Security project | > | Component Security | > | Using a Master Certificate |
Using a Master Certificate for Remote Trust Grants
Mitch StoltzThis page describes a feature available to distributors of Mozilla which allows establishing a "master certificate." This certificate can grant trust to other code-signing certificates without user interaction. These directions assume a basic familiarity with the concept of code signing. See the links in the provided documentation at the Component Security main page for more information.
The Need for this Feature
In general, if a script wishes to read a user's personal data or perform other sensitive operations, the user must give permission to the script, normally by answering Yes to a dialog box. For some Mozilla embedders and distributors, this dialog box detracts from the user experience, and another method of granting trust while still ensuring security must be used. By distributing a master certificate with the browser, a distributor can allow Web developers to perform sensitive operations in the browser without confirmation from the user.
Official mozilla.org software releases do not have a master certificate installed. The features described below will not work with releases from mozilla.org. These features can be activated at the discretion of individual Mozilla embedders/distributors.
The Master Certificate
The master certificate in Mozilla is defined as the
signature on the systemSignature.jar
file. On Windows and Unix systems, this file must be installed in the same
directory as the Mozilla binary, and on Macintoshes, in the Essential Files
directory. This file can be generated using SignTool, a Mozilla
utility for signing code files.
[Download Signtool]
[Complete Documentation]
Assuming the certificate you want to use as a master certificate is installed in your certificate database, a master certificate file can be generated with a command like this:
signtool -k "MyMasterCertNickname" -Z systemSignature.jar emptyDir
... where myMasterCertNickname
is the name of your master
certificate as it is installed in your certificate database, and emptyDir
is an empty directory, which indicates that no files besides the signature file
itself should be placed in the jar. This command will create a file called
systemSignature.jar
which can be distributed with a Mozilla-based
browser. Without this file present in the browser distribution, the master
certificate features will not work.
Protect the private key to your master certificate very carefully. Remember that anyone who can sign scripts with your master certificate could gain unauthorized access to any browser distributed with that certificate.
The API
A script signed by the currently installed master certificate can call two functions which no other scripts can call. They are:
netscape.security.PrivilegeManager.setCanEnablePrivilege(certificateID, privilegeList)
which can grant trust to other certificates, andnetscape.security.PrivilegeManager.invalidate(certificateID)
which permanently revokes all trust from a certificate.
The first function, setCanEnablePrivilege
, takes two arguments.
The first is the certificate fingerprint, a cryptographic hash of
the certificate to which you want to grant trust. The fingerprint is a
hexadecimal number which uniquely identifies the certificate. For example, "85:2B:C1:7D:52:63:80:9E:62:02:47:4C:B2:17:BF:29
." To find the
fingerprint of a certificate in your database, open the Personal Security
Manager (under the Tools menu in Mozilla), click the Certificates tab,
select your certificate from the list, and click View.
The second argument to setCanEnablePrivilege
is a
space-separated list of the privileges you
want the certificate to be able to use, for example
UniversalPreferencesRead
for access to browser preferences.
The complete list of built-in privileges can be found in the
Signed Script Policy documentation.
The Two-Certificate Model
It is important to understand that there are two certificates involved in this process. One is the master certificate which is installed by the distributor of a Mozilla-based browser, and the other is the certificate that will be used by the content creator to sign their own scripts, which I will call the website certificate. The process works like this:
- The ABC Company distributes a product based on Mozilla code
which includes a
systemSignature.jar
file. - Foobar.com, a Web content developer, obtains a digital certificate for code signing (the website certificate) and sends the certificate's fingerprint number to ABC.
- ABC writes a script which looks like this
netscape.security.PrivilegeManager.setCanEnablePrivilege(
"85:2B:C1:7D:52:63:80:9E:62:02:47:4C:B2:17:BF:29",
"UniversalPreferencesRead UniversalBrowserRead")
where the fingerprint number on the second line is replaced with the fingerprint of Foobar's site certificate. ABC signs this script with the master certificate and gives the signed script to Foobar.com. Note that the script above enables Foobar's certificate to use two privileges. - Foobar.com creates a website and includes the signed script they received from ABC. When the site needs to access the user's browser privileges, Foobar signs its scripts with the certificate it obtained in step (1).
- When a user visits Foobar's site using ABC's browser, the
"enabling" script that was signed by ABC runs first. After this script
runs, any scripts signed by Foobar's website certificate can call
netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead")
followed by (for example)
var homepage = navigator.preference("browser.startup.homepage")
which reads from the user's browser preferences. The user will not be presented with a confirmation dialog in this case. In fact, this script can be run without the user's knowledge.
The setCanEnablePrivilege
script need only be run once on
a user's browser. The privileges granted to Foobar's site certificate are
stored in browser preferences and will be remembered for future visits to
Foobar's site.
Why Two Certificates?
The two-certificate model allows the Mozilla distributor to decide
which content creators can enable privileges silently, and to revoke
trust from content creators if necessary. Using the companies from the
example above, suppose Foobar.com's website certificate is compromised,
or a security problem is found in their code. ABC, the Mozilla-based
software distributor, can distribute a script signed with their master
certificate which looks like this:
netscape.security.PrivilegeManager.invalidate(
"85:2B:C1:7D:52:63:80:9E:62:02:47:4C:B2:17:BF:29")
The invalidate
function takes a single argument, the
fingerprint of a certificate from which trust should be revoked. This
script, when run, permanently revokes all trust from Foobar.com's website
certificate, ensuring that scripts signed with this certificate can no
longer perform dangerous actions. As with
setCanEnablePrivilege
, invalidate
can only be
called from a script signed with the master certificate. The
invalidate
function allows for a "flu shot" script to
render harmless a compromised certificate or a dangerous signed script.
If the master certificate, which is pre-installed in the browser,
were used to sign website scripts, correcting a compromised certificate
would require a browser upgrade.
Security project | > | Component Security | > | Using a Master Certificate |