Closed
Bug 454036
Opened 16 years ago
Closed 4 years ago
Add support for an administrator-editable system-wide certificate store
Categories
(NSS :: Libraries, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: trs80, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080702 Iceape/1.1.11 (Debian-1.1.11-1)
Build Identifier:
With the switch to sqlite for softtoken, it should be possible to add support for a system-wide cert store that can be easily edited by administrators. Currently to add another CA cert requires a recompile of nssckbi, which requires a full build environment.
Reproducible: Always
Steps to Reproduce:
1. Want to edit the list of CA certificates for all applications that use NSS.
Actual Results:
Have to recompile nssckbi, possibly once for each application if the system NSS isn't used.
Expected Results:
Install the certificate into one database which is then used by all apps.
The softtoken db could be stored in /etc/nss (Linux), %COMMONFILES%\Mozilla\NSS (Windows) or /Library/Mozilla/NSS (OS X). Loading it would happen in nss/lib/nss/nssinit.c, probably in nss_Init() just after the existing call to nss_FindExternalRoot(), but outside the if (!SECMOD_HasRootCerts()) {} block.
I think PSM will require additional work in mozilla/security/manager/ssl/src/nsNSSComponent.cpp nsNSSComponent::InstallLoadableRoots() as bug 176501 causes all modules with root certs to be unloaded. For similar reasons (profile sharing across platforms) it's probably a good idea to follow a similar strategy and only load it temporarily, using SECMOD_LoadUserModule.
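The "expected result" above (one shared certificate database that every NSS application consults) is, on the administrator side, a sqlite-backed softtoken database edited with certutil. The following script is an added example and is not part of the bug report or of NSS itself: it creates such a database in a scratch directory, generates a constructed self-signed CA to stand in for an organisation's real CA, imports it with the "C,," trust flags (trusted to issue TLS server certificates only), and reads the resulting trust flags back. The `/etc/pki/nssdb` location it mentions is the Fedora path named later in this thread; the nickname, subject and scratch paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or NSS): manage a system-wide sqlite
# NSS database with certutil. Paths, nickname and subject are constructed;
# a real deployment would point at e.g. sql:/etc/pki/nssdb.
set -eu

# Create an empty sqlite-backed NSS database. The "sql:" prefix selects the
# sqlite softtoken format instead of the legacy dbm files.
nss_create_db() {
    dir=$1
    mkdir -p "$dir"
    certutil -N -d "sql:$dir" --empty-password
}

# Generate a constructed self-signed CA in a separate scratch database and
# export it as PEM; this stands in for the organisation's real CA certificate.
make_test_ca_pem() {
    scratch=$1; out=$2
    nss_create_db "$scratch"
    head -c 64 /dev/urandom > "$scratch/noise"   # seed for key generation
    certutil -S -d "sql:$scratch" -z "$scratch/noise" \
        -n "Example Corp CA" -s "CN=Example Corp CA (constructed)" \
        -x -t "C,," -k rsa -g 2048 -v 12
    certutil -L -d "sql:$scratch" -n "Example Corp CA" -a > "$out"
}

# Install a CA certificate into the shared database. Trust flags "C,," mean:
# trusted CA for SSL/TLS, no trust for S/MIME or object signing.
nss_install_ca() {
    dir=$1; nick=$2; pem=$3
    certutil -A -d "sql:$dir" -n "$nick" -t "C,," -i "$pem"
}

# Print the trust flags the database holds for a nickname (last column of
# "certutil -L"), e.g. "C,,".
nss_trust_flags() {
    dir=$1; nick=$2
    certutil -L -d "sql:$dir" | awk -v n="$nick" '$0 ~ n { print $NF }'
}

# End-to-end run in a temporary directory; prints "C,," on success.
demo() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed; skipping"
        return 0
    fi
    tmp=$(mktemp -d)
    make_test_ca_pem "$tmp/scratch" "$tmp/ca.pem"
    nss_create_db "$tmp/sysdb"
    nss_install_ca "$tmp/sysdb" "Example Corp CA" "$tmp/ca.pem"
    nss_trust_flags "$tmp/sysdb" "Example Corp CA"
    rm -rf "$tmp"
}

demo
```

Whether an application actually consults the shared database is a separate question, which is the point of the report: it must either be the database NSS opens at initialization or be loaded as an additional softtoken instance, for example with `SECMOD_LoadUserModule` as suggested above.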
Comment 1•16 years ago
NSS already has a function by which an application can cause additional
cert/key DB pairs to be opened and used simultaneously with the pair that
is opened during NSS initialization. So, I'm not sure that any change to
NSS is required here. If PSM wants to include more DB pairs, it just needs
to call the existing NSS functions for doing that.
Also, I think this is a very Linux platform specific request.
I'm not at all sure that this should be done on other platforms.
It strikes me as a good candidate to be a FF extension for Linux.
Reporter
Comment 2•16 years ago
It's not platform-specific - I want it for my windows clients at work, where otherwise I have to install my CA in both firefox and thunderbird, for everyone's profile. (Or recompile both every time a new security release comes out, which is far too much work).
It's also useful for apps ported from OpenSSL (eg the Fedora crypto consolidation), which provides SSL_CTX_set_default_verify_paths() to load the default set of CAs (which are easily managed by the administrator, as it's a directory full of PEM files).
The reason I suggested putting it in nss_FindExternalRoot() is because this is always called, and so NSS always trusts the roots it ships with in nssckbi, regardless of whether the app wants them or not, so it seemed reasonable to me to always trust the administrator's CAs as well.
Updated•16 years ago
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•16 years ago
Bob, doesn't Fedora already have the requested system-wide
certificate store in /etc/pki/nssdb?
Comment 4•16 years ago
Changing to all platforms since this was requested for all platforms in comment 2.
OS: Linux → All
Hardware: PC → All
Comment 5•9 years ago
probably relates to bug 449498
Comment 6•9 years ago
For the trusted CAs, there is a solution for this — p11-kit-trust.so is a drop-in replacement for libnssckbi.so, and basically extended a solution like Debian's "update-ca-certificates" so that it actually *works*, as a system-wide way of managing the trusted certificates.
For Windows, the system trust store you want to use is different, so you'd need a different solution. I don't know if something based on nss_capi could be used to replace libnssckbi.dll instead.
Comment 7•4 years ago
This is more for osclientcerts today
Status: NEW → RESOLVED
Closed: 4 years ago
QA Contact: jjones
Resolution: --- → WONTFIX