Notary: Difference between revisions

From MozillaWiki
Revision as of 23:06, 28 May 2007

Notary

A XULRunner application for signing extensions.

Planned

  • Allow self-signed certificates. This could be for people who may choose not to use AMO.
  • Create certificate requests? (I don't know what this is exactly. I only came across it. I have not been able to create one yet.) I think this could be very useful if Mozilla can find an arrangement with a certificate authority.
  • I think this should be more of an application rather than a wizard. Maybe include information about a certificate and certificate authorities (this will probably be more or less the same as you get when you open up the certificate manager in Firefox).

Questions that get answered in time

  • How do we load certificates? From a file? From a website (can you do it from a website?)? I have only used self-signed certificates, and those usually come from files.
  • How should this be related to Mozilla products (Firefox/Thunderbird)? From my understanding, Firefox and Thunderbird have different certificate files, for different profiles. Should we just use Firefox's? Should this be for a particular profile? Maybe I am not understanding this correctly.

Hurdles

  • I am finding it difficult to get information on loading certificates. I think the function I am using is unable to do what I expect it to do. That is, nsIX509CertDB doesn't actually handle databases (e.g. cert8.db in Firefox), but rather many individual certificates.
    While trying to find answers to whether nsIX509CertDB can handle the cert8.db file, I got the following response:
    “cesar: there are probably fewer than 3 people who might be able to answer your question w/o reading the sources. and they probably areds”

    While reading the source, it seems that *.db files aren't really accepted, but rather .crt and .cert (and more) files. So it looks like it only accepts individual files, which it compiles into a database.
  • Learning about security and how it works around FF should give me a better understanding of how to better accomplish my goals. I am not a security expert, just paranoid :)

Timeline

Task                                     | Priority   | Status
List all known certificate authorities   | Done / Low | Done. See notes. This was done first, even though it is low priority.
Check if a certificate is already signed | High       |
Sign a certificate                       | High       |
Import Certificates                      | Medium     | For self-signed certificates
Blog about this; promote it              | High       | This project is worthless without promotion

More to come later.

Notes

This is stuff that I write down because it took me many wasted hours to get it.

Regarding importing/loading Certificates into XULRunner

File      | What is this
secmod.db | PKCS #11 module information (I think this is hardware related. Hardware sucks, so forget this.)
key3.db   | keys database (whatever this means)
cert8.db  | certificates (.crt files?). This is a Berkeley DB file according to the file command.
  • Unlike the name suggests, nsIX509CertDB.importCertsFromFile is not for importing certs from a database file. It is rather for importing a single CA certificate (stupid plural) from a file. XPCShell will crash and burn even if you are loading a valid certificate. XULRunner will not, however. Important note to keep in mind while developing.
  • It is also good to note that cert8.db, key3.db, and secmod.db do not exist until you use the function for the first time. XULRunner does not create these files when creating a profile.
  • Importing saves automatically.
  • The best solution (IMO) is to copy over certificates from firefox, and use them.

Regarding Certificates in trees

I thought I could get away with empty <tree></tree> and loading it similar to how the browser does it. But this needs more work.

The process goes something like this:

  1. Cache your certificates using nsscertcache
  2. Create an nsCertTree and loadCertsFromCache (In my situation, I passed nsIX509Cert.CA_CERT for Certificate Authorities)
  3. Take the XUL tree object, grab treeBoxObject.view, and set it to your nsCertTree that you created above.

This requires, at minimum, a tree, a treecol, and an empty treechildren. It will fill up with 100+ rows of certificate authorities, which is correct, but they are all blank.

Once again, mxr to the rescue. It seems that your treecols need very specific IDs for this to work, which isn't documented as far as I know. These are:

ID       | What is this
certcol  | Certificate Name
tokencol | Security Device

I think those are the only two. So there should be two cols, with those ids.
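The three-step tree-loading process above, together with the treecol ID check, as an added example (not code from this page or from Mozilla's certificate manager). It assumes XULRunner's `Components` object is passed in as a parameter rather than used as a global, so the same function can be exercised outside XULRunner with a stand-in; it is written in the plain JavaScript of the XULRunner era.

```javascript
// Added example: fill a XUL <tree> with CA certificates from the NSS database.
// `Components` (XPCOM entry point) is taken as a parameter by assumption so the
// function can run against a stand-in outside XULRunner.

var REQUIRED_TREECOL_IDS = ["certcol", "tokencol"];

// Returns the required treecol IDs that `treeEl` (a XUL <tree>) lacks.
// Rows are still created without them, but every cell stays blank.
function missingTreecolIds(treeEl) {
  var cols = treeEl.getElementsByTagName("treecol");
  var present = {};
  for (var i = 0; i < cols.length; i++) {
    present[cols[i].getAttribute("id")] = true;
  }
  var missing = [];
  for (var j = 0; j < REQUIRED_TREECOL_IDS.length; j++) {
    if (!present[REQUIRED_TREECOL_IDS[j]]) {
      missing.push(REQUIRED_TREECOL_IDS[j]);
    }
  }
  return missing;
}

// Loads the CA certificates into `treeEl` and returns the installed view.
function loadCaCertTree(Components, treeEl) {
  var missing = missingTreecolIds(treeEl);
  if (missing.length > 0) {
    throw new Error("tree is missing treecol id(s): " + missing.join(", "));
  }
  var Cc = Components.classes;
  var Ci = Components.interfaces;

  // Step 1: cache every certificate NSS knows about.
  var certCache = Cc["@mozilla.org/security/nsscertcache;1"]
                    .createInstance(Ci.nsINSSCertCache);
  certCache.cacheAllCerts();

  // Step 2: build a cert tree view from the cache, CA certificates only.
  var certTree = Cc["@mozilla.org/security/nsCertTree;1"]
                   .createInstance(Ci.nsICertTree);
  certTree.loadCertsFromCache(certCache, Ci.nsIX509Cert.CA_CERT);

  // Step 3: hand the view to the XUL tree's box object.
  treeEl.treeBoxObject.view = certTree;
  return certTree;
}
```

In a XULRunner window, call `loadCaCertTree(Components, document.getElementById("ca-tree"))` after the tree with its two treecols has been parsed.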

Feedback

I appreciate any comments/suggestions/criticisms. But please post anything in the discussion page.