Add support for importing certificates via the policy engine

VERIFIED FIXED in Firefox -esr60

Status

()

enhancement
P1
normal
VERIFIED FIXED
Last year
9 months ago

People

(Reporter: mkaply, Assigned: mkaply)

Tracking

Trunk
Firefox 64
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr6064+ verified, firefox63 wontfix, firefox64 verified)

Details

Attachments

(2 attachments)

We need to provide a way to import certificates, particularly on Mac.

This will really only be a policies.json thing, not a GPO thing.

After discussion with the cert folks, here's the plan.

Some directory created under the directory containing policies.json contains the certs (this could be different on Linux(.

Certs are listed in the policies file by name - Certificates->Install.

I'm leaning towards naming the directory "resources" so it can contain other things.

I'm open to other thoughts/naming.
Hi Mike, 

That would be great to have that added as that is one of the missing policies that our company would definitely need. We use internet proxies and internal sites with our own certificates so we used to use your CCK to incorporate these in. 

What other things are you thinking of going in to the 'resources' directory?
Thanks for the input, Rob. Just curious, does the Windows cert stuff not work for you or are you on Mac?

As far as other things in the resources directory, I'm not sure yet, but I know there are other things from the CCK2.
Just to add a 'me too' ... we're using Linux, so will need support for importing certificates

Not quite sure why the location of the "resources" directory needs to be different on Linux ? - having it under the directory containing the policies.json would work fine for us ...
> Not quite sure why the location of the "resources" directory needs to be different on Linux ? - having it under the directory containing the policies.json would work fine for us ...

It will actually be both.

I was planning to enable a second location for the policies.json file on Linux consistent with how Chrome does it:

https://bugzilla.mozilla.org/show_bug.cgi?id=1469629
(In reply to Mike Kaply [:mkaply] from comment #4)
> I was planning to enable a second location for the policies.json file on
> Linux consistent with how Chrome does it:

OK - as long as both locations are supported, that will be fine (for us!) - thanks
(In reply to Mike Kaply [:mkaply] from comment #2)
> Thanks for the input, Rob. Just curious, does the Windows cert stuff not
> work for you or are you on Mac?
> 
> As far as other things in the resources directory, I'm not sure yet, but I
> know there are other things from the CCK2.

Hi Mike, 

Correct,  I was thinking of Mac deployments. I suppose under 'resources' could be 'extensions' but that's getting a bit off topic in this bug report.
Hi Mike,

we will be using this way of certificate import on Windows also, because enabling the Windows certificate store has a startup penalty of several seconds, i.e. the browser freezes for several seconds during every startup. So, please don't make this Mac/Linux only. Thanks!
bug 1487258 was opened to for your Windows cert problem.

This will not be Mac/Linux only.
Priority: -- → P1
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Getting basic function working.

Deciding on location of certs.
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/8b15bab9cde9
Add support for importing certificates. r=flod,Felipe
https://hg.mozilla.org/mozilla-central/rev/8b15bab9cde9
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 64
(In reply to Mike Kaply [:mkaply] (on PTO until Nov 5) from comment #9)
> Created attachment 9015389 [details] [diff] [review]
> Very early patch
> 
> Getting basic function working.
> 
> Deciding on location of certs.

Hi Mike, 

It's good to hear this has got traction and will be released shortly. Was a decision made on where the certs should be located?

Thanks.

Rob
(In reply to Rob from comment #13)

> Hi Mike, 
> 
> It's good to hear this has got traction and will be released shortly. Was a
> decision made on where the certs should be located?


Mac: USERDIR/Library/Application Support/Mozilla
or /Library/Application Support/Mozilla

Windows:

%USERNAME\AppData\Local\Mozilla
(In reply to Mike Kaply [:mkaply] (on PTO until Nov 5) from comment #14)
> 
> Mac: USERDIR/Library/Application Support/Mozilla
> or /Library/Application Support/Mozilla
> 
> Windows:
> 
> %USERNAME\AppData\Local\Mozilla

... and for Linux ?

Thanks

James Pearson
(In reply to James Pearson from comment #15)

> Thanks
> 
> James Pearson

I believe that is:
Linux: /home/user/.mozilla/certificates
Depends on: 1501954
(In reply to Emil Ghitta, QA [:emilghitta] from comment #16)
> 
> I believe that is:
> Linux: /home/user/.mozilla/certificates

That doesn't seem very useful - as I guess it means each user needs to have the certs in that location before running firefox ???

Shouldn't the certs be obtained from the same directory as where the policies.json exists ?

Or, can the certs be added as text strings to the policies.json file ?

... or am I missing something here ?
My goal was to allow the certificates to be placed on the machine independent of Firefox. I'm also going to do that with the policies file on Linux (similar to what Chrome does). I've had folks say that putting files in the install location doesn't make as much sense on Linux.

I'm open to any other ideas as to where to place the certificates (I can add additional locations).

As far as certificates in the JSON file itself, i thought about that, but I think that would get unwieldy fast.

Honetsly, I probably don't know enough about Linux in this context. I would love your thoughts as to what the right thing to do there is.
Depends on: 1504691
I would prefer that the certificates could be somewhere relative to where the policies.json file is (as one possible location)
This issue is verified fixed using Firefox 64.0b8(BuildId:20181108141956) on Windows 10 64bit, macOS 10.14 and Ubuntu 16.04 64bit.
Status: RESOLVED → VERIFIED
> I would prefer that the certificates could be somewhere relative to where the policies.json file is (as one possible location)

Would that still be true if the policies.json on Linux was in etc similar to Chrome?

Other folks are saying that on Linux, there are established locations for client certs:

https://github.com/mozilla/policy-templates/issues/282#issuecomment-435983922

I guess I always felt I made the wrong decision by putting policies.json in the same directory as the executable on Linux since things are updated differently there (not by us) and the distribution directory could get wiped out.

Plus if you use something like a Snap, you can't manage it at all.
I don't use Chrome - so have no idea where they put stuff - we (unsurprisingly) use Firefox, which I'm sure will please Mozilla :-)

We install firefox in a central, shared, version controlled, read-only, non-standard location (on an NFS filer - so only one 'copy' is installed - i.e. nothing installed locally) - and it makes (our) life easier to bundle everything in the same directory tree

To me, it makes sense to have the policies.json and things it references (e.g. certificates) in the same location/subdirectory
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1506734 as a followup for additional locations.
Depends on: 1506734
[Tracking Requested - why for this release]: This is new certificate work especially on Windows where using the system cert doesn't work. I haven't requested uplift yet because I'm waiting for QA to verify 1506734. It should be tomorrow.

This is very self contained from a policy perspective. There are two other fixes as a result of this, so I'll be creating one patch with everything.
Comment on attachment 9016045 [details]
Bug 1474683 - Add support for importing certificates.

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a policy only change to workaround the fact that we aren't importing intermediate certs (so some enterprises aren't able to use their certs)

User impact if declined: Certs don't work

Fix Landed on Version: 64

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Self contained in policies. Well tested.

Also needs https://bugzilla.mozilla.org/show_bug.cgi?id=1504691

(Sorry for the lateness of this, was trying to get bug 1506734 in but didn't.

String or UUID changes made by this patch:
Attachment #9016045 - Flags: approval-mozilla-esr60?
Comment on attachment 9016045 [details]
Bug 1474683 - Add support for importing certificates.

Policy only change, verified in nightly. OK for ESR.
Attachment #9016045 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
https://hg.mozilla.org/releases/mozilla-esr60/rev/e3557a7b598a2baae7dc38fd18a2b648748d65ff

This was built locally on the ESR branch and tested.

Emil, can you test when landed?
Flags: needinfo?(emil.ghitta)
This is verified fixed using Firefox 60.3.1esr (provided in comment 27) on Windows 10 64bit and macOS 10.14.
Flags: needinfo?(emil.ghitta)
You need to log in before you can comment on or make changes to this bug.