Closed Bug 1817326 Opened 2 years ago Closed 1 year ago

Move Cert Data from PEM tool from TLS-Observatory to CCADB-Tools

Categories: Core :: Security: PSM, task, P2
Tracking: RESOLVED FIXED
People: Reporter: kathleen.a.wilson, Assigned: kkupelian

The "Cert Data from PEM" tool is used to create a root or intermediate certificate record in the CCADB. This tool parses the PEM of a certificate and outputs a JSON response that CCADB uses to fill in the data on the certificate record in the CCADB.

Currently this tool is in the TLS-Observatory:
https://github.com/mozilla/tls-observatory/tree/master/certificate
Example:
curl -X POST -F certificate=@certificate.pem https://tls-observatory.services.mozilla.com/api/v1/certificate

Please move it to the CCADB-Tools repository and remove dependencies on the TLS-Observatory.
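As an added illustration of what the tool does (example code written here, not the tls-observatory or CCADB-Tools implementation): a Go function that accepts exactly one CERTIFICATE PEM block, parses the DER with the standard library and returns the record fields a CCADB-style record needs. The self-signed certificate it parses is constructed inside the block as sample input, and the CertData field names are an assumed shape, not the CCADB schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CertData holds the fields pulled from one certificate (an assumed shape, not the CCADB schema).
type CertData struct {
	Subject, Issuer, SerialNumber, NotBefore, NotAfter, SHA256Fingerprint string
	IsCA                                                                 bool
}
// CertDataFromPEM accepts exactly one CERTIFICATE block (no chains, no keys) and parses its DER.
func CertDataFromPEM(in []byte) (*CertData, error) {
	block, rest := pem.Decode(in)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("expected a CERTIFICATE PEM block")
	}
	if extra, _ := pem.Decode(rest); extra != nil {
		return nil, fmt.Errorf("more than one PEM block supplied")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse DER: %w", err)
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint is over the exact DER bytes, not the PEM text
	return &CertData{
		Subject: cert.Subject.String(), Issuer: cert.Issuer.String(), IsCA: cert.IsCA,
		SerialNumber: cert.SerialNumber.Text(16), SHA256Fingerprint: fmt.Sprintf("%x", sum),
		NotBefore: cert.NotBefore.UTC().Format(time.RFC3339), NotAfter: cert.NotAfter.UTC().Format(time.RFC3339),
	}, nil
}

// selfSignedPEM builds a throwaway self-signed CA as constructed sample input (not a real root).
func selfSignedPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Test Root CA", Organization: []string{"Example"}},
		NotBefore: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The returned struct can be handed to encoding/json to produce the kind of JSON response the tool returns; a file holding a private key or a whole chain is rejected rather than silently taking the first block.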

Blocks: 1817332

Kathleen, it would help to know a bit more about what uses this. For example, if this is being called from JavaScript, there are libraries that can be used as a replacement rather than POSTing a certificate to a website API.

Flags: needinfo?(kwilson)

I think that currently we use this tool via https://www.apexhours.com/rest-api-in-salesforce/
But it may be possible to use JavaScript instead (?)
https://developer.salesforce.com/docs/component-library/documentation/en/lwc/js_intro

Poonam, would it be possible to do the PEM import via a JavaScript call instead of posting to a website API?

Flags: needinfo?(kwilson) → needinfo?(poonam)

Sorry for the delay in responding.

Are the libraries to parse PEM in JavaScript? If yes, we can use Apex along with Node.js to call the JavaScript method(s).

Flags: needinfo?(poonam)

Poonam replied in email: "Salesforce can store Javascript libraries locally and execute them. Whenever any changes are done to the library we would fetch the latest copy and reload them in Salesforce. I think this approach will work for us."

I think that is the better option, because then we don't have to maintain something on GCP or such.

Rob, where can I take a look at these JavaScript libraries?

Hi Poonam. I don't know what Dana had in mind in comment 1, although I see that https://github.com/mozkeeler/certsplainer uses https://github.com/digitalbazaar/forge.

If it was me I think I would look at https://github.com/PeculiarVentures/PKI.js first.

Yes, I recommend PKI.js.

Thanks for the shout out to PKI.js :)

We have another library we have been working on that will ultimately be the replacement for PKIjs; it’s well tested and used in production products. It’s much easier to use than PKIjs and, as long as chaining isn’t needed, it’s a better choice. It is, for example, also used by the PV certificate viewer, which is included in a number of production applications: https://github.com/PeculiarVentures/pv-certificates-viewer

Here are a few examples on its use; I’ll have a PEM to DER and DER to PEM to aid those looking to do that type of work.
https://webcrypto.dev/src/pki/peculiar_x509/

We would be happy to help with this work as well.

Email Ryan and microshine @ peculiarventures dot com if help is needed.

(In reply to ryan_hurst from comment #8)

> I’ll have a PEM to DER and DER to PEM to aid those looking to do that type of work.
> https://github.com/PeculiarVentures/webcrypto.dev-examples/blob/main/src/pki/peculiar_x509/pem_to_der.ts

Thanks for sharing the libraries. They are ‘TypeScript’ libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.

Salesforce also has Functions As A Service (FAAS) which allows us to use languages and tools of our choice. But it’s an expensive feature (about 2k/mo).

Another thought is to host the JavaScript/TypeScript libraries on Heroku and then call them from our programs. This implementation will be the easiest and least expensive.

Thanks, Poonam, for looking into this.

Dana, I think the answer is that we should use GCP, like we do for some of our other tools. Reason: Mozilla already has GCP, and Ben and I already know how to redeploy the tools that are currently on GCP.

(In reply to Poonam Bhargava from comment #10)

> Thanks for sharing the libraries. They are ‘TypeScript’ libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.

TypeScript transpiles to JavaScript.

(In reply to ryan_hurst from comment #12)

> (In reply to Poonam Bhargava from comment #10)
>
> > Thanks for sharing the libraries. They are ‘TypeScript’ libraries. We could store JavaScript/TypeScript libraries in Salesforce and execute them, but Salesforce does not fully support TypeScript. Also, Salesforce will only allow us to call these methods from LWC (UI). We cannot call directly from Apex. That means MicrosoftRootCertAPI (which needs to parse PEM) will not be able to use these methods.
>
> TypeScript transpiles to JavaScript.

Thanks Ryan. It's good to know.

Blocks: 1839533
Assignee: nobody → kkupelian
Status: NEW → ASSIGNED
Priority: -- → P2

The updated PEM import tool:
https://github.com/mozilla/CCADB-Tools/tree/master/certificate

Status: testing in CCADB Sandbox.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED