From 3a626bff6cf98acafdc8d797ede0e2adf5c6c964 Mon Sep 17 00:00:00 2001
From: mcnesium
Date: Fri, 21 Nov 2014 16:01:53 +0100
Subject: [PATCH] original data as seen on pending.io
---
 README.md | 19 +++++++++++
 add-certificates-to-phone.sh | 61 ++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 add-certificates-to-phone.sh
diff --git a/README.md b/README.md
index aea2589..4db1feb 100644
--- a/README.md
+++ b/README.md
@@ -2,3 +2,22 @@ b2g-certificates
 ================

 A shell script to add root certificates to Firefox OS
+
+*The script originates at Enrico's [pending.io](http://www.pending.io/add-cacert-root-certificate-to-firefox-os/) where the discussion came up to enhance the script. The following is the initial documentation taken from that page as well. Anyone is welcome to contribute.*
+
+While being quite happy with my new Firefox OS phone so far, the biggest stopper for me was that, like all Mozilla products, the root certificate of [CAcert](https://www.cacert.org) was not included and so I could not access sites using certificates assured by CAcert.
+
+Recent versions of [Gaia](https://github.com/mozilla-b2g/gaia) allow to accept untrusted site certificates in the browser but in case you want to use an IMAP server or Caldav server which is using a CAcert assured certificate, you are still stuck.
+
+Based on a post by [Carmen Jiménez Cabezas](https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.b2g/B57slgVO3TU), I wrote a script to read the certificate database from the phone (via adb), add some certificates and then write the database back to the phone. After this procedure, the CAcert root certificate (or any other) are known by the phone and can be used. This enabled me to access my own IMAP server via SSL from the Email app and also use a self-hosted groupware as Caldav server for the Calendar app via HTTPS.
+
+How-to
+------
+
+Save the script somewhere on your system.
+
+Once done, add a new directory in the directory where you stored the script and place the certificates in this directory which you want to add to the phone's database. For CAcert, this would be the class 3 root certificate in PEM format as found on the [CAcert website](https://www.cacert.org/index.php?id=3).
+
+Then simply run the script.
+
+Note: before running the script you need to enable 'Remote debugging' in the Developer settings menu and connect your phone with your PC using a USB cable (or more general: get adb working).
\ No newline at end of file
diff --git a/add-certificates-to-phone.sh b/add-certificates-to-phone.sh
new file mode 100644
index 0000000..e32fa7c
--- /dev/null
+++ b/add-certificates-to-phone.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+CERT_DIR=certs
+ROOT_DIR_DB=/data/b2g/mozilla
+CERT=cert9.db
+KEY=key4.db
+PKCS11=pkcs11.txt
+DB_DIR=`adb shell "ls -d ${ROOT_DIR_DB}/*.default 2>/dev/null" | sed "s/default.*$/default/g"`
+
+if [ "${DB_DIR}" = "" ]; then
+ echo "Profile directory does not exists. Please start the b2g process at
+least once before running this script."
+ exit 1
+fi
+
+function log
+{
+ GREEN="\E[32m"
+ RESET="\033[00;00m"
+ echo -e "${GREEN}$1${RESET}"
+}
+
+# cleanup
+rm -f ./$CERT
+rm -f ./$KEY
+rm -f ./$PKCS11
+
+# pull files from phone
+log "getting ${CERT}"
+adb pull ${DB_DIR}/${CERT} .
+log "getting ${KEY}"
+adb pull ${DB_DIR}/${KEY} .
+log "getting ${PKCS11}"
+adb pull ${DB_DIR}/${PKCS11} .
+
+# clear password and add certificates
+log "set password (hit enter twice to set an empty password)"
+certutil -d 'sql:.' -N
+
+log "adding certificats"
+for i in ${CERT_DIR}/*
+do
+ log "Adding certificate $i"
+ certutil -d 'sql:.' -A -n "`basename $i`" -t "C,C,TC" -i $i
+done
+
+# push files to phone
+log "stopping b2g"
+adb shell stop b2g
+
+log "copying ${CERT}"
+adb push ./${CERT} ${DB_DIR}/${CERT}
+log "copying ${KEY}"
+adb push ./${KEY} ${DB_DIR}/${KEY}
+log "copying ${PKCS11}"
+adb push ./${PKCS11} ${DB_DIR}/${PKCS11}
+
+log "starting b2g"
+adb shell start b2g
+
+log "Finished."
\ No newline at end of file
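Review bot: None of the `adb pull` or `certutil` calls in the new script is checked, so after the `rm -f` cleanup a failed pull leaves no local database, `certutil -d 'sql:.' -N` will then presumably create an empty one, and the push section overwrites the phone's `cert9.db` and `key4.db` with it. Stopping at the first failure avoids that, for example `set -e` right after the shebang or `adb pull "${DB_DIR}/${CERT}" . || exit 1` on each pull, and keeping a copy of the pulled files before modifying them gives a way back. Separately, `-t "C,C,TC"` marks every file found in `certs/` as a trusted CA for TLS, e-mail and object signing, while the use described in the README (IMAP and CalDAV over TLS) needs only the first field, `-t "C,,"`. `$i` is also unquoted in the loop, so a certificate file name containing spaces breaks both `basename` and `-i`; `-n "$(basename -- "$i")"` and `-i "$i"` fix that.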