Allow additional locations for certificate policy import

VERIFIED FIXED in Firefox -esr60

Status

defect
P1
normal
VERIFIED FIXED
5 months ago
4 months ago

People

(Reporter: mkaply, Assigned: mkaply)

Tracking

Trunk
Firefox 65
Points:
---

Firefox Tracking Flags

(firefox-esr60 65+ verified, firefox64 wontfix, firefox65 verified)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 months ago
For Linux, we need to allow support for full paths and distribution directory.

Comment 2

5 months ago
Would be good for the Mac platform if there was somewhere in the 'distribution' folder that we could store the certificates. 

i.e. if we're distributing the policies.json file and any extensions etc and certificates if we're referencing everything else from the 'distribution' folder in the json file, why not also have the certificates in there if that is part of the company's distributed management. 

How does that sound?
(Assignee)

Comment 3

5 months ago
(In reply to Rob from comment #2)
> Would be good for the Mac platform if there was somewhere in the
> 'distribution' folder that we could store the certificates. 
> 
> i.e. if we're distributing the policies.json file and any extensions etc and
> certificates if we're referencing everything else from the 'distribution'
> folder in the json file, why not also have the certificates in there if that
> is part of the company's distributed management. 
> 
> How does that sound?

That's one of the things this patch adds. Certificates directory under distribution.

It also adds arbitrary paths as well.
(Assignee)

Updated

5 months ago
Priority: -- → P1

Comment 4

5 months ago
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/e96d9b255d52
Allow paths and distribution directory for certificates. r=Felipe

Comment 5

5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e96d9b255d52
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
(Assignee)

Updated

5 months ago
Blocks: 1474683
(Assignee)

Comment 6

5 months ago
For QA:

This adds a new location - certificates directory under the distribution directory
And allows for just paths in the certificates list.
Flags: qe-verify+
(Assignee)

Updated

5 months ago
Duplicate of this bug: 1501954
(Assignee)

Comment 8

5 months ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1474683

User impact if declined: On Linux in particular, more difficult to import certs.

Also needed for some Talos/Raptor changes

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: Yes

If yes, steps to reproduce: Steps are in bug, QA has been contacted.

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Policy only, thoroughly vetted based on prior changes.

String changes made/needed:
Attachment #9024600 - Flags: approval-mozilla-beta?

I have tested this fix on all platforms, as instructed by Mike, using the latest Fx65.0a1 available. Here are my findings:

For Windows:
	- the certificates can only be installed from a 'Certificates' folder, created in either "%appdata%/Mozilla" or "%localappdata%/Mozilla"
	- creating a 'Certificates' folder anywhere else, containing a valid .crt and mentioning the path to that .crt does not install the certificate
	- even if the certificate is, for example, in the downloads folder and the path is correctly mentioned, the certificate will not be installed in Firefox

For Linux:
	- besides the conventional folder (/home/svuser/.mozilla/certificates), the certificates could only be installed from a 'certificates' folder created in the 'distribution' folder where the policy resides, and the .crt file is placed there (the policy must mention the full path of the .crt file e.g: /home/cristianbaica/Desktop/Fx Builds/firefox-nightly/distribution/certificates/root.crt)

For Mac:
	- the certificates can be installed from EVERYWHERE without any issues, as long as the path to the .crt file is correctly mentioned

Are those the expected results after this fix or should the user be able to install certificates from wherever he has them saved as long as he provides the correct path to them (as is the case for mac platforms)?
Flags: needinfo?(mozilla)
(Assignee)

Comment 10

5 months ago
For Windows, did you use double slashes for the path? I have verification Windows works in another bug.

For Linux, the fully qualified path should work as long as the proper permissions are on the file.
Flags: needinfo?(mozilla)

For Windows:
- the double slash makes it possible to install the .crt from ".../firefox/distribution/certificates/.crt"
- however, using double slash does not make it possible to install the .crt from any place where the certificate is placed

For Linux:
- I don't think any permissions have changed between trying out different paths. The path that worked is /home/cristianbaica/Downloads/Fx Builds/firefox-nightly/distribution/certificates/root.crt and the path that didn't work is /home/cristianbaica/Downloads/root.crt
- the file itself has not changed (I just used copy/paste commands to create the file in the desired places)

Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.

I think this can ride the trains to 65.
Attachment #9024600 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
(Assignee)

Comment 13

5 months ago
Cristian: Can you ping me on slack when you get a chance (or if you are in Orlando next week).

Would love to get this figured out.

[ following up on Cristian's behalf, since he's on PTO ]

Emil, could you please have a look at this instead? When you have the time.
Flags: qe-verify+ → needinfo?(emil.ghitta)
QA Contact: emil.ghitta

This seems to work from my side (used Firefox 65.0b4).

Windows
- The certificate is successfully installed from the "certificates" or "Certificates" directory (placed under the "distribution" directory).

- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.

Linux
- The certificate is successfully installed from the "certificates" directory (placed under the "distribution" directory). Note: It seems that only "certificates" name is accepted. Using "Certificates" (with the capital "C") for the directory name leads to the following error : "Unable to find certificate -root.crt".

- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.


Mac
- The certificate is successfully installed from the "certificates" or "Certificates" directory (placed under the "distribution" directory).

- The certificates can be installed from anywhere, if the full location path is being specified inside the policies.json file.

Since the problem was raised by Cristian Baica, I would like to wait for Cristian (he will be back in office tomorrow) in order to confirm this with him as well.
Flags: needinfo?(emil.ghitta) → needinfo?(cristian.baica)

I have double checked the information with Emil.

I can confirm now that the certificates can be installed from anywhere, even on Windows, by mentioning the full path of the certificate.

Closing the ticket as verified fixed.
Status: RESOLVED → VERIFIED
Flags: needinfo?(cristian.baica)
(Assignee)

Comment 17

4 months ago
[Tracking Requested - why for this release]: I'd like this for the next ESR to correspond to 65.

It's really the finishing touch on our cert code.

Please request uplift when you get a chance.
(Assignee)

Comment 19

4 months ago
Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Final piece of our certificate import code. Policy only

User impact if declined: Can't import certs primarily on Linux

Fix Landed on Version: Firefox 65

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Well tested, policy only.

String or UUID changes made by this patch:
Attachment #9024600 - Flags: approval-mozilla-esr60?

Comment on attachment 9024600 [details]
Bug 1506734 - Allow paths and distribution directory for certificates.

Policy Engine improvements for the certificate import code. Approved for 60.5.0esr to ship alongside Fx65.
Attachment #9024600 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

This is verified fixed using Firefox 60.4.1esr (provided in comment 21) on Windows 10 64bit, macOS 10.14 and Ubuntu 16.04 64bit. The certificates can be successfully installed from different locations (as in comment 15).
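
Added example, not part of the bug or of the Firefox patch: a pre-deployment check of a policies.json `Certificates` > `Install` list against the behaviour reported in this thread (bare names under `distribution/certificates`, full paths used as given, the capital-"C" directory failing on Linux, and Windows paths that need doubled backslashes). The function names and the sample layout are constructed for illustration; only the `distribution/certificates` location is checked for bare names, and the group/other-writable test is an added hygiene check for files that become trust anchors.

```python
import json, ntpath, os, posixpath, stat, tempfile

def install_entries(policy_text):
    """Return policies.Certificates.Install; invalid JSON raises ValueError."""
    doc = json.loads(policy_text)
    return doc.get("policies", {}).get("Certificates", {}).get("Install", [])

def resolve(entry, dist_dir):
    """Map one Install entry to (path_or_None, [problems])."""
    problems = []
    if any(ord(ch) < 32 for ch in entry):
        # "C:\root.crt" is valid JSON, but \r decodes to a carriage return.
        problems.append("control character in entry: backslash not doubled?")
    if posixpath.isabs(entry) or ntpath.isabs(entry):
        path = entry  # full path, used as given
    else:
        # Assumption: bare names are looked up in distribution/certificates.
        path = os.path.join(dist_dir, "certificates", entry)
        names = os.listdir(dist_dir) if os.path.isdir(dist_dir) else []
        if not os.path.isfile(path) and "Certificates" in names:
            problems.append("directory is 'Certificates'; comment 15 reports "
                            "only 'certificates' accepted on Linux")
    if not os.path.isfile(path):
        return None, problems + ["file not found"]
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return path, problems

def audit(policy_text, dist_dir):
    """Return {entry: (resolved_path, problems)} for every Install entry."""
    return {e: resolve(e, dist_dir) for e in install_entries(policy_text)}

def demo():
    """Constructed layout: distribution/certificates/root.crt, four entries."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = os.path.join(tmp, "distribution")
        os.makedirs(os.path.join(dist, "certificates"))
        cert = os.path.join(dist, "certificates", "root.crt")
        with open(cert, "w") as fh:
            fh.write("constructed placeholder, not a real certificate\n")
        os.chmod(cert, 0o644)
        policy = ('{"policies": {"Certificates": {"Install": [%s, %s, "missing.crt", '
                  r'"C:\root.crt"]}}}' % (json.dumps("root.crt"), json.dumps(cert)))
        found = audit(policy, dist)
        return {e: (p is not None, probs) for e, (p, probs) in found.items()}

if __name__ == "__main__":
    for entry, result in demo().items():
        print(repr(entry), result)
```

A path written with single backslashes either fails to parse (`\c` is not a JSON escape) or parses into a different string (`\r`, `\t`, `\n`), which is why the doubled form matters on Windows.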
