Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SecureSocket.initialize should be able to load in-memory certificate stores #8227

Closed
nex3 opened this issue Jan 31, 2013 · 14 comments
Closed
Assignees
Labels
area-library library-io P2 A bug or feature request we're likely to work on type-enhancement A request for a change that isn't a bug
Milestone

Comments

@nex3
Copy link
Member

nex3 commented Jan 31, 2013

Currently SecureSocket.initialize can only load certificate data from a file that's physically present on the filesystem. This makes it very awkward to configure SecureSocket, especially in programs distributed to third-party users. It would be preferable to be able to manipulate the certificate store in memory, especially for the relatively common use case of adding a few certificates to the store.

@madsager
Copy link
Contributor

I agree that it would be handy to be able to add a couple of certificates to the default database in Dart code.

We were trying to avoid having to make certificate management available in dart:io because there are external tools available to manage databases. Shipping a dart program to users involves shipping the dart files already and shipping a custom database directory as a resource seems reasonable.

Having to get familiar with an external tool just to add a couple of certificates is painful though, so we should have a look at making that common case possible directly.


Set owner to @whesse.
Removed Type-Defect label.
Added Type-Enhancement, Accepted labels.

@whesse
Copy link
Member

whesse commented Jul 11, 2013

Added Started label.

@whesse
Copy link
Member

whesse commented Jul 11, 2013

It is more difficult to add a certificate with a corresponding private key, than it is to just add a certificate. So I'll start with just the code to add a certificate to the in-memory certificate store, from various certificate encodings.

@sgjesse
Copy link
Contributor

sgjesse commented Jul 24, 2013

Added this to the M6 milestone.

@sgjesse
Copy link
Contributor

sgjesse commented Aug 15, 2013

This was done in https://code.google.com/p/dart/source/detail?r=25610 (certificate) and https://code.google.com/p/dart/source/detail?r=26002 (certificate with private key).

However as the might cause issues when running multiple isolates as changes in one isolate will affect other isolates and could lead to unexpected results. This was removed again in https://code.google.com/p/dart/source/detail?r=26194.

For now use the NSS certutil program (https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil) to manage the certificate database. certutil can be run from Dart as a separate process to set up the certificate database before SecureSocket.initialize is called.


Added AsDesigned label.

@nex3
Copy link
Member Author

nex3 commented Aug 15, 2013

It also seems like a problem that multiple isolates share the same certificate store. I've filed issue #12491 to track that. Can we mark this blocked on that issue rather than marking it AsDesigned?

@sgjesse
Copy link
Contributor

sgjesse commented Aug 19, 2013

Currently NSS does not support initialization more that once, and the database is process wide. There might be some work on changing this, see https://wiki.mozilla.org/NSS_Library_Init.


Removed the owner.
Removed this from the M6 milestone.
Added this to the Later milestone.
Removed Priority-Medium label.
Added Priority-Low, Waiting labels.
Marked this as being blocked by #12491.

@kevmoo
Copy link
Member

kevmoo commented May 14, 2014

Removed Area-IO label.
Added Library-IO, Area-Library labels.

@kasperl
Copy link

kasperl commented Jul 10, 2014

Removed this from the Later milestone.
Added Oldschool-Milestone-Later label.

@kasperl
Copy link

kasperl commented Aug 4, 2014

Removed Oldschool-Milestone-Later label.

@whesse
Copy link
Member

whesse commented Sep 2, 2015

I am now working on adding SecurityContext.setTrustedCertificatesFromString , .setCertificateChainFromString, and .setPrivateKeyFromString, to supplement the existing methods (new in 1.13, with the shift to BoringSSL) that read these from files.

That will resolve this issue. The issue about separate stores for separate isolates is already solved by BoringSSL in 1.13.

@whesse whesse added this to the 1.13 milestone Sep 2, 2015
@whesse whesse added Priority-Medium and removed P3 A lower priority bug or feature request Waiting labels Sep 2, 2015
@whesse whesse modified the milestones: 1.14, 1.13 Oct 6, 2015
@whesse whesse modified the milestones: 1.15, 1.14 Jan 14, 2016
@whesse
Copy link
Member

whesse commented Jan 26, 2016

This issue is not dead, and should be fixed when possible.

@whesse whesse assigned zanderso and unassigned whesse Jan 26, 2016
zanderso added a commit that referenced this issue Jan 29, 2016
This is the first step toward removing blocking IO calls from
the implementation of the SecurityContext API.

Using a buffer rather than a file name API will probably be needed
for implementing SecurityContext and SecureSocket with platform
specific built-in APIs on iOS/Mac/Windows rather than BoringSSL.

related #8227

R=whesse@google.com

Review URL: https://codereview.chromium.org/1616073004 .
@kevmoo kevmoo added P2 A bug or feature request we're likely to work on and removed Priority-Medium labels Mar 1, 2016
@mit-mit
Copy link
Member

mit-mit commented Mar 1, 2016

@zanderso what is the status?

@zanderso
Copy link
Member

zanderso commented Mar 1, 2016

This was fixed by the above commit.

@zanderso zanderso closed this as completed Mar 1, 2016
@kevmoo kevmoo added type-enhancement A request for a change that isn't a bug and removed type-enhancement labels Mar 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-library library-io P2 A bug or feature request we're likely to work on type-enhancement A request for a change that isn't a bug
Projects
None yet
Development

No branches or pull requests

8 participants