Thursday, September 29, 2011

Introspecting Certificates

Today I merged in a contribution from Evan Nemerson for GObject introspection support into the Gcr and Gck libraries. I ended up tweaking thousands of lines of comments and code, filed some bugs and so forth.

But the end result is you use PKCS#11 and stuff like the Gcr certificate widgets, from languages like python and javascript (although not your browser). For example this:

const Gck = imports.gi.Gck;
const Gcr = imports.gi.Gcr;
const Gtk = imports.gi.Gtk;

/* TODO: From pkcs11.h */
const CKA_CLASS = 0;
const CKO_CERTIFICATE = 1;
const CKA_VALUE = 17;

const URI = "pkcs11:object-type=cert";

Gtk.init(null, null);
var dialog = new Gtk.Dialog();

var viewer = new Gcr.ViewerWidget();
dialog.get_content_area().pack_start(viewer, true, true, 0);

var modules = Gck.modules_initialize_registered(null);
var objects = Gck.modules_objects_for_uri(modules, URI, Gck.SessionOptions.READ_ONLY);

objects.forEach(function(object) {
 viewer.load_data(null, object.get_data(CKA_VALUE, null));
});

viewer.show();
dialog.run();

... will pop up a window show up with every certificate on every smart card and key storage you have configured. All of this goodness is in gnome-keyring git master.

Friday, September 23, 2011

Smart card icons

I've been working on smart card integration into Seahorse, and as part of that we need icons for smart cards. I had fun putting together something today:


Obviously not perfect, but I'm happy with the result. The tools and info in gnome-icon-theme are really nice.

At some point when the illustrious icon designers get a chance, it'd be cool to have a smart card icon in gnome-icon-theme. I imagine they'd want to fix it up or replace it. But for now this will live in the gcr library.

NLnet is sponsoring my employer Collabora to work on basic smart card viewing and simple management in Seahorse. Shortly I'll be posting more goodies coming related to this, including stuff that fixes up Seahorse for casual users as well.

Tuesday, September 6, 2011

Ditching Certificate Authorities with Convergence

Listened to Moxie's talk about Trust Agility and 'Convergence'. Sounds like a viable candidate for ditching the Certificate Authority mess, or at least part of a solution. Go watch the video if you haven't already.

I was thinking about how we could implement support for Convergence in GNOME. The local cache of discovered valid certificates would work far better across an entire desktop, rather than each application (browser or otherwise) including code, configuration, and storage to do it on their own.

In fact it fits in nicely with the Trust Assertion stuff I've been playing with. It'd be relatively straightforward to build a PKCS#11 Trust Assertion module which used Convergence to seed Trust Assertions. That would plug in easily to GLib, GCR, NSS etc. (modulo a few patches not yet merged).

But a few things popped into my mind while watching the video. Stuff that it seems would need to be solved before this can be implemented as general purpose solution. This is just off the top of my head, and perhaps I'm woefully mistaken about something:

  1. Protocols and Options: Since I work for Collabora and we have a thing for XMPP, the first thing that stood out to me, is that the protocol is limited to HTTP, and more specifically SSL. Nearly every other protocol uses TLS for security.

    So for starters this means that when the Notary wants to retrieve the certificate it'll need to know how to speak a given protocol. I guess different notaries could know speak different protocols when fetching the certificate from the target server?

    Then the Convergence protocol would need to be changed to allow the caller to specify a well known protocol. Perhaps the protocol would also need some sort of capabilities support so that clients can know which Notaries can do what?
     
  2. TLS Options, Extensions: Taking this a step further, the Notary would need to provide the same TLS options and extensions that are used in the handshake. Most obviously: SNI
     
  3. Hash Algorithm: The protocol currently hardcodes things like SHA-1, which isn't aging very well. And as we've learned, it's often better to pass the entire certificate around. Or at least, have it extensible where you can specify a hash algorithm to use.
     
  4. Obviously Convergence doesn't (and probably can't) work if the server is requiring client certificates. I guess it's not meant to solve this use case though.
     
  5. The installing of Notaries by downloading them as files from websites (including the certificate) smells sort of wrong, at first whiff. But if you figure that several Notaries would be distributed with a distribution (and could later be updated as necessary) and the certificates of websites hosting additional .notary files could be checked using the initial set of Notaries, then I guess it sort of makes sense.
     
  6. Protocol Specification: Last but not least, the protocol needs to be documented and reviewed.
About usability: Obviously most users will never care about checking which Notaries they use. I have a hard time expecting most people to care. But they don't have to.

The Trust Agility comes with the fact that a distributor like GNOME could easily ship a default set of Notaries, and then update them as needed without affecting functionality. As Moxie points out the browser vendors can't even disable screwballs like Comodo because it would disable a quarter of the web. So that's where this is different. You can replace screwed up Notaries without affecting functionality.

And no more self-signed certificate warnings. Seriously, that dialog (wherever it's implemented) is the worst security cop-out ever.

Thursday, September 1, 2011

Viewer for Certificate and Key files

So a lot of the work I do doesn't have any user interface. The best user interface is no user interface, well one that isn't needed. But recently I've been working some tools to view the plethora of certificate and key formats out there. So I couldn't resist blogging about this, because I get to use screenshots, heh.

The NLnet Foundation has been sponsoring Collabora to do some smart card work, and this is part of that. This work is part of the GCR library, and is merged into gnome-keyring master.

Here's a certificate viewer showing a certificate:


Details can then be expanded:



And here's what a key looks like.



When the file is locked (like a PKCS#12 file) it can be unlocked like this video shows. It also shows the appalling state of affairs with hundreds of certificate authoritities, dubious and otherwise.



In the next release, we'll have an "Import" button in the bottom right corner, so that the certificates and keys being viewed can be imported and used into common locations. Hopefully we'll also get able to view PGP keys in files (before importing them).

The widgets you see displaying the certificates can be used by any application from the GCR library.