Move Cert Data from PEM tool from TLS-Observatory to CCADB-Tools
Categories
(Core :: Security: PSM, task, P2)
(Reporter: kathleen.a.wilson, Assigned: kkupelian)
The "Cert Data from PEM" tool is used to create a root or intermediate certificate record in the CCADB. This tool parses the PEM of a certificate and outputs a JSON response that CCADB uses to fill in the data on the certificate record in the CCADB.
Currently this tool is in the TLS-Observatory:
https://github.com/mozilla/tls-observatory/tree/master/certificate
Example:
curl -X POST -F certificate=@certificate.pem https://tls-observatory.services.mozilla.com/api/v1/certificate
Please move it to the CCADB-Tools repository and remove dependencies on the TLS-Observatory.
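As an added illustration of what such a tool does (this is example code written for this page, not the TLS-Observatory or CCADB-Tools implementation, and the JSON field names are assumptions, not the real tool's output format), the following Go program decodes a single PEM CERTIFICATE block, rejects keys and bundles, and emits the kind of record an importer would consume. It generates a constructed self-signed CA certificate in place of the uploaded certificate.pem so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is the JSON document this example emits. Field names are
// assumptions for illustration; the real tool's format is not shown on the page.
type CertRecord struct {
	Subject            string `json:"subject"`
	Issuer             string `json:"issuer"`
	SerialNumberHex    string `json:"serialNumberHex"`
	NotBefore          string `json:"notBefore"`
	NotAfter           string `json:"notAfter"`
	SHA256Fingerprint  string `json:"sha256Fingerprint"`
	IsCA               bool   `json:"isCA"`
	SelfSigned         bool   `json:"selfSigned"`
	SignatureAlgorithm string `json:"signatureAlgorithm"`
}

// ParsePEMCertificate accepts exactly one CERTIFICATE block. Rejecting other
// block types and trailing blocks keeps a private key or a chain bundle from
// being imported as though it were a single certificate.
func ParsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	block, rest := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("input contains no PEM block")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("expected a CERTIFICATE block, got %q", block.Type)
	}
	if extra, _ := pem.Decode(rest); extra != nil {
		return nil, errors.New("input contains more than one PEM block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// RecordFromPEM parses the PEM and builds the record an importer would consume.
func RecordFromPEM(pemBytes []byte) (CertRecord, error) {
	cert, err := ParsePEMCertificate(pemBytes)
	if err != nil {
		return CertRecord{}, err
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint over the DER bytes, not the PEM text
	return CertRecord{
		Subject:            cert.Subject.String(),
		Issuer:             cert.Issuer.String(),
		SerialNumberHex:    cert.SerialNumber.Text(16),
		NotBefore:          cert.NotBefore.UTC().Format(time.RFC3339),
		NotAfter:           cert.NotAfter.UTC().Format(time.RFC3339),
		SHA256Fingerprint:  hex.EncodeToString(sum[:]),
		IsCA:               cert.BasicConstraintsValid && cert.IsCA,
		SelfSigned:         cert.CheckSignatureFrom(cert) == nil,
		SignatureAlgorithm: cert.SignatureAlgorithm.String(),
	}, nil
}

// MakeSelfSignedPEM builds a constructed self-signed CA certificate so the
// example runs offline; it stands in for the certificate.pem a CA would upload.
func MakeSelfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(0x1234),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Org"}},
		NotBefore:             time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2044, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := MakeSelfSignedPEM()
	if err != nil {
		panic(err)
	}
	rec, err := RecordFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rec, "", "  ")
	fmt.Println(string(out))
}
```

The fingerprint is computed over the DER bytes (cert.Raw) rather than the PEM text, so differences in line wrapping or headers in the uploaded file do not change the identity of the record.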
Comment 1•2 years ago
Kathleen, it would help to know a bit more about what uses this. For example, if this is being called from JavaScript, there are libraries that can be used as a replacement rather than POSTing a certificate to a website API.
Comment 2•2 years ago
I think that currently we use this tool via https://www.apexhours.com/rest-api-in-salesforce/
But it may be possible to use javascript instead (?)
https://developer.salesforce.com/docs/component-library/documentation/en/lwc/js_intro
Poonam, would it be possible to do the PEM import via a JavaScript call instead of posting to a website API?
Comment 3•2 years ago
Sorry for the delay in responding.
Are the libraries to parse PEM in JavaScript? If yes, we can use Apex along with Node.js to call the JavaScript method(s).
Comment 4•2 years ago
Poonam replied in email: "Salesforce can store JavaScript libraries locally and execute them. Whenever any changes are done to the library we would fetch the latest copy and reload them in Salesforce. I think this approach will work for us."
I think that is the better option, because then we don't have to maintain something on GCP or such.
Comment 5•2 years ago
Rob, where can I take a look at these JavaScript libraries?
Comment 6•2 years ago
Hi Poonam. I don't know what Dana had in mind in comment 1, although I see that https://github.com/mozkeeler/certsplainer uses https://github.com/digitalbazaar/forge.
If it were me, I think I would look at https://github.com/PeculiarVentures/PKI.js first.
Comment 7•2 years ago
Yes, I recommend PKI.js.
Comment 8•2 years ago
Thanks for the shout out to PKI.js :)
We have another library we have been working on that will ultimately be the replacement for PKIjs; it's well tested and used in production products. It's much easier to use than PKIjs, and as long as chaining isn't needed it's a better choice. For example, it is also used by the PV certificate viewer, which is included in a number of production applications: https://github.com/PeculiarVentures/pv-certificates-viewer
Here are a few examples of its use. I'll have a PEM to DER and DER to PEM to aid those looking to do that type of work.
https://webcrypto.dev/src/pki/peculiar_x509/
We would be happy to help with this work as well.
Email Ryan and microshine @ peculiarventures dot com if help is needed.
Comment 9•2 years ago
(In reply to ryan_hurst from comment #8)
I'll have a PEM to DER and DER to PEM to aid those looking to do that type of work.
https://github.com/PeculiarVentures/webcrypto.dev-examples/blob/main/src/pki/peculiar_x509/pem_to_der.ts
Comment 10•2 years ago
Thanks for sharing the libraries. They are 'TypeScript' libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.
Salesforce also has Functions As A Service (FAAS), which allows us to use languages and tools of our choice. But it's an expensive feature (about 2k/mo).
Another thought is to host the JavaScript/TypeScript libraries on Heroku and then call them from our programs. This implementation will be the easiest and least expensive.
Comment 11•2 years ago
Thanks, Poonam, for looking into this.
Dana, I think the answer is that we should use GCP, like we do for some of our other tools. Reason: Mozilla already has GCP, and Ben and I already know how to redeploy the tools that are currently on GCP.
Comment 12•2 years ago
(In reply to Poonam Bhargava from comment #10)
Thanks for sharing the libraries. They are 'TypeScript' libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.
TypeScript transpiles to JavaScript.
Comment 13•2 years ago
(In reply to ryan_hurst from comment #12)
(In reply to Poonam Bhargava from comment #10)
Thanks for sharing the libraries. They are 'TypeScript' libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.
TypeScript transpiles to JavaScript.
Thanks, Ryan. It's good to know.
Comment 14•1 year ago
The updated PEM import tool:
https://github.com/mozilla/CCADB-Tools/tree/master/certificate
Status: testing in CCADB Sandbox.
Comment 15•1 year ago
In CCADB production.
Announcement: https://groups.google.com/a/ccadb.org/g/public/c/rJzftXhtWxA/m/Y5ozzUEjAgAJ