug 2009 16:35:45 -0700
Local: Fri, Aug 7 2009 7:35 pm
Subject: Re: cert_override.txt format