Access Firefox's certificate trust store from Java

4
votes

I'm almost losing hope on this one. I'm trying to access the Firefox trust store from Java 7 using the NSS libraries that come with the Firefox installation, via PKCS#11.

Here is the code:

import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import sun.security.pkcs11.SunPKCS11;

public class Test {

    public static void main(String[] args) throws Exception {
        String configName = "pkcs11.cfg";
        SunPKCS11 p = new SunPKCS11(configName);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null,  "apassword".toCharArray());
        System.out.println("Size: " + ks.size());
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            System.out.println(aliases.nextElement());
        }
    }
}

Here are the contents for the PKCS#11 config:

name = NSS
nssLibraryDirectory = /usr/lib/firefox/
nssSecmodDirectory = "/home/bogdan/.mozilla/firefox/x5d8wol9.default/"
nssModule =trustanchors
showInfo = true

When I run the application I also set the property -Djava.library.path=/usr/lib/firefox/

When I run the application I get the following:

NSS modules: [NSS Internal PKCS #11 Module (CRYPTO, /usr/lib/firefox/libsoftokn3.so, slot 0), NSS Internal PKCS #11 Module (KEYSTORE, /usr/lib/firefox/libsoftokn3.so, slot 1)]
Exception in thread "main" java.security.ProviderException: NSS module not available: trustanchors
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:271)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at Test.main(Test.java:11)

You can actually see that the "trustanchors" module is not loaded at the initialisation step, but I have no idea why. The documentation here: http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS says that

The trustanchors module enables access to NSS trust anchor certificates via the PKCS11 KeyStore, if secmod.db has been configured to include the trust anchor library.

but I have no idea what that means. It's worth noting that I get the same behaviour with both Windows XP 32 bit and Ubuntu 11.10 64-bit. It seems that the pkcs11.cfg is correct as if I change any of the paths the application will fail with other errors.

Any bright ideas?

1
javafirefoxcryptographynsspkcs#11
to find out what secmod.db is? mozilla.org/projects/security/pki/nss/tools/modutil.htmlmazaneicha
The Root certificate module does appear if I list it with modutil -list -dbdir /home/bogdan/.mozilla/firefox/x5d8wol9.default/Bogdan
I think the problem is related to the fact that it thinks that this module uses the library "/home/bogdan/.mozilla/firefox/x5d8wol9.default/libnssckbi.so", but this file doesn't exist. I tried to copy it there and now I get this failure: Exception in thread "main" java.security.ProviderException: Library /usr/lib/firefox/home/bogdan/.mozilla/firefox/x5d8wol9.default/libnssckbi.so does not exist (notice the weird path which is a concatenation with LD_LIBRARY_PATH)Bogdan

1 Answers

1
votes

I've managed to solve the problem in the end by using the JSS4 Mozilla library. If you want to use it make sure that you download the JSS4 JAR as well as native library implementation AND the other dependencies it has - the NSPR and NSS native libraries.

Make sure that on Linux the location of the native libraries is in LD_LIBRARY_PATH and on Windows their location is in the %PATH% variable. You might be tempted to use the DLLs/SOs that come with the Firefox distribution. This doesn't work on Windows I found (something to do with the fact that they were compiled for a WIN95 platform I think)

The rest of the information is in the documentation of the JSS4 library, but you basically need to use the org.mozilla.jss.CryptoManager class.