ronmac1
...@gmail.com wrote:
> My
>> question is how can I make an assigned set of CA certs be available
>> for any user that logs into the client. If I export these from IE,
>> then import them into Mozilla. I want them added so that the first time a user logs into the system, they are present. This is a classified system, so the certs are classified Thanks, Mac
Actually, the root certs are stored in a file called libnssckbi.so or
libnssckbi.dll depending on linux or windows (I can't speak to other
platforms). I have successfully built my own libnssckbi on Linux. You
cannot actually delete the certs from that file as it is read-only. If
you do try you will notice they all come back when you restart Mozilla.
They will, however, no longer be trusted. There's been some
discussion on here about this behavior and ultimately it's better for
the end user. I believe the changes you made in the trust status will
get stored in the profile's cert8.db.
I created the following "script" for regenerating the libnssckbi each
time I want to add/remove certs. I couldn't figure out how to in-line
the perl so I created a separate file called chop-dn.pl which contains
that part. You can see the attempt at calling "perl -e" on one of the
commented out lines. I am by no means a master scripter, but it does
the job for me. I run the script on a Fedora Core 4 box inside a
directory containing all of the base64 (PEM) encoded certs I want in the
libnssckbi and it does everything else for me.
Something I am doing that you probably won't want to is I am adding
non-root certs to the module (from the line "mv certdata.txt user" to
"cd ../". The script will set SSL and EMAIL trust bits on any ca that
has "root" in the CN. If you also want code signing trust you will have
to modify that line. You can easily remove the if block and just call
the same addbuiltins command on all the certs you have. I also add
intermediate CAs but I do not set the trust bit on them. I found out
that the addbuiltins command doesn't pay attention to all the trust
flags that it is supposed to so a stock NSS 3.11.2 addbuiltins command
will not correctly add any certs with the "c" trust flag. This bug
outlines that: https://bugzilla.mozilla.org/show_bug.cgi?id=348882.
Oh...and credit to this CACert blog entry which got me started (but
isn't completely up to date): http://wiki.cacert.org/wiki/NSSLib
Dave
main script:
#!/bin/bash
#
# Name of certdata file (this shouldn't really change)
#
CERTDATA="certdata.txt"
#
# Some directories we'll use later
#
#NSS_BASE=/usr/local/src/nss-3.10
NSS_BASE=/mnt/public/NSS/nss-3.11.2
NSS_BUILD_DIR=$NSS_BASE/mozilla/security/nss
BUILTINS=$NSS_BUILD_DIR/lib/ckfw/builtins
#
# Cleanup DER encoded cert files from previous run
#
for CERT in $( ls *.der ); do
rm -f $CERT
done
#
# Backup the last few libnssckbi's we built...
#
mv --force libnssckbi.so-2 libnssckbi.so-3
mv --force libnssckbi.so-1 libnssckbi.so-2
mv --force libnssckbi.so libnssckbi.so-1
#
# Prepare a new certdata.txt template
#
echo ""
echo "Preparing new certdata file"
echo 'CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.37 $ $Date:
2005/04/18 16:08:07 $"' > $CERTDATA
echo "#" >> $CERTDATA
echo "# The object to tell NSS that this is a root list and we don't" >>
$CERTDATA
echo "# have to go looking for others." >> $CERTDATA
echo "#" >> $CERTDATA
echo "BEGINDATA" >> $CERTDATA
echo "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST" >> $CERTDATA
echo "CKA_TOKEN CK_BBOOL CK_TRUE" >> $CERTDATA
echo "CKA_PRIVATE CK_BBOOL CK_FALSE" >> $CERTDATA
echo "CKA_MODIFIABLE CK_BBOOL CK_FALSE" >> $CERTDATA
echo 'CKA_LABEL UTF8 "Mozilla Builtin Roots"' >> $CERTDATA
echo "" >> $CERTDATA
#
# Convert certificates to DER and add to certdata file
#
echo ""
echo "Converting certificates to DER and adding to certdata file"
for CERT in $( ls *.crt | cut -d. -f1 ); do
#convert PEM cert to DER encoding
openssl x509 -in $CERT.crt -out $CERT.der -outform DER
#pretty-print cert, grep out the subject line, pass that line
to perl
#+ script which tokenizes the line and gives me back just the
CN=foo part
#+ then use cut to remove the CN=...this is the nickname we'll use
NICKNAME=`openssl x509 -in $CERT.der -inform DER -text | grep
-i subject: | perl chop-dn.pl | cut -d= -f2`
# NICKNAME=`openssl x509 -in $CERT.der -inform DER -text | grep -i
subject: | perl -e '@tokens = split(', ',<STDIN>); print
$tokens[$#tokens];' | cut -d= -f2`
echo $NICKNAME
#append the cert to the certdata.txt file which will end up being
#+ the built-in roots module
echo $NICKNAME | grep -Eiq "root"
if [ "$?" -eq 0 ]
then
addbuiltin -n "${NICKNAME}" -t "CT,C,c" < $CERT.der >>
certdata.txt
else
addbuiltin -n "${NICKNAME}" -t "c,c,c" < $CERT.der >>
certdata.txt
fi
done
mv certdata.txt user
cd user
echo ""
echo "Adding user certs with specific nicknames"
for CERT in $( ls *.crt | cut -d. -f1 ); do
openssl x509 -in $CERT.crt -out $CERT.der -outform DER
echo $CERT
addbuiltin -n "${CERT}" -t ",," < $CERT.der >> certdata.txt
done
mv certdata.txt ../
cd ../
#
# Move certdata file to builtins location
#
echo ""
echo "Moving certdata file to builtins location"
mv -f $CERTDATA $BUILTINS
#
# Process new certdata file
#
echo ""
echo "Processing new certdata file (ignore Perl warning...)"
cd $BUILTINS
make generate
cd -
#
# Rebuild NSS to create new libnssckbi.so file
#
echo ""
echo "Rebuilding NSS (quietly) to create new libnssckbi.so file"
cd $NSS_BUILD_DIR
make -s nss_build_all > /dev/null 2>&1
cd -
#
# Copy libnssckbi.so to current directory
#
echo ""
echo "Copying libnssckbi.so to current directory"
cp $BUILTINS/Linux2.6_x86_glibc_PTH_DBG.OBJ/libnssckbi.so .
echo "Copying libnssckbi.so to /mnt/public/linux-dev/nss"
cp libnssckbi.so /mnt/public/linux-dev/nss
echo ""
echo "*** All done ***"
and chop-dn.pl:
#!/usr/bin/perl
$line = <STDIN>;
@tokens = split(', ',$line);
print $tokens[$#tokens];
