Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Nelson Bolyard
On 2009-08-06 03:47, Michael Ströder wrote:
> Eddy Nigg wrote:
>>> Quite a while ago, I read a message from someone saying he had devised,
>>> or was going to devise, a scheme to extract all of Mozilla's trusted root
>>> certs from NSS and make PEM files from them, and use them as trusted
>>> certs
>>> in some other non-NSS-based product.
>>>
>>> Does anyone remember that?
>>> Can you point me to the person(s) who did that?
>>> I'd like to ask them about it, and maybe reuse it.
>>>
>> Yes, that was Curl and here the link to the page
>> http://curl.netmirror.org/docs/caextract.html and this is the tool:
>> http://curl.netmirror.org/docs/parse-certs.txt
> 
> It's about trust after all...
> So I wonder whether there's a chance to verify the integrity of
> http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt

Compare it to the master copy at
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Frank Hecker

Michael Ströder wrote:

> Any list of fingerprints of the CA certs therein one could obtain
> (out-of-band)? Going to all the CA's web sites will not be overly effective I
> guess... :-/

We have SHA-1 fingerprints for a number of included roots on the 
included page:


http://www.mozilla.org/projects/security/certs/included/

The underlying source for this is an XML file, so it should be 
reasonably straightforward to parse.


The page above is not complete. However, Kathleen Wilson is working on 
doing a complete list of all roots included in NSS (and thus in Firefox, 
et al.):


http://www.mozilla.org/projects/security/certs/BuiltIn-CAs/

She did not include fingerprints in that list, but it sounds like a 
reasonable thing to add. I suggest bringing this up in the discussion 
thread about this:


http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/791684fa7b490e96#

Also, like the list above, this list is generated from an XML file.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Eddy Nigg

On 08/06/2009 01:54 PM, Daniel Stenberg:
> On Thu, 6 Aug 2009, Eddy Nigg wrote:
>> Yes, that was Curl and here the link to the page
>> http://curl.netmirror.org/docs/caextract.html and this is the tool:
>> http://curl.netmirror.org/docs/parse-certs.txt
>
> Please don't use that site. It is an outdated mirror with old
> contents. :-(
>
> The current page is at http://curl.haxx.se/docs/caextract.html and
> you'll note that it features a different script. The old one was so
> kludgy, slow and hard to read we had to let it go.

Cool, thanks for the update!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org



Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Daniel Stenberg

On Thu, 6 Aug 2009, Eddy Nigg wrote:

> Yes, that was Curl and here the link to the page
> http://curl.netmirror.org/docs/caextract.html and this is the tool:
> http://curl.netmirror.org/docs/parse-certs.txt

Please don't use that site. It is an outdated mirror with old contents. :-(

The current page is at http://curl.haxx.se/docs/caextract.html and you'll note 
that it features a different script. The old one was so kludgy, slow and hard 
to read we had to let it go.


--

 / daniel.haxx.se


Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Michael Ströder
Eddy Nigg wrote:
>> Quite a while ago, I read a message from someone saying he had devised,
>> or was going to devise, a scheme to extract all of Mozilla's trusted root
>> certs from NSS and make PEM files from them, and use them as trusted
>> certs
>> in some other non-NSS-based product.
>>
>> Does anyone remember that?
>> Can you point me to the person(s) who did that?
>> I'd like to ask them about it, and maybe reuse it.
>>
> 
> Yes, that was Curl and here the link to the page
> http://curl.netmirror.org/docs/caextract.html and this is the tool:
> http://curl.netmirror.org/docs/parse-certs.txt

It's about trust after all...
So I wonder whether there's a chance to verify the integrity of
http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt

Any list of fingerprints of the CA certs therein one could obtain
(out-of-band)? Going to all the CA's web sites will not be overly effective I
guess... :-/

Ciao, Michael.


Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Brad Hards
On Thursday 06 August 2009 09:20:02 Nelson Bolyard wrote:
> Hi all,
>
> Quite a while ago, I read a message from someone saying he had devised,
> or was going to devise, a scheme to extract all of Mozilla's trusted root
> certs from NSS and make PEM files from them, and use them as trusted certs
> in some other non-NSS-based product.
>
> Does anyone remember that?
> Can you point me to the person(s) who did that?
> I'd like to ask them about it, and maybe reuse it.
Justin Karneges did it for the QCA library - see 
http://websvn.kde.org/trunk/kdesupport/qca/tools/mozcerts/

I'm not sure you really want that approach though, and perhaps don't want to 
depend on Qt4.

Brad




Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Daniel Stenberg

On Wed, 5 Aug 2009, Wan-Teh Chang wrote:

>> I inquired based on an inquiry from someone who does not use NSS. The users
>> of this feature are OpenSSL users only.
>
> This is a very common question.  And they need to get the certdata.txt file
> from NSS anyway.  Why not put the script next to certdata.txt?


The stuff I wrote is freely available. But the mk-ca-bundle.pl we have in the 
curl repository to convert from Mozilla's CA cert to PEM was mainly written by 
Guenter Knauf - under the same MIT license the rest of curl is available as:


http://curl.haxx.se/lxr/source/lib/mk-ca-bundle.pl

It is also possible to get the PEM out of Firefox by converting the db 
locally:


http://curl.haxx.se/lxr/source/lib/firefox-db2pem.sh

--

 / daniel.haxx.se
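An added example, not mk-ca-bundle.pl or anything posted in the thread: a minimal Python parser for the certdata.txt format that exports only roots marked as server-auth trusted delegators to PEM and computes the SHA-1 fingerprint that Michael's integrity question needs for comparison with an out-of-band list such as Frank's page. The sample input is constructed, and the format details assumed here (CKA_CLASS opening each object, MULTILINE_OCTAL up to a bare END, CKO_NSS_TRUST or the older CKO_NETSCAPE_TRUST trust objects, trust matched to certificates by label instead of NSS's issuer+serial) should be checked against the real file.

```python
import base64
import hashlib
import re
# Constructed sample in certdata.txt syntax; CKA_VALUE is just the bytes "abc" here, not real DER.
SAMPLE = r'''
# Certificate "Sample Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Sample Root"
CKA_VALUE MULTILINE_OCTAL
\141\142
\143
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Sample Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''
def parse_objects(text):
    """Split certdata.txt into its PKCS#11 objects, one {attribute: value} dict each."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        if not line.startswith("CKA_"):         # skips comments, blanks, BEGINDATA, CVS_ID
            continue
        name, _, rest = line.partition(" ")
        if name == "CKA_CLASS":                 # every object opens with its class
            objects.append({})
        if rest.startswith("MULTILINE_OCTAL"):  # \ooo escapes continue up to a bare END line
            octal = "".join(iter(lines.__next__, "END"))
            objects[-1][name] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        elif rest.startswith("UTF8 "):
            objects[-1][name] = rest[5:].strip('"')
        else:
            objects[-1][name] = rest.split()[-1]  # the value token, e.g. CKT_NSS_TRUSTED_DELEGATOR
    return objects

def fingerprint(der):  # SHA-1 as AA:BB:..., the form Mozilla's included-roots page uses
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def to_pem(der):       # base64 DER in 64-column lines between the usual PEM markers
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def trusted_roots(text):
    """(label, fingerprint, pem) for server-auth trusted delegators; trust is matched by label (assumption)."""
    objs = parse_objects(text)
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH", "") for o in objs
             if o["CKA_CLASS"].endswith("_TRUST")}  # CKO_NSS_TRUST or older CKO_NETSCAPE_TRUST
    return [(o["CKA_LABEL"], fingerprint(o["CKA_VALUE"]), to_pem(o["CKA_VALUE"])) for o in objs
            if o["CKA_CLASS"] == "CKO_CERTIFICATE" and trust.get(o["CKA_LABEL"], "").endswith("_TRUSTED_DELEGATOR")]
```

Entries whose trust object says anything other than a trusted delegator (explicitly distrusted roots, email-only roots) are dropped rather than exported, which is the part a plain "dump every CKA_VALUE" script gets wrong. Any returned fingerprint that is absent from the out-of-band list is the discrepancy Michael's question is about.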