Bug 585214 - Support PKCS12 certificates
Status: RESOLVED FIXED
Product: seahorse
Classification: Applications
Component: general
Version: 2.26.x
Hardware: Other All
Importance: Normal enhancement
Target Milestone: 2.26.0
Assigned To: Seahorse Maintainer
Seahorse Maintainer
Depends on:
Blocks:
Reported: 2009-06-09 05:00 UTC by Craig Ringer
Modified: 2012-03-15 10:17 UTC
See Also:
GNOME target: ---
GNOME version: Unversioned Enhancement

Description Craig Ringer 2009-06-09 05:00:56 UTC
It'd be extremely useful for Seahorse to support PKCS#12 certificates, perhaps by managing NSS (network security services) cert8.db and key3.db or by providing apps a way to obtain access to the certs to add to their NSS databases.

In particular, this would help Evolution users manage client certificates for IMAP/POP3/SMTP use with SSL/TLS where the server demands a client certificate to proceed with SSL/TLS negotiation.
Comment 1 Craig Ringer 2009-06-09 05:01:37 UTC
Related to bug #573499, bug #270893.
Comment 2 Craig Ringer 2009-06-09 05:39:49 UTC
Much of GNOME also uses gnutls and/or OpenSSL instead of, or in some cases as well as, NSS. So providing helpers and callbacks for those as part of libgnome-keyring would be very handy.

Comment 3 Craig Ringer 2009-06-09 05:47:29 UTC
It turns out, by the way, that gnome-keyring ALREADY supports PKCS#12 certificates, though it appears to provide no key management UI, and the gnome-keyring documentation doesn't mention it or provide examples for it. However:

$ gnome-keyring import craig_at_postnewspapers_dot_com_dot_au.p12

presents UI to (a) set a keyring passphrase, and (b) present the import passphrase of the key. After correct input of the key passphrase, the following is output in my example:

Imported certificate: Craig Ringer
	ID: XXXXXX7CB12B351D69C6436CE6A4C5C9C7XXXXXX
Imported private key: (null)
	ID: XXXXXX7CB12B351D69C6436CE6A4C5C9C7XXXXXX

(parts of the ID masked with Xs manually for public display)

Seahorse would be a very useful place to put the PKCS#12 key management UI, since apps like Evolution (via libsoup?) already use it for IMAP passwords and the like.
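The import above shows what a PKCS#12 container holds once the import passphrase is accepted: a certificate and its private key. The following is an added example, not code from the bug report, gnome-keyring or Seahorse. It builds a throw-away bundle with the openssl CLI (assumed to be on PATH, 1.1 or 3.x) and then performs the steps an importer has to perform: verify the passphrase, extract the certificate and key, derive a stable ID for display (here the SHA-1 fingerprint of the certificate; how gnome-keyring computes the ID in the output above is not documented in the report), and check that the key really belongs to the certificate before storing the pair.

```shell
#!/bin/sh
# Added example (not from the bug report, not gnome-keyring or Seahorse code).
# Builds a constructed PKCS#12 bundle and inspects it the way an importer must:
# unlock with the import passphrase, pull out certificate and key, and confirm
# that the two match.  Assumes the `openssl` CLI is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed client certificate plus its key.
# A real bundle would come from a CA or mail provider; only the layout matters.
make_bundle() {                # $1 = import passphrase; prints the .p12 path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Client" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    # -passout sets the import passphrase the importer prompts for later.
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "Test Client" -passout "pass:$1" -out "$WORK/client.p12" 2>/dev/null
    printf '%s\n' "$WORK/client.p12"
}

# Does this passphrase open the bundle?  openssl checks the integrity MAC and
# fails on a wrong password, which is the check the import dialog relies on.
bundle_unlocks() {             # $1 = .p12 path, $2 = candidate passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Certificate half of the bundle as clean PEM (bag attributes stripped).
bundle_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509
}

# Private-key half as unencrypted PEM; it only ever lives in the temp dir.
bundle_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey
}

bundle_subject() {
    bundle_cert "$1" "$2" | openssl x509 -noout -subject -nameopt RFC2253
}

# A display ID for the imported certificate: SHA-1 fingerprint, 40 hex digits.
bundle_fingerprint() {
    bundle_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

# A bundle can carry a certificate and a key that do not belong together
# (mis-assembled export, tampered file).  Compare the public keys before
# trusting the pair; an importer that skips this stores an unusable identity.
key_matches_cert() {
    cert_pub="$(bundle_cert "$1" "$2" | openssl x509 -noout -pubkey)"
    key_pub="$(bundle_key "$1" "$2" | openssl pkey -pubout)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone demo mirroring the gnome-keyring output in the report.
P12="$(make_bundle import-secret)"
if bundle_unlocks "$P12" wrong-guess; then
    echo "BUG: wrong passphrase accepted"
else
    echo "Wrong import passphrase rejected"
fi
echo "Imported certificate: $(bundle_subject "$P12" import-secret)"
printf '\tID: %s\n' "$(bundle_fingerprint "$P12" import-secret)"
if key_matches_cert "$P12" import-secret; then
    echo "Imported private key: matches certificate"
else
    echo "Imported private key: does NOT match certificate"
fi
```

The unencrypted key is written only under the temp directory that the `trap` removes; a real importer would hand it straight to the keyring (or a PKCS#11 token) rather than to disk.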
Comment 4 Craig Ringer 2009-06-10 03:31:13 UTC
See bug 585300 for a use of the gnome-keyring PKCS#11 provider. 
Comment 5 Craig Ringer 2009-06-10 06:58:25 UTC
NSS is working on a shared keystore with multi-application access to help with this:

https://wiki.mozilla.org/NSS:Roadmap#SQLite-Based_Multiaccess_Certificate_and_Key_Databases

See also Fedora's crypto consolidation efforts:

http://fedoraproject.org/wiki/FedoraCryptoConsolidation
Comment 6 Jean-Michel Pouré 2009-12-31 11:58:31 UTC
I don't know if this is related, but supporting PKCS#12 certificates may allow storing keys in smartcards. IMHO, this seems to me a more interesting feature than NSS. 

It would allow storing the keys of a wallet in a smartcard. There is no real crypto without some hardware.

I wrote this simple howto, which explains howto buy, install and configure a smartcard reader: http://wiki.strongswan.org/wiki/strongswan/SmartCards

Anyway, my knowledge is very little. I will be 100% pleased with seahorse when it supports smartcards. Until then, I don't trust it because passwords/keys may be sniffed by a trojan or any keyboard sniffer around.
Comment 7 Jean-Michel Pouré 2010-01-01 11:40:05 UTC
I am going to add a separate entry for smartcards support, as this is an important feature.
Comment 8 Stef Walter 2012-03-15 10:17:43 UTC
We have support for opening and importing pkcs#12 files now. A few more tweaks necessary to load the correct key stores (such as NSS) by default. But closing this bug.