Description of problem:
CS 8.0 -- Have to download and install the trust chain through ESC even if it was already installed in the browser. This will make it annoying, to say the least, for anyone deploying this application to a large user base. It would be much better if it could use the trust chain already imported into the browser instead of having its own copy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
That would be an RFE: FF and ESC are 2 different applications that use their own NSS database.

On Linux, ESC uses ~/.redhat/esc/<string>.<profile-name>/ for its NSS database path. FF uses ~/.mozilla/firefox/<string>.<profile-name>/
Created attachment 439220 [details] ESC portion of patch to address issue
Created attachment 439222 [details] New ESC file for this issue.
Created attachment 439227 [details] TPS portion of fix to issue.
Created attachment 439228 [details] New TPS file for this issue.
Created attachment 439241 [details] Makefile changes for TPS portion of fix.
Created attachment 439829 [details] ESC Windows Installer fix for this issue.

This patch provides an enhancement to the ESC Windows Installer to make it easier to change ESC's configuration parameters at install time through simple command line parameters.
Addressing this issue will take a two-way approach:

1. Provide a relatively simple means by which the user of ESC can be given the chance to download and install the CA Certificate Trust Chain.

- TPS will support an optional URL value to be sent back to the client during its phone home process. This URL will then allow the client to be passed through to the CA's facility to download and trust the CA Cert chain. The optional change to the file "/usr/lib/pki-tps/cgi-bin/home/index.cgi" will look as follows:

print "Content-type: text/xml\n\n";
print "<\?xml version=\"1.0\" encoding=\"UTF-8\"\?>";
print "<ServiceInfo>";
print "<IssuerName>";
print "Fedora Project"; # Vendor
print "</IssuerName>\n";
print "<Services>";
print "<Operation>";
print "http://test.host.com:7888/nk_service";
print "</Operation>";
print "<UI>";
print "http://test.host.com:7888/cgi-bin/home/enroll.cgi";
print "</UI>";
print "<EnrolledTokenBrowserURL>";
print "http://www.fedora.redhat.com"; # Company URL
print "</EnrolledTokenBrowserURL>";
print "<EnrolledTokenURL>";
print "</EnrolledTokenURL>";
print "<TokenType>";
print "userKey";
print "</TokenType>";
#print "<CAChainUI>";
#print "http://test.host.com:7888/cgi-bin/home/cachain.cgi";
#print "</CAChainUI>";
print "</Services>";
print "</ServiceInfo>";

The commented out lines above can be activated so the latest ESC can obtain the URL and make use of it. Note the http port must be used or ESC can not even get to the new URL.

- A new cgi perl script called "cachain.cgi" will be there to actually make sure the client gets access to the CA's servlet that downloads and trusts the cert chain.

2. The esc client already supports the following preference:

esc.global.alt.nss.db=<path to another db to trust>

- This allows the user of ESC to take advantage of all the cert trust relationships already contained in this alternate NSS database. This has already been used in the field.

- The simple improvement here is that now the Windows ESC installer will support a means to accept custom command line switches as follows:

./esc-installer.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db

- Note that this command line switch can be used multiple times with different values to set other ESC preferences.

- The end result is that once ESC is installed on the Windows system, the file "esc/defaults/preferences/esc-prefs.js" will have the desired values set as requested by the command line parameters discussed above.

- Usage Example:

./SmartCardManagerSetup-1.1.0-11.win32.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=false
Checkins ESC:

Checking in setup.iss;
/cvs/dirsec/esc/win32/setup.iss,v <-- setup.iss
new revision: 1.16; previous revision: 1.15
done
Running syncmail...
Mailing relnotes...
...syncmail done.
Running syncmail...
Mailing cvsdirsec...
...syncmail done.

Checking in src/app/xul/esc/chrome/content/esc/ESC.js;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/ESC.js,v <-- ESC.js
new revision: 1.33; previous revision: 1.32
done
Running syncmail...
Mailing relnotes...
...syncmail done.
Running syncmail...
Mailing cvsdirsec...
...syncmail done.

Checking in src/app/xul/esc/chrome/locale/en-US/esc.dtd;
/cvs/dirsec/esc/src/app/xul/esc/chrome/locale/en-US/esc.dtd,v <-- esc.dtd
new revision: 1.8; previous revision: 1.7
done
Running syncmail...
Mailing relnotes...
...syncmail done.
Running syncmail...
Mailing cvsdirsec...
...syncmail done.

Checking in src/app/xul/esc/defaults/preferences/esc-prefs.js;
/cvs/dirsec/esc/src/app/xul/esc/defaults/preferences/esc-prefs.js,v <-- esc-prefs.js
new revision: 1.8; previous revision: 1.7
done
Running syncmail...

Checking in getcachain.xul;
/cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/getcachain.xul,v <-- getcachain.xul
initial revision: 1.1
done
Mailing relnotes...
...syncmail done.
Running syncmail...
Mailing cvsdirsec...
...syncmail done.
Checkins: TPS:

Branch:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa':
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Adding         base/tps/forms/esc/cgi-bin/home/cachain.cgi
Sending        base/tps/forms/esc/cgi-bin/home/index.cgi
Transmitting file data ....
Committed revision 1234.

Trunk:

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser." Makefile.am Makefile.in
Sending        Makefile.am
Sending        Makefile.in
Transmitting file data ..
Committed revision 1235.

svn commit -m "Fix Bug 497931 - CS 8.0 -- Have to download and stall the trust chain through ESC even if it was already installed in the browser."
Enter passphrase for key '/home/jmagne/.ssh/id_rsa':
Adding         forms/esc/cgi-bin/home/cachain.cgi
Sending        forms/esc/cgi-bin/home/index.cgi
Transmitting file data ..
Committed revision 1236.
Feature can be tested with the next build of TPS and the next Windows build of ESC.
Tested case #1 in comment 11 on a Win XP 32 machine with ESC-1.1.0-12. Burning a phone home url throws the error "The file chrome://esc/content/getchain.xul cannot be found. Please check the location and try again". Jack looked into the issue; the file is missing - need an ESC build respin with this fix.
Local respin confirmed the simple problem. Official bits on the way.
Latest build addresses this.
Tested with ESC-1.1.0-13 on a Win XP 64 bit machine.

- Configured /usr/lib/pki-tps/cgi-bin/home/index.cgi to include cachain.cgi; the CA Certificate Trust Chain is downloaded and can be trusted during the phone home process.

- Tested the esc-prefs.js file with esc.global.alt.nss.db=<path to another db to trust>; certificate trust is populated successfully in ESC.

- Tested ESC installation with command line switches:

./esc-installer.exe /EscConfig=esc.global.alt.nss.db=c:\common-nss-db /EscConfig=esc.test.boolean.pref=false

This does not populate the certificate and trust into the ESC security database. The certificate and the trust are populated only when the path to the nss db has forward slashes, like this:

./esc-installer.exe /EscConfig=esc.global.alt.nss.db=c:/common-nss-db

Verified that the command line switch used multiple times with different values sets the values correctly in esc/defaults/preferences/esc-prefs.js.

Marking the bug verified.
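The following is an added example and is not code from ESC, TPS or the ESC Windows installer. It models the /EscConfig=<pref>=<value> switch described in the design comment above and the esc-prefs.js lines it writes, and reproduces the backslash failure reported in the verification comment: written verbatim into a JS-style pref file, the value c:\common-nss-db loses its backslash (the `\c` is consumed as an escape), while c:/common-nss-db survives unchanged. The function names (parseEscConfigArgs, renderEscPrefs, loadPrefs, demo) are invented here, the command lines are constructed from the ones quoted in the thread, and loadPrefs assumes that ESC's pref reader applies the same backslash-escape rules as a JS string literal, which is consistent with the tester's observation but is an assumption of this example.

```javascript
// Added example, not ESC/TPS project code.  Models the /EscConfig installer
// switch and shows why an unescaped Windows path breaks in esc-prefs.js.
"use strict";

// Collect every /EscConfig=<pref>=<value> switch from an argv-style array.
// The pref name ends at the first '=', so a value may itself contain '='.
function parseEscConfigArgs(argv) {
  const prefs = new Map();
  for (const arg of argv) {
    const m = /^\/EscConfig=([^=]+)=(.*)$/.exec(arg);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

// Render a command-line value as the literal for a pref() call.  Booleans and
// integers are written bare; anything else is a string.  With escape=false the
// string is pasted verbatim between quotes, which is the defect the tester hit
// with c:\common-nss-db; with escape=true JSON.stringify doubles every
// backslash and quote, giving a valid JS string literal for any value.
function prefLiteral(value, escape) {
  if (value === "true" || value === "false") return value;
  if (/^-?\d+$/.test(value)) return value;
  return escape ? JSON.stringify(value) : `"${value}"`;
}

// Produce the esc-prefs.js fragment for the collected switches.
function renderEscPrefs(prefs, escape) {
  let out = "";
  for (const [name, value] of prefs) {
    out += `pref(${JSON.stringify(name)}, ${prefLiteral(value, escape)});\n`;
  }
  return out;
}

// Stand-in for the pref file reader (assumption: ESC's parser honours JS
// string-literal escapes).  Evaluates the fragment with a pref() callback
// that records each setting, so we see exactly what value ESC would get.
function loadPrefs(source) {
  const result = {};
  const pref = (name, value) => { result[name] = value; };
  new Function("pref", source)(pref);
  return result;
}

// Run the installer command line from the verification comment both ways.
// The argv strings are constructed here; "c:\\common-nss-db" is how the
// single-backslash path c:\common-nss-db is spelled in JS source.
function demo(escape) {
  const argv = [
    "/EscConfig=esc.global.alt.nss.db=c:\\common-nss-db",
    "/EscConfig=esc.test.boolean.pref=false",
  ];
  return loadPrefs(renderEscPrefs(parseEscConfigArgs(argv), escape));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("verbatim:", demo(false)["esc.global.alt.nss.db"]); // c:common-nss-db
  console.log("escaped: ", demo(true)["esc.global.alt.nss.db"]);  // c:\common-nss-db
}
```

Run with `node` to see the two results side by side. The tester's forward-slash workaround works because a path without backslashes contains nothing to escape; an installer that escapes the value when it writes esc-prefs.js, as renderEscPrefs does with escape=true, removes the need for that workaround and also handles values containing quotes.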