Closed Bug 1522162 Opened 7 years ago Closed 2 years ago

Add an API (or policies json support) to import a trusted certificate into the geckoview browser

Categories

(GeckoView :: General, enhancement, P3)

Product:
GeckoView
Component:
General
Platform:
Unspecified
Android
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: rwood, Assigned: grant)

References

Details

Attachments

(1 obsolete file)

When running Raptor page-load tests on android geckoview (currently running on the geckoview example app) we need to manually create an NSS certificate db, and then import the mitmproxy ca certificate into that db, using the certutil tool.

This is quite tricky. We have it working in production by using the certutil tool that comes with 'hostutils'; the bitbar host is on linux and that works well.

However when attempting to run Raptor on android locally, the certutil tool that comes with the android build doesn't work. So a Firefox desktop build has to be done first, to get the certutil tool from there - and then that works locally (at least on OSX).

There is no tooltool manifest for hostutils on Windows; so even if we changed running locally to download hostutils from production, that wouldn't work on all platforms.

Ideally geckoview would have an API that would allow us to import a trusted certificate directly, and then we wouldn't need to use the certutil tool at all. That would definitely get rid of alot of issues/aggravation. When running Raptor on Firefox desktop, we just create a policies.json file (with the path to the mitmproxy ca cert) and that works great.

Any possible solution would be great and also required for future android projects like the reference browser. Thanks!

The GV team doesn't want to support client certs for end users, but we could use a solution for test automation. P3 for now because we have a test workaround.

OS: All → Android
Priority: -- → P3

I wanted to clarify that we're open to adding an API to GeckoView to support adding trusted roots for the right use case.

I believe that an API is needed for adding/ removing trusted roots.
What happens if I don't trust one specific certificate? or if I just only trust my own certificate and nothing else?
I know that you can trust third party root certificates using setEnterpriseRootsEnabled function but I believe that trusted roots should not depend on the underlying operating system and GeckoView users should have the last word about who they trust and who they don't.
Thanks!

I've developed a solution for this. It is possible to inject a root certificate (in either pem or der format) into the x508certdb during GeckoViewStartup. I've created a fork of gecko-dev on github and would like to figure out how to submit it as a patch to mozilla-central. The solution is largely copied from the Policies.jsm module for the desktop browser. I tried to generalize my solution as much as possible, but maybe there are still some open questions about my implementation, e.g. should adding multiple root certs at once be supported (this is how Policies.jsm for the browser works, but I didn't need this for my use case). Take a look at my solution here, https://github.com/paidforby/gecko-dev/commit/dac53477785787b933abd76a5c3d1c99d7023d27, as well as an example of how to utilize the changes with the GeckoEngine component, https://github.com/paidforby/reference-browser/commit/25e6ee22d3608f072fae56f0de278e7bdc54d7e2.

Needed to expose nsIX509CertDB via an XPCOMUtils service getter for this enhancement.
Largely a port of functionaility from the Certificates policy in browser/components/enterprisepolicies/Policies.jsm.
Adds GeckoView:SetRootCertificate listener to GeckoViewStartup. Access to listener exposed via GeckoViewRuntimeSettings, allows root certificate to be added during build of runtime settings.
Adds function to support both PEM and DER formatted certificates. Also adds error and debug logging during cert installation.

Assignee: nobody → grant
Status: NEW → ASSIGNED
Severity: normal → S3

Tasks and enhancements should have severity N/A.

Severity: S3 → N/A

Hello. Would be awesome to see my fix for this land!

FWIW, original patch I made might be stale? So I keep up-to-date a patch that applies my fix. See it here, https://gitlab.com/censorship-no/mozilla-build-scripts/-/blob/main/gecko-certinject.patch. It currently works with the 109.0.1 of geckoview.

Thanks!

Why can't you install your cert into Android itself, and then use the existing setEnterpriseRootsEnabled function that is already exposed in GeckoView? (either way, additional Fenix code would have to be written to call whichever approach is used.)

Comment 3 from juanan is the opposite concern. It's legit, but it should be filed as a separate enhancement request. We do have functionality like that in Desktop Firefox, although it's not the easiest thing in the world to use. In all honesty it might be faster to strip the certs you don't want from the source code and build your own custom Firefox than waiting for someone to get around to doing this. Hardly anyone wants to do that, and of the people who do try we hear from a lot of people who managed to really break themselves trying.

Attachment #9288673 - Attachment is obsolete: true

I talked to the performance team re: the original concern, and currently this is not a blocker or a major inconvenience for them. They are ok with me closing the bug.

As far as this proposal - I agree it would need a separate bug. Please feel free to open a bug in this component, and we as a team will discuss the proposal. Thank you so much!

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: