Bug 351858 - x509 Key Support
Status: RESOLVED FIXED
Product: seahorse
Classification: Applications
Component: general
Version: git master
Hardware: Other Linux
Importance: Normal enhancement
Target Milestone: 2.28.0
Assigned To: Seahorse Maintainer
QA Contact: Seahorse Maintainer
Reported: 2006-08-18 00:07 UTC by Stef Walter
Modified: 2012-03-15 09:51 UTC

Description Stef Walter 2006-08-18 00:07:07 UTC
We need to support x509 certificates. 

There are many choices of libraries to use. It's more than likely that we'll need to support two or more at once:

 * GnuTLS
 * NSS
 * OpenSSL

We'd list the CA certificates under 'Keys I Trust', and personal certificates under 'Personal Keys'. 

Once we have all these key types we need options to allow people to turn off display of key types they're not interested in.
Comment 1 Stef Walter 2006-09-01 02:14:15 UTC
I've done some work with NSS which is an important library for us to support. Evolution uses NSS for its S/MIME support.

Committed some work to the seahorse-x509 branch.

However after a good deal of work I've hit a brick wall. NSS does not support concurrent access to its key store. So that puts an end to that idea for now.

It seems that NSS 3.13 will support concurrent access. However that's not due for at least another year or so:

http://wiki.mozilla.org/NSS:Roadmap
Comment 2 Stef Walter 2006-09-11 14:15:44 UTC
Hmmm, NSS has different methods of initializing it. In particular:

NSS_Init
NSS_InitReadWrite

I wonder if the key manager (seahorse) could use the latter and the key consumers (evolution) could use the former and thus have concurrent access to the NSS db files. 

I'll ask on mozilla.dev.tech.crypto.
Comment 3 Christian Persch 2006-09-11 14:45:47 UTC
Maybe https://bugzilla.mozilla.org/show_bug.cgi?id=178806#c64 and #c68, #c69 are helpful too.
Comment 5 Stef Walter 2007-04-16 18:25:15 UTC
Hopefully, once GnomeKeyring becomes a PKCS#11 provider, we can use that to manage the user's X509 certificates:

http://live.gnome.org/GnomeKeyring/Cryptoki
Comment 6 Adam Schreiber 2008-12-19 01:06:44 UTC
Stef, is this now complete?
Comment 7 Stef Walter 2008-12-19 03:05:26 UTC
Yes and no. There's some support complete. This is an ongoing project to try and complete. gnome-keyring now has a PKCS#11 provider. I'm spending some time this cycle modularizing this for better testing and solid functionality. I'll be posting something about this to the gnome-keyring list shortly.

I've also done some more work on the PKCS#11 support in seahorse. I hope to do more work on it this release.

These are my two top main focuses. All the other refactoring of seahorse was to this end. To try and get seahorse to the point where we can add functionality like this smoothly and easily.

As far as this bug... It represents a vast amount of ongoing work. It may not make sense as a single bug.
Comment 8 André Klapper 2009-03-15 16:47:11 UTC
I don't consider this a GNOME 2.28 target blocker. Setting the module specific target milestone instead.
Comment 9 Stef Walter 2012-03-15 09:51:24 UTC
Seahorse in 3.4 now has the ability to view, delete, and import X509 certificates and keys.