#1119 Firefox root certificate installation

Milestone: 3.0 Alpha Series
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2015-05-12
Created: 2015-04-27
Private: No

After following the root certificate installation script over on the wiki (http://nsis.sourceforge.net/Import_Root_Certificate) it appears the Firefox information is dated or missing some content.

I've updated it to properly detect Firefox on 64-bit platforms, however I'm having a hard time figuring out how to get this line to work properly:

 System::Call 'smime3::CERT_DecodeCertFromPackage(i $CertData, i $CertSize) i .R2'

I believe this to be a call to library smime3.dll, but that file doesn't appear to exist with Firefox 34.

Since this script is offered out of courtesy of the NSIS project, it's not actually a bug, but the mailing list doesn't seem to have a place for general help, so I'm hoping that reaching out here might be a good place to start.

P.S. For those still keeping this project alive, thanks! NSIS is a great product! I chain NSIS with both CMake and ANT and it works great. :)

-Tres

Discussion

  • Amir Szekely

    Amir Szekely - 2015-04-27

    The forums and/or StackOverflow are the best places to get help.

    If smime3 was removed, you'd have to find another way of importing the certificates. A quick StackOverflow search shows there is now a utility called CERTUTIL that you can use for that. Will probably be simpler code too.

    More info at:

    http://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla
  • Tres Finocchiaro

    Thank you kindly Amir.

    CertUtil is probably the inevitable course. Unfortunately for us -- as well as many others trying to achieve this -- the certutil tool and its libraries are available from Mozilla in source code only, thus requiring additional building and bundling to achieve something that at one time appeared to be trivial, and built-in. It also puts an unnecessary burden from a compat perspective since it adds a bit of volatility to the API.

    If this is the only avenue, the RootCA article on the wiki will need to be modified to reflect this.

    Please feel free to close this out as "not our bug" but I invite others searching this similar problem to offer advice on the topic. :)

    Last edit: Tres Finocchiaro 2015-04-27
  • Amir Szekely

    Amir Szekely - 2015-04-27

    Both that StackOverflow page and another SuperUser one have links to pre-built binaries. Some of them even official. I'm sure there are more. No need to waste time building them :)

    It's probably not the only avenue, and I'm sure a bit of research can be done to find where CERT_DecodeCertFromPackage moved. Honestly, might be as simple as dumping all DLL exports in the Firefox folder. CertUtil.exe can just be quicker and simpler. I think it's probably going to even be less volatile than using not 100% documented API (the functions might be somewhat documented, but as in this example, they can move around or change).

    If you do find a better solution, it would be great if you can update the Wiki as well with it so others can use it in the future.
  • Tres Finocchiaro

    @Amir,

    Thanks. Yes, I've reviewed these and I have a hard time taking any of them seriously from a deployment perspective. The link most people seem to be relying on is felixrr's domain article. The issue I have with his tutorial is it requires Visual Studio 2010 runtime.

    The other links I come across seem to date back quite a while.

    The official Mozilla FTP locations are likely the best to use, but the links seem to be dated, so I'll have to click around to find one.

    I'm tempted to try to build this library with mingw and script it into the package but that might prove to be more work than it is worth. :)

    I'll take care of the wiki if I get this working. Thanks for the nudge. :)
  • Tres Finocchiaro

    So it appears the Mozilla FTP no longer contains any binary releases for Windows. Furthermore, these NSS tools require a copy of the NSS Portable Runtime (NSPR) which is offered in binary form (or via package manager) for all platforms except Windows via:

    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR

    So felixrr's pre-compiled solution is starting to look quite attractive -- when compared to the alternative options -- but I'd rather not rely on an unofficial source for a binary since Firefox (and hopefully the installer I'm looking to offer) is going to be around for years to come. :)

    Last edit: Tres Finocchiaro 2015-04-27
  • Tres Finocchiaro

    Some more research on this has landed me here:
    https://mike.kaply.com/2015/02/10/installing-certificates-into-firefox/

    I haven't created a working example yet, but wanted to supply a status update. :)
  • Tres Finocchiaro

    Mike Kaply's approach works.

    This is how I did it:

    Step 1. Create a file nsis-cert.cfg, place it in "%PROGRAMFILES%\Mozilla Firefox"

    // Firefox AutoConfig script: get the certificate database service
    var certdb = Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB);
    var certdb2 = certdb;
    try {
        // Prefer the nsIX509CertDB2 interface where it exists; fall back to certdb otherwise
        certdb2 = Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB2);
    } catch (e) {}
    var cert = "MIIHPT...zTMVD"; // This should be the certificate content with no line breaks at all.
    // "C,C,C" is an NSS trust string: trusted CA for SSL, e-mail and object signing
    certdb2.addCertFromBase64(cert, "C,C,C", "");
    ...

    Step 2. Create a file nsis-pref.js, place it in "%PROGRAMFILES%\Mozilla Firefox\defaults\pref"

    pref('general.config.filename', 'nsis-cert.cfg');
    pref('general.config.obscure_value', 0);

    ...

    That's it. The caveat is that the cert data needs to be read in without linebreaks or extra characters, so for the standard RFC formatted base64 certs, some cleanup needs to occur and the base64 data needs to be echoed into this script.

    @Amir,

    I chose not to use NSIS to do the work here, I wrote the logic in another language that I am more familiar with. I would be happy to work with someone to get this converted over and have the wiki updated, but I would need some assistance with the NSIS syntax, especially the part which needs to read/write the parsed certificate data.

    Last edit: Tres Finocchiaro 2015-04-30
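The Step 1 / Step 2 procedure above, including the cleanup step the comment says needs a second language, as an added example that is not code from the NSIS ticket or the wiki. It strips the PEM armour and line breaks from a certificate, checks that what is left is base64 DER starting with the SEQUENCE tag (so a private key or a wrong file is rejected instead of being installed), and writes nsis-cert.cfg and defaults/pref/nsis-pref.js under whatever Firefox directory you pass (the thread uses "%PROGRAMFILES%\Mozilla Firefox"). Firefox ignores the first line of an AutoConfig file, so the generator starts the .cfg with a comment line. The sample certificate is a constructed placeholder, not a real CA, and the trust string "C,C,C" from the thread marks the certificate as a trusted CA for SSL, S/MIME and object signing at once, so pass a narrower string where that suffices.

```python
"""Generate the two Firefox AutoConfig files described in the thread.

Added example, not code from the NSIS ticket or wiki. Performs the cleanup
step the thread describes (PEM -> one-line base64), validates the result,
and writes nsis-cert.cfg plus defaults/pref/nsis-pref.js. The sample
certificate below is a constructed placeholder, NOT a real CA.
"""
import base64
import re
import tempfile
from pathlib import Path

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# NSS trust flags (p, P, c, C, T, u, w) for SSL, e-mail, object signing.
_TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Constructed placeholder: a DER SEQUENCE header plus filler bytes. It
# decodes like the start of a certificate but is not a real certificate.
_FAKE_DER = b"\x30\x82\x01\x00" + b"constructed placeholder, not a real CA " * 4
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_FAKE_B64[i:i + 64] for i in range(0, len(_FAKE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

PREF_JS = ("pref('general.config.filename', 'nsis-cert.cfg');\n"
           "pref('general.config.obscure_value', 0);\n")


def pem_to_single_line_base64(pem_text: str) -> str:
    """Return the certificate body as one base64 line, as nsis-cert.cfg wants.

    Rejects input with no CERTIFICATE block (e.g. a private key pasted by
    mistake), invalid base64, and data that does not begin with the DER
    SEQUENCE tag 0x30 that every X.509 certificate starts with.
    """
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    b64 = re.sub(r"\s+", "", match.group(1))
    if not _B64_RE.match(b64):
        raise ValueError("certificate body is not plain base64")
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return b64


def autoconfig_cfg(b64: str, trust: str = "C,C,C") -> str:
    """Render nsis-cert.cfg; Firefox skips line 1, so it is a comment.

    "C,C,C" is the trust string from the thread: trusted CA for SSL,
    S/MIME and object signing. The trust string is validated so nothing
    but NSS flags can end up inside the generated JavaScript literal.
    """
    if not _TRUST_RE.match(trust):
        raise ValueError("not an NSS trust string: %r" % trust)
    lines = [
        "// nsis-cert.cfg: Firefox AutoConfig, the first line is ignored",
        'var certdb = Components.classes["@mozilla.org/security/x509certdb;1"]'
        ".getService(Components.interfaces.nsIX509CertDB);",
        "var certdb2 = certdb;",
        "try {",
        '  certdb2 = Components.classes["@mozilla.org/security/x509certdb;1"]'
        ".getService(Components.interfaces.nsIX509CertDB2);",
        "} catch (e) {}",
        f'certdb2.addCertFromBase64("{b64}", "{trust}", "");',
    ]
    return "\n".join(lines) + "\n"


def write_autoconfig(pem_text: str, firefox_dir, trust: str = "C,C,C") -> dict:
    """Write nsis-cert.cfg and defaults/pref/nsis-pref.js; return their paths."""
    firefox_dir = Path(firefox_dir)
    cfg = firefox_dir / "nsis-cert.cfg"
    pref = firefox_dir / "defaults" / "pref" / "nsis-pref.js"
    pref.parent.mkdir(parents=True, exist_ok=True)
    cfg.write_text(autoconfig_cfg(pem_to_single_line_base64(pem_text), trust))
    pref.write_text(PREF_JS)
    return {"cfg": cfg, "pref": pref}


def demo() -> str:
    """Write both files into a scratch directory and return the .cfg text."""
    paths = write_autoconfig(SAMPLE_PEM, tempfile.mkdtemp(prefix="firefox-"))
    return paths["cfg"].read_text()


if __name__ == "__main__":
    print(demo())
```

Run it as `python gen_autoconfig.py` to see the generated .cfg; in a real deployment call write_autoconfig() with your PEM text and the Firefox install directory, and keep the trust string as narrow as the use case allows.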
  • Amir Szekely

    Amir Szekely - 2015-05-10

    Nice clean Firefox-approved solution :)
    It's perfectly reasonable to require a pre-step of formatting the certificate with another language. You should put it in the Wiki as a second option for newer Firefox versions as-is. It will definitely be useful for other people. And someone will probably improve on it eventually to remove the second language requirement (hopefully I'll get some time for that soon ;) ).
  • Tres Finocchiaro

    Ok, I've updated the wiki with some warning signs and links to those trying to achieve this. I'd be happy to work with someone better with the NSIS scripting language to reproduce the work I've already done.

    This can probably be closed unless you'd prefer to leave it open as a documentation task.

    http://nsis.sourceforge.net/Import_Root_Certificate

    Last edit: Tres Finocchiaro 2015-05-12