Notary

From MozillaWiki

A XULRunner application for signing extensions.

Planned

  • Allow self-signed certificates. This could be for people who may choose not to use AMO.
  • Create certificate requests? (I don't know exactly what this is; I only came across it and have not been able to create one yet.) I think this could be very useful if Mozilla can find an arrangement with a certificate authority.
  • I think this should be more of an application rather than a wizard. Maybe include information about a certificate and certificate authorities (this will probably be more or less the same as what you get when you open the certificate manager in Firefox).

Questions that get answered in time

  • How do we load certificates? From a file? From a website (can you do it from a website)? I have only used self-signed certificates, and those usually come from files.
  • How should this relate to Mozilla products (Firefox/Thunderbird)? From my understanding, Firefox and Thunderbird have different certificate files for different profiles. Should we just use Firefox's? Should this be for a particular profile? Maybe I am not understanding this correctly.

Hurdles

  • I am finding it difficult to get information on loading certificates. I think the function I am using is unable to do what I expect it to do; that is, nsIX509CertDB doesn't actually handle databases (e.g. cert8.db in Firefox), but rather many individual certificates.
    While trying to find answers to whether nsIX509CertDB can handle the cert8.db file, I got the following response:
    “cesar: there are probably fewer than 3 people who might be able to answer your question w/o reading the sources. and they probably areds”

    While reading the source, it seems that *.db files aren't really accepted, but rather .crt and .cert (and more) files. So it looks like it only accepts individual files, which it compiles into a database.
  • Learning about security and how it works around Firefox should give me a better understanding of how to accomplish my goals. I am not a security expert, just paranoid :)

Timeline

Task | Priority | Status
List all known certificate authorities | Low | Done. See notes. This was done first, even though it is low priority.
Check if a certificate is already signed | High |
Sign a certificate | High |
  • I am looking into signtool to see how it does it.
  • It looks like the only way I can do this is to make my own XPCOM objects in C++. This makes me sad (see below).
  • signtool doesn't seem to use NSS lib functions, directly at least. It seems to be using its own functions to create the META-INF and subfiles. This translates into a lot more work for me.
Import certificates | Medium |
  • For self-signed certificates
  • I think this is the intention of nsIX509CertDB
Blog about this; promote it | High | This project is worthless without promotion
  • I started a blog to keep track of this as well as other projects
Differentiate between public certificates and signing certificates | Low |
  • This is easy. There is a function that checks for it.

More to come later.

Notes

This is stuff that I write down because it took me many wasted hours to get it.

Regarding importing/loading Certificates into XULRunner

File | What is this
secmod.db | PKCS #11 module information (I think this is hardware related. Hardware sucks, so forget this.)
key3.db | keys database (whatever this means)
cert8.db | certificates (.crt files?). This is a Berkeley DB file according to the file command.
  • Unlike what the name suggests, nsIX509CertDB.importCertsFromFile() is not for importing certs from a database file. It is rather for importing a single CA certificate (stupid plural) from a file. XPCShell will crash and burn even if you are loading a valid certificate; XULRunner will not, however. Important note to keep in mind while developing.
  • It is also good to note that cert8.db, key3.db, and secmod.db do not exist until you use the function for the first time. XULRunner 1.8.1.3 does not create these files when creating a profile. You can copy over *.db certificate files from a Firefox directory instead.
  • The latest trunk version at the time of writing (1.9a I guess, 2007-05-30) does create *.db files. However, despite being 64/128/128 KB in size, there is nothing in them. So when you first load Notary, there are 0 rows. I created a test certificate and put it in, and that seemed to load it. You cannot copy over certificates from Firefox. I do not know how to fix this.
  • Importing certificates using nsIX509CertDB.importCertsFromFile() saves automatically.

Regarding Certificates in trees

I thought I could get away with an empty <tree></tree> and loading it similarly to how the browser does it. But this needs more work.

The process goes something like this:

  1. Cache your certificates using nsscertcache
  2. Create an nsCertTree and call loadCertsFromCache (in my situation, I passed nsIX509Cert.CA_CERT for certificate authorities)
  3. Take the XUL tree object, grab treeBoxObject.view, and set it to the nsCertTree you created above.

This requires, at minimum, a tree, a treecol, and an empty treechildren. It will fill up with 100+ rows of certificate authorities, which is correct, but they are all blank.

Once again, mxr to the rescue. It seems that your treecols need very specific IDs for this to work, which isn't documented as far as I know. These are:

ID | What is this
certcol | Certificate Name
tokencol | Security Device

I think those are the only two. So there should be two cols with those ids. The tree will show two types of certificates:

  1. public keys from Certificate Authorities
  2. certificates used for signing

I think it would be nice to differentiate between the two. I don't think there is an automated way to differentiate them yet.

ZIP files

The zipreader is too basic for what we need. Thankfully, someone took the initiative and wrote a zipwriter, which I am hoping to use. You need the latest version of XULRunner (a trunk build, or the next release, which is 1.9 to the best of my knowledge) to build it, not 1.8.*; good luck!

XPCOM and NSS

XPCOM has some limitations right now with regard to security and NSS. While I have been able to display and retrieve CA certificates, that has been only a small part of the process, and perhaps the easiest part as well. The problem I will be facing is signing an XPI: there are no XPCOM components to create zigbert.sf or sign the extension.

There are a few possible workarounds, starting with the most desirable:

  1. Use PSM
  2. Do some C++ to work with NSS' API (can I do this?) and build on top of PSM
  3. Use nsIProcess to call each tool

The last one is probably the least amount of work, but where's the fun in that? PSM documentation is also scattered; some parts seem to be on XULPlanet.
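The META-INF files mentioned above have a simple text format, and understanding it is most of the "what does signtool actually produce" question. The following is an added example, not code from Notary or from signtool: it builds the manifest.mf and zigbert.sf text for a constructed set of archive entries (the header layout follows the Netscape signtool convention, the Created-By value and SAMPLE_FILES are made up) and includes the check an installer performs, recomputing each file's digest against the manifest so a modified entry is caught. Python is used here for portability; zigbert.rsa, the PKCS#7 signature over zigbert.sf, is not produced.

```python
# Added example (not from the Notary project or signtool): build the
# META-INF/manifest.mf and zigbert.sf text of a signed XPI for a constructed
# file set, and re-check a manifest against the files it covers. The header
# layout follows the Netscape signtool convention; Created-By is constructed.
import base64
import hashlib

ALGOS = ("MD5", "SHA1")  # signtool-era digest set; kept only for format fidelity

def b64_digest(algo, data):
    """Base64 of the raw digest, as written on the *-Digest lines."""
    return base64.b64encode(hashlib.new(algo.lower(), data).digest()).decode("ascii")

def digest_lines(data):
    lines = ["Digest-Algorithms: " + " ".join(ALGOS)]
    lines += [f"{a}-Digest: {b64_digest(a, data)}" for a in ALGOS]
    return "\r\n".join(lines) + "\r\n"

def manifest_section(name, content):
    """One per-file section of manifest.mf, terminated by a blank line."""
    return f"Name: {name}\r\n" + digest_lines(content) + "\r\n"

def build_manifest(files):
    """manifest.mf: header plus one digest section per file in the archive."""
    head = "Manifest-Version: 1.0\r\nCreated-By: example (constructed)\r\n\r\n"
    return head + "".join(manifest_section(n, c) for n, c in sorted(files.items()))

def build_signature_file(manifest, files):
    """zigbert.sf: digest of the whole manifest.mf, then the digest of each
    manifest section. This is the text that zigbert.rsa would later sign."""
    head = "Signature-Version: 1.0\r\nCreated-By: example (constructed)\r\n"
    head += digest_lines(manifest.encode()) + "\r\n"
    body = "".join(f"Name: {n}\r\n" + digest_lines(manifest_section(n, c).encode()) + "\r\n"
                   for n, c in sorted(files.items()))
    return head + body

def check_manifest(manifest, files):
    """Recompute SHA1 for every file the manifest names; return the names that are missing or no longer match."""
    bad = []
    for section in manifest.split("\r\n\r\n"):
        fields = dict(line.split(": ", 1) for line in section.split("\r\n") if ": " in line)
        name = fields.get("Name")
        if name is None:
            continue  # the header section carries no Name
        if name not in files or fields.get("SHA1-Digest") != b64_digest("SHA1", files[name]):
            bad.append(name)
    return bad

# Constructed sample archive contents (path -> bytes), not a real extension.
SAMPLE_FILES = {"install.rdf": b"<RDF/>", "chrome/content/notary.js": b"hello"}
```

Note that check_manifest only proves the manifest and files agree; whether the manifest itself is trusted is decided by the signature in zigbert.rsa over zigbert.sf, which is the step the page says has no XPCOM component.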

Public Key Encryption

Maybe this doesn't belong here, but whatever. Public key encryption, as I found out today, can work two ways. The method I learned was how users send encrypted information to websites. It turns out that public key encryption can work the other way too. The private key can be used to encrypt the data (which I knew as well), and the public key can be used to decrypt. This is how certificates work. The CA uses their private key to encrypt the data and openly releases their public key. The browser uses the public key to decrypt. Thankfully I came across a very thorough explanation of public key cryptography.

Feedback

I appreciate any comments/suggestions/criticisms. But please post anything in the discussion page.