Cert import Firefox about qz-print HOT 12 CLOSED

The irony of this wss:// problem is that Firefox is the browser which by default blocks mixed content pages and it appears to be the hardest to get wss:// working on....

NSIS appears to have some support for this, but I'm not sure how....

http://nsis.sourceforge.net/Import_Root_Certificate

from qz-print.

@lukas-w, do you have a moment to look into the feasibility of using NSIS to install the Firefox certificate, at least on windows? I think we can use this same method for the OS certificate on Windows.

from qz-print.

@lukas-w I have a moment so I'm going to start this now. No need to look at it.

from qz-print.

All right. :)

from qz-print.

From what I'm seeing Nullsoft's installer does this much better than any hacked attempt using the official certutil command, but it only installs to the currently logged in user, which I really dislike. It appears this cert8.db database is created for each Firefox profile and not something that can be edited for the entire system meaning the installer would have to be re-run for each user, which I don't particularly care for (this would generate a new cert and a new password).

So it looks like I'll have to change the entire strategy for cert generation to only generate if it doesn't already exist, modifying the Apple, Linux and Windows installer scripts.

Another advantage to NSIS is it appears to import the system certificate for Windows XP which wasn't an option through the previous method, so I'll likely utilize that over my Vista-or-higher command line method.

from qz-print.

OK @lukas-w I'd like to ask for some help... NSIS appears to be calling some C++ nss3 components to import the certificate. Mozilla's NSS library is pretty straight forward, but I'm not very good at this stuff... I've marked where the script is erroring out below.

Here's a chunk of the NSIS example script for importing a cert into Firefox...

  ${If} $0 != 0
    MessageBox MB_OK|MB_ICONSTOP "Password database initialization failed."
    Return
  ${EndIf}

  # get slot
  System::Call 'nss3::PK11_GetInternalKeySlot() i .R1'

  ${If} $R1 = 0
    MessageBox MB_OK|MB_ICONSTOP "Unable to get certificate slot."
    Return
  ${EndIf}

  # load certificate
  System::Call 'smime3::CERT_DecodeCertFromPackage(i $CertData, i $CertSize) i .R2'

  ${If} $R2 = 0
    MessageBox MB_OK|MB_ICONSTOP "Unable to decode certificate."

     #################################  ^--------------------- ERROR

    System::Call 'nss3::PK11_FreeSlot(i R1)'
    Return
  ${EndIf}

What I'm not sure of is whether or not this is simply due to the certificate format. We use X509 DER (PEM) base64 formatted certificates.

Documentation and examples on this type of stuff is pretty lacking. Could you take a glance?

P.S. Slightly unrelated, but __CertificateFindFirefox function needed a patch on Win64
Edit: Wiki page updated with 64-bit os support http://nsis.sourceforge.net/Import_Root_Certificate

P.P.S. Ok... I think this is a classic case of it expecting base64 data and the -----BEGIN CERTIFICATE----- breaks the import per https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/6npi0AiNw-c`
Edit: False alarm. Removing the BEGIN/END doesn't fix this.

from qz-print.

So after reading the NSIS usage, it appears CERT_DecodeCertFromPackage is offered with the smime3.dll per:

System::Call 'YourDllName::YourDllFunction(i, *i, t) i(r0, .r1, r2) .r3'

But smime3.dll isn't distributed with Firefox. If there is a replacement DLL, then the script should be updated to reflect that. Unfortunately, finding recent documentation on this is very difficult.

from qz-print.

I filed an upstream bug report with NSIS to see if they could help. https://sourceforge.net/p/nsis/bugs/1119/

In the mean time, I'll see what other methods are available.

from qz-print.

I reached out to a plugin author for Firefox and he send me this link...

https://mike.kaply.com/2015/02/10/installing-certificates-into-firefox/

from qz-print.

Thanks

On Wed, Apr 29, 2015 at 2:37 PM, Tres Finocchiaro [email protected]
wrote:

I reached out to a plugin author for Firefox and he send me this link...

https://mike.kaply.com/2015/02/10/installing-certificates-into-firefox/

Reply to this email directly or view it on GitHub
#18 (comment).

Robert Casto
Owner | SellersToolbox
p: 1-513-847-4942
c: 1-513-886-1550
e: [email protected]
www.sellerstoolbox.com
Tools for Amazon Sellers

from qz-print.

After following Mike Kaply's instructions, I believe I have an import for Firefox working using the preferences file and installs to all users.

Issues:

• Requires a restart of the Firefox browser (minor)

Todo:

• Determine a way to dynamically feed the base64 certificate data (no newlines or special delimiters) into a firefox config file.
• Find out how to remove the certificate on uninstall

Note, this DOES NOT fix the problem with the endpoint certificate (server certificate). That is a separate issue per #19 bullets 1.1 and 1.2.

from qz-print.

Closed via 8d61a68. Will track Mac and Linux in #15

from qz-print.