pull/1/head
liaronce 2021-10-07 16:02:48 +08:00
parent 9b2063adf8
commit cd685d128d
19 changed files with 194 additions and 12 deletions

3
.gitignore vendored 100644

@ -0,0 +1,3 @@
cert9.db
key4.db
pkcs11.txt

23
README-original.md 100644

@ -0,0 +1,23 @@
b2g-certificates
================
A shell script to add root certificates to Firefox OS
*The script originates at Enrico's [pending.io](http://www.pending.io/add-cacert-root-certificate-to-firefox-os/) where the discussion came up to enhance the script. The following is the initial documentation taken from that page as well. Anyone is welcome to contribute.*
While being quite happy with my new Firefox OS phone so far, the biggest stopper for me was that, like all Mozilla products, the root certificate of [CAcert](https://www.cacert.org) was not included and so I could not access sites using certificates assured by CAcert.
Recent versions of [Gaia](https://github.com/mozilla-b2g/gaia) allow to accept untrusted site certificates in the browser but in case you want to use an IMAP server or Caldav server which is using a CAcert assured certificate, you are still stuck.
Based on a post by [Carmen Jiménez Cabezas](https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.b2g/B57slgVO3TU), I wrote a script to read the certificate database from the phone (via adb), add some certificates and then write the database back to the phone. After this procedure, the CAcert root certificate (or any other) are known by the phone and can be used. This enabled me to access my own IMAP server via SSL from the Email app and also use a self-hosted groupware as Caldav server for the Calendar app via HTTPS.
How-to
------
Save the script somewhere on your system.
Once done, add a new directory in the directory where you stored the script and place the certificates which you want to add to the phone's database in the sub directory 'certs'. For CAcert, this would be the class 3 root certificate in PEM format as found on the [CAcert website](https://www.cacert.org/index.php?id=3).
Then simply run the script.
Note: before running the script you need to enable 'Remote debugging' in the Developer settings menu and connect your phone with your PC using a USB cable (or more general: get adb working).


@ -1,23 +1,32 @@
b2g-certificates
================
# b2g-certificates
A shell script to add root certificates to Firefox OS
*The script originates at Enrico's [pending.io](http://www.pending.io/add-cacert-root-certificate-to-firefox-os/) where the discussion came up to enhance the script. The following is the initial documentation taken from that page as well. Anyone is welcome to contribute.*
[Original README](README-original.md)
While being quite happy with my new Firefox OS phone so far, the biggest stopper for me was that, like all Mozilla products, the root certificate of [CAcert](https://www.cacert.org) was not included and so I could not access sites using certificates assured by CAcert.
Linux (Debian & Ubuntu):
Recent versions of [Gaia](https://github.com/mozilla-b2g/gaia) allow to accept untrusted site certificates in the browser but in case you want to use an IMAP server or Caldav server which is using a CAcert assured certificate, you are still stuck.
```bash
sudo apt-get install libnss3-tools adb wget
git clone https://github.com/openGiraffes/b2g-certificates
cd b2g-certificates
Based on a post by [Carmen Jiménez Cabezas](https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.b2g/B57slgVO3TU), I wrote a script to read the certificate database from the phone (via adb), add some certificates and then write the database back to the phone. After this procedure, the CAcert root certificate (or any other) are known by the phone and can be used. This enabled me to access my own IMAP server via SSL from the Email app and also use a self-hosted groupware as Caldav server for the Calendar app via HTTPS.
chmod +x ./add-certificates-to-phone.sh
./add-certificates-to-phone.sh
How-to
------
# If you are using WSL, please run this (Need to set Android Platform Tools as an environment variable)
chmod +x ./add-certificates-to-phone-wsl.sh
./add-certificates-to-phone-wsl.sh
```
Save the script somewhere on your system.
Windows Batch(Testing and NSS `certutil` reported an error):
Once done, add a new directory in the directory where you stored the script and place the certificates which you want to add to the phone's database in the sub directory 'certs'. For CAcert, this would be the class 3 root certificate in PEM format as found on the [CAcert website](https://www.cacert.org/index.php?id=3).
```batch
add-certificates-to-phone.bat
```
Then simply run the script.
NSS (Windows, 3.35.0, fron AdGuard) `certutil` reported an error:
```
certutil.exe: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
```
Note: before running the script you need to enable 'Remote debugging' in the Developer settings menu and connect your phone with your PC using a USB cable (or more general: get adb working).
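Review bot: Going by the hunk header (23 lines before, 32 after) and the order of the lines here, the added lines take the place of the blank lines between the original paragraphs rather than replacing the old text, so the result is interleaved: the "Based on a post by ..." paragraph ends up inside the ```bash fence between `cd b2g-certificates` and `chmod +x`, and the old "How-to" heading lands in the middle of the commands. Since the old text is already kept in README-original.md, delete it here and leave only the new sections, with a short prerequisites line for the `certs` directory and Remote debugging. Separately, the "Windows Batch" section presents `add-certificates-to-phone.bat` as a usage path while the lines below it record `SEC_ERROR_LEGACY_DATABASE`; mark it as not working yet. "fron AdGuard" should read "from AdGuard".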


@ -0,0 +1,61 @@
#!/bin/bash
CERT_DIR=certs
ROOT_DIR_DB=/data/b2g/mozilla
CERT=cert9.db
KEY=key4.db
PKCS11=pkcs11.txt
DB_DIR=`adb.exe shell "ls -d ${ROOT_DIR_DB}/*.default 2>/dev/null" | sed "s/default.*$/default/g"`
if [ "${DB_DIR}" = "" ]; then
echo "Profile directory does not exists. Please start the b2g process at
least once before running this script."
exit 1
fi
function log
{
GREEN="\E[32m"
RESET="\033[00;00m"
echo -e "${GREEN}$1${RESET}"
}
# cleanup
rm -f ./$CERT
rm -f ./$KEY
rm -f ./$PKCS11
# pull files from phone
log "getting ${CERT}"
adb.exe pull ${DB_DIR}/${CERT} .
log "getting ${KEY}"
adb.exe pull ${DB_DIR}/${KEY} .
log "getting ${PKCS11}"
adb.exe pull ${DB_DIR}/${PKCS11} .
# clear password and add certificates
log "set password (hit enter twice to set an empty password)"
certutil -d 'sql:.' -N
log "adding certificats"
for i in ${CERT_DIR}/*
do
log "Adding certificate $i"
certutil -d 'sql:.' -A -n "`basename $i`" -t "C,C,TC" -i $i
done
# push files to phone
log "stopping b2g"
adb.exe shell stop b2g
log "copying ${CERT}"
adb.exe push ./${CERT} ${DB_DIR}/${CERT}
log "copying ${KEY}"
adb.exe push ./${KEY} ${DB_DIR}/${KEY}
log "copying ${PKCS11}"
adb.exe push ./${PKCS11} ${DB_DIR}/${PKCS11}
log "starting b2g"
adb.exe shell start b2g
log "Finished."
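Review bot: None of the three `adb.exe pull` calls is checked, so after a failed pull the script still runs `certutil -d 'sql:.' -N`, stops b2g and pushes whatever is in the working directory back to `${DB_DIR}`; add `set -e` near the top or test each pull and exit before the "push files to phone" section, and keep a backup copy of the pulled files before modifying them. In the loop, `$i` and `` `basename $i` `` are unquoted, so a certificate file name containing a space breaks the `certutil -A` call; use `"$i"` and `"$(basename "$i")"`. The loop also adds every file under `certs` with `-t "C,C,TC"`, so it is worth logging the subject of each certificate before adding it. The pulled `key4.db` stays in the working directory after "Finished."; remove it once the push has succeeded.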


@ -0,0 +1,55 @@
@echo off
:: Set environment variable
set CERT_DIR=certs
set CERT=cert9.db
set KEY=key4.db
set PKCS11=pkcs11.txt
for /f %%i in ('adb shell "ls -d /data/b2g/mozilla/*.default 2>/dev/null" ^|^| "bin/sed.exe" "s/default.*$/default/g"') do set DB_DIR=%%i
if DB_DIR == "" (
echo "Profile directory does not exists. Please start the b2g process at least once before running this script."
pause
)
:: Cleanup
del /f %CERT%
del /f %KEY%
del /f %PKCS11%
:: Pull files from phone
@echo Getting %CERT%
adb pull %DB_DIR%/%CERT% .
@echo Getting %KEY%
adb pull %DB_DIR%/%KEY% .
@echo Getting %PKCS11%
adb pull %DB_DIR%/%PKCS11% .
:: Clear password and add certificates
@echo Set password (hit enter twice to set an empty password)
"bin/nss/certutil.exe" -d 'sql:.' -N
@echo Adding certificats
for %%i in (%CERT_DIR%/*) do (
echo Adding certificate %%i
"bin/nss/certutil.exe" -d 'sql:.' -A -n "`basename %%i`" -t "C,C,TC" -i %CERT_DIR%/%%i
)
:: Push files to phone
@echo Stopping B2G
adb shell stop b2g
@echo copying %CERT%
adb push ./%CERT% %DB_DIR%/%CERT%
@echo copying %KEY%
adb push ./%KEY% %DB_DIR%/%KEY%
@echo copying %PKCS11%
adb push ./%PKCS11% %DB_DIR%/%PKCS11%
@echo Starting B2G
adb shell start b2g
@echo Finished.
pause
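Review bot: `if DB_DIR == ""` compares the literal text DB_DIR with `""`, so the missing-profile check can never fire, and even if it did the block only pauses and then carries on to the `del`, `adb pull` and `adb push` steps; use `if "%DB_DIR%"=="" ( ... exit /b 1 )`. In the `for /f` line, `^|^|` is an escaped `||`, not a pipe, so `sed.exe` runs only when `adb shell` fails; a single `^|` is what pipes the output. Inside the certificate loop, `` "`basename %%i`" `` is passed to certutil literally because cmd has no backtick substitution (`%%~nxi` gives the file name), and the single quotes in `'sql:.'` are not stripped by cmd either, so certutil receives them as part of the argument. As in the shell script, no `adb pull` result is checked before the push section.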

Binary file not shown.

BIN
bin/nss/freebl3.dll 100644

Binary file not shown.

Binary file not shown.

BIN
bin/nss/libplc4.dll 100644

Binary file not shown.

Binary file not shown.

BIN
bin/nss/nss3.dll 100644

Binary file not shown.

BIN
bin/nss/nssckbi.dll 100644

Binary file not shown.

BIN
bin/nss/nssdbm3.dll 100644

Binary file not shown.

Binary file not shown.

BIN
bin/nss/smime3.dll 100644

Binary file not shown.

Binary file not shown.

BIN
bin/nss/sqlite3.dll 100644

Binary file not shown.

BIN
bin/sed.exe 100644

Binary file not shown.
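Review bot: The `bin/nss/*.dll` files and `bin/sed.exe` are committed as opaque binaries, and nothing in this commit records where each one was obtained or what its hash should be; the only hint is the README line mentioning NSS 3.35.0. Add a short manifest with source URL, version and SHA-256 for every file under `bin/`, or have the batch script rely on tools the user installs from upstream, so that the executables handling the phone's key database can be verified.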


@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
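Review bot: The certificate added in this file comes with no record of which CA it belongs to or what its fingerprint should be. If it sits under `certs`, the scripts in this commit add it with `-t "C,C,TC"` on every run, so state the subject and SHA-256 fingerprint in the README and let users compare them with the CA's published values before running the script.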