SecureSocket.initialize should be able to load in-memory certificate stores #8227
Comments
|
I agree that it would be handy to be able to add a couple of certificates to the default database in Dart code. We were trying to avoid having to make certificate management available in dart:io because there are external tools available to manage databases. Shipping a dart program to users involves shipping the dart files already and shipping a custom database directory as a resource seems reasonable. Having to get familiar with an external tool just to add a couple of certificates is painful though, so we should have a look at making that common case possible directly. Set owner to @whesse. |
|
Added Started label. |
|
It is more difficult to add a certificate with a corresponding private key, than it is to just add a certificate. So I'll start with just the code to add a certificate to the in-memory certificate store, from various certificate encodings. |
|
Added this to the M6 milestone. |
|
This was done in https://code.google.com/p/dart/source/detail?r=25610 (certificate) and https://code.google.com/p/dart/source/detail?r=26002 (certificate with private key). However as the might cause issues when running multiple isolates as changes in one isolate will affect other isolates and could lead to unexpected results. This was removed again in https://code.google.com/p/dart/source/detail?r=26194. For now use the NSS certutil program (https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil) to manage the certificate database. certutil can be run from Dart as a separate process to set up the certificate database before SecureSocket.initialize is called. Added AsDesigned label. |
|
It also seems like a problem that multiple isolates share the same certificate store. I've filed issue #12491 to track that. Can we mark this blocked on that issue rather than marking it AsDesigned? |
|
Currently NSS does not support initialization more that once, and the database is process wide. There might be some work on changing this, see https://wiki.mozilla.org/NSS_Library_Init. Removed the owner. |
|
Removed Area-IO label. |
|
Removed this from the Later milestone. |
|
Removed Oldschool-Milestone-Later label. |
nex3
added
Type-Enhancement
P3
|
I am now working on adding SecurityContext.setTrustedCertificatesFromString , .setCertificateChainFromString, and .setPrivateKeyFromString, to supplement the existing methods (new in 1.13, with the shift to BoringSSL) that read these from files. That will resolve this issue. The issue about separate stores for separate isolates is already solved by BoringSSL in 1.13. |
whesse
added
Priority-Medium
and removed
P3
|
This issue is not dead, and should be fixed when possible. |
This is the first step toward removing blocking IO calls from the implementation of the SecurityContext API. Using a buffer rather than a file name API will probably be needed for implementing SecurityContext and SecureSocket with platform specific built-in APIs on iOS/Mac/Windows rather than BoringSSL. related #8227 R=whesse@google.com Review URL: https://codereview.chromium.org/1616073004 .
kevmoo
added
P2
|
@zanderso what is the status? |
|
This was fixed by the above commit. |
kevmoo
added
type-enhancement
Currently SecureSocket.initialize can only load certificate data from a file that's physically present on the filesystem. This makes it very awkward to configure SecureSocket, especially in programs distributed to third-party users. It would be preferable to be able to manipulate the certificate store in memory, especially for the relatively common use case of adding a few certificates to the store.
The text was updated successfully, but these errors were encountered: