mkcert/truststore_nss.go

// Copyright 2018 The mkcert Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

import (
	"bytes"
	"log"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"strings"
)

var (
	hasNSS       bool
	hasCertutil  bool
	certutilPath string
	nssDBs       = []string{
		filepath.Join(os.Getenv("HOME"), ".pki/nssdb"),
		filepath.Join(os.Getenv("HOME"), "snap/chromium/current/.pki/nssdb"), // Snapcraft
		"/etc/pki/nssdb", // CentOS 7
	}
	firefoxPaths = []string{
		"/usr/bin/firefox",
		"/usr/bin/firefox-nightly",
		"/usr/bin/firefox-developer-edition",
		"/snap/firefox",
		"/Applications/Firefox.app",
		"/Applications/FirefoxDeveloperEdition.app",
		"/Applications/Firefox Developer Edition.app",
		"/Applications/Firefox Nightly.app",
		"C:\\Program Files\\Mozilla Firefox",
	}
)

func init() {
	allPaths := append(append([]string{}, nssDBs...), firefoxPaths...)
	for _, path := range allPaths {
		if pathExists(path) {
			hasNSS = true
			break
		}
	}

	switch runtime.GOOS {
	case "darwin":
		switch {
		case binaryExists("certutil"):
			certutilPath, _ = exec.LookPath("certutil")
			hasCertutil = true
		case binaryExists("/usr/local/opt/nss/bin/certutil"):
			// Check the default Homebrew path, to save executing Ruby. #135
			certutilPath = "/usr/local/opt/nss/bin/certutil"
			hasCertutil = true
		default:
			out, err := exec.Command("brew", "--prefix", "nss").Output()
			if err == nil {
				certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")
				hasCertutil = pathExists(certutilPath)
			}
		}

	case "linux":
		if hasCertutil = binaryExists("certutil"); hasCertutil {
			certutilPath, _ = exec.LookPath("certutil")
		}
	}
}

func (m *mkcert) checkNSS() bool {
	if !hasCertutil {
		return false
	}
	success := true
	if m.forEachNSSProfile(func(profile string) {
		err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()
		if err != nil {
			success = false
		}
	}) == 0 {
		success = false
	}
	return success
}

func (m *mkcert) installNSS() bool {
	if m.forEachNSSProfile(func(profile string) {
		cmd := exec.Command(certutilPath, "-A", "-d", profile, "-t", "C,,", "-n", m.caUniqueName(), "-i", filepath.Join(m.CAROOT, rootName))
		out, err := execCertutil(cmd)
		fatalIfCmdErr(err, "certutil -A -d "+profile, out)
	}) == 0 {
		log.Printf("ERROR: no %s security databases found", NSSBrowsers)
		return false
	}
	if !m.checkNSS() {
		log.Printf("Installing in %s failed. Please report the issue with details about your environment at https://github.com/FiloSottile/mkcert/issues/new 👎", NSSBrowsers)
		log.Printf("Note that if you never started %s, you need to do that at least once.", NSSBrowsers)
		return false
	}
	return true
}

func (m *mkcert) uninstallNSS() {
	m.forEachNSSProfile(func(profile string) {
		err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()
		if err != nil {
			return
		}
		cmd := exec.Command(certutilPath, "-D", "-d", profile, "-n", m.caUniqueName())
		out, err := execCertutil(cmd)
		fatalIfCmdErr(err, "certutil -D -d "+profile, out)
	})
}

// execCertutil will execute a "certutil" command and if needed re-execute
// the command with commandWithSudo to work around file permissions.
func execCertutil(cmd *exec.Cmd) ([]byte, error) {
	out, err := cmd.CombinedOutput()
	if err != nil && bytes.Contains(out, []byte("SEC_ERROR_READ_ONLY")) && runtime.GOOS != "windows" {
		origArgs := cmd.Args[1:]
		cmd = commandWithSudo(cmd.Path)
		cmd.Args = append(cmd.Args, origArgs...)
		out, err = cmd.CombinedOutput()
	}
	return out, err
}

func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {
	var profiles []string
	profiles = append(profiles, nssDBs...)
	for _, ff := range FirefoxProfiles {
		pp, _ := filepath.Glob(ff)
		profiles = append(profiles, pp...)
	}
	for _, profile := range profiles {
		if stat, err := os.Stat(profile); err != nil || !stat.IsDir() {
			continue
		}
		if pathExists(filepath.Join(profile, "cert9.db")) {
			f("sql:" + profile)
			found++
		} else if pathExists(filepath.Join(profile, "cert8.db")) {
			f("dbm:" + profile)
			found++
		}
	}
	return
}
Fix and add missing license headers 2019-06-01 21:58:20 +08:00			`// Copyright 2018 The mkcert Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`package main`

			`import (`
truststore_nss: retry certtool with sudo when it fails due to permissions Based on @rfay's investigation and fix. Fixes #192 Closes #193 2019-11-10 06:30:15 +08:00			`"bytes"`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`"log"`
			`"os"`
			`"os/exec"`
			`"path/filepath"`
Add debugging output for #12 2018-07-04 08:48:31 +08:00			`"runtime"`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`"strings"`
			`)`

			`var (`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`hasNSS bool`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`hasCertutil bool`
			`certutilPath string`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 23:01:09 +08:00			`nssDBs = []string{`
			`filepath.Join(os.Getenv("HOME"), ".pki/nssdb"),`
			`filepath.Join(os.Getenv("HOME"), "snap/chromium/current/.pki/nssdb"), // Snapcraft`
			`"/etc/pki/nssdb", // CentOS 7`
			`}`
			`firefoxPaths = []string{`
truststore_nss: add firefox nightly and developer edition binary paths (#225) on my system I have only Firefox Nightly installed, so `/usr/bin/firefox` doesn't exist and so `hasNSS` was false and CA wasn't installed. on my arch based system, the binary was at `/usr/bin/firefox-nightly` https://aur.archlinux.org/packages/firefox-nightly/ it could also be at `/usr/bin/firefox-developer-edition` see "package contents" https://www.archlinux.org/packages/community/x86_64/firefox-developer-edition/ 2019-11-30 06:36:50 +08:00			`"/usr/bin/firefox",`
			`"/usr/bin/firefox-nightly",`
			`"/usr/bin/firefox-developer-edition",`
Add support for Firefox in a Snap for Ubuntu 22.04 Closes #327 Fixes #325 2022-04-26 01:55:19 +08:00			`"/snap/firefox",`
truststore_nss: add firefox nightly and developer edition binary paths (#225) on my system I have only Firefox Nightly installed, so `/usr/bin/firefox` doesn't exist and so `hasNSS` was false and CA wasn't installed. on my arch based system, the binary was at `/usr/bin/firefox-nightly` https://aur.archlinux.org/packages/firefox-nightly/ it could also be at `/usr/bin/firefox-developer-edition` see "package contents" https://www.archlinux.org/packages/community/x86_64/firefox-developer-edition/ 2019-11-30 06:36:50 +08:00			`"/Applications/Firefox.app",`
Support latest FirefoxDeveloperEdition.app without spaces (#280) Latest version of Firefox Developer Edition on macOS seem to use upper camel case naming for the app. This ensures that the CA will be added to the Firefox trust store if using recent versions of FF Dev Edition. 2020-10-26 07:24:53 +08:00			`"/Applications/FirefoxDeveloperEdition.app",`
Add support for Firefox Developer Edition This also fixes a bug where we wouldn't install to Chrome on Linux if Firefox wasn't also present. Closes #48 Updates #51 2018-08-13 09:11:34 +08:00			`"/Applications/Firefox Developer Edition.app",`
Add "Firefox Nightly.app" support on macOS (#102) 2019-01-09 01:22:13 +08:00			`"/Applications/Firefox Nightly.app",`
Offer a less confusing warning about Firefox on Windows 2018-08-13 09:44:02 +08:00			`"C:\\Program Files\\Mozilla Firefox",`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 23:01:09 +08:00			`}`
			`)`

			`func init() {`
			`allPaths := append(append([]string{}, nssDBs...), firefoxPaths...)`
			`for _, path := range allPaths {`
			`if pathExists(path) {`
			`hasNSS = true`
			`break`
			`}`
Add support for Firefox Developer Edition This also fixes a bug where we wouldn't install to Chrome on Linux if Firefox wasn't also present. Closes #48 Updates #51 2018-08-13 09:11:34 +08:00			`}`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`switch runtime.GOOS {`
			`case "darwin":`
truststore_darwin: check the default Homebrew path for certutil "mkcert localhost" went from 2.125s to 0.552s, a 4x speedup. Fixes #135 2019-08-17 06:13:31 +08:00			`switch {`
			`case binaryExists("certutil"):`
Cleanup path logics with pathExists and binaryExists 2019-06-01 21:55:58 +08:00			`certutilPath, _ = exec.LookPath("certutil")`
truststore_darwin: check the default Homebrew path for certutil "mkcert localhost" went from 2.125s to 0.552s, a 4x speedup. Fixes #135 2019-08-17 06:13:31 +08:00			`hasCertutil = true`
			`case binaryExists("/usr/local/opt/nss/bin/certutil"):`
			`// Check the default Homebrew path, to save executing Ruby. #135`
			`certutilPath = "/usr/local/opt/nss/bin/certutil"`
			`hasCertutil = true`
			`default:`
Cleanup path logics with pathExists and binaryExists 2019-06-01 21:55:58 +08:00			`out, err := exec.Command("brew", "--prefix", "nss").Output()`
			`if err == nil {`
			`certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")`
			`hasCertutil = pathExists(certutilPath)`
nss: use certutil from $PATH if found on macOS (#71) Fixes #70 Thanks to @hostep for testing and fixing the patch. 2018-08-26 05:52:43 +08:00			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`}`

			`case "linux":`
Cleanup path logics with pathExists and binaryExists 2019-06-01 21:55:58 +08:00			`if hasCertutil = binaryExists("certutil"); hasCertutil {`
			`certutilPath, _ = exec.LookPath("certutil")`
			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`}`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`func (m *mkcert) checkNSS() bool {`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`if !hasCertutil {`
			`return false`
			`}`
			`success := true`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`if m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()`
			`if err != nil {`
			`success = false`
			`}`
			`}) == 0 {`
			`success = false`
			`}`
			`return success`
			`}`

Avoid printing a success message on error Updates #51 2018-08-13 08:32:34 +08:00			`func (m *mkcert) installNSS() bool {`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`if m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`cmd := exec.Command(certutilPath, "-A", "-d", profile, "-t", "C,,", "-n", m.caUniqueName(), "-i", filepath.Join(m.CAROOT, rootName))`
truststore_nss: retry certtool with sudo when it fails due to permissions Based on @rfay's investigation and fix. Fixes #192 Closes #193 2019-11-10 06:30:15 +08:00			`out, err := execCertutil(cmd)`
			`fatalIfCmdErr(err, "certutil -A -d "+profile, out)`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}) == 0 {`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`log.Printf("ERROR: no %s security databases found", NSSBrowsers)`
Avoid printing a success message on error Updates #51 2018-08-13 08:32:34 +08:00			`return false`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`if !m.checkNSS() {`
			`log.Printf("Installing in %s failed. Please report the issue with details about your environment at https://github.com/FiloSottile/mkcert/issues/new 👎", NSSBrowsers)`
			`log.Printf("Note that if you never started %s, you need to do that at least once.", NSSBrowsers)`
Avoid printing a success message on error Updates #51 2018-08-13 08:32:34 +08:00			`return false`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}`
Avoid printing a success message on error Updates #51 2018-08-13 08:32:34 +08:00			`return true`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`func (m *mkcert) uninstallNSS() {`
			`m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()`
			`if err != nil {`
			`return`
			`}`
			`cmd := exec.Command(certutilPath, "-D", "-d", profile, "-n", m.caUniqueName())`
truststore_nss: retry certtool with sudo when it fails due to permissions Based on @rfay's investigation and fix. Fixes #192 Closes #193 2019-11-10 06:30:15 +08:00			`out, err := execCertutil(cmd)`
			`fatalIfCmdErr(err, "certutil -D -d "+profile, out)`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`})`
			`}`

truststore_nss: retry certtool with sudo when it fails due to permissions Based on @rfay's investigation and fix. Fixes #192 Closes #193 2019-11-10 06:30:15 +08:00			`// execCertutil will execute a "certutil" command and if needed re-execute`
			`// the command with commandWithSudo to work around file permissions.`
			`func execCertutil(cmd *exec.Cmd) ([]byte, error) {`
			`out, err := cmd.CombinedOutput()`
			`if err != nil && bytes.Contains(out, []byte("SEC_ERROR_READ_ONLY")) && runtime.GOOS != "windows" {`
			`origArgs := cmd.Args[1:]`
			`cmd = commandWithSudo(cmd.Path)`
			`cmd.Args = append(cmd.Args, origArgs...)`
			`out, err = cmd.CombinedOutput()`
			`}`
			`return out, err`
			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 10:26:37 +08:00			`func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {`
Add support for Firefox in a Snap for Ubuntu 22.04 Closes #327 Fixes #325 2022-04-26 01:55:19 +08:00			`var profiles []string`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 23:01:09 +08:00			`profiles = append(profiles, nssDBs...)`
Add support for Firefox in a Snap for Ubuntu 22.04 Closes #327 Fixes #325 2022-04-26 01:55:19 +08:00			`for _, ff := range FirefoxProfiles {`
			`pp, _ := filepath.Glob(ff)`
			`profiles = append(profiles, pp...)`
			`}`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`for _, profile := range profiles {`
truststore: check if profile is a directory before joining cert*.db (#33) 2018-07-05 00:59:33 +08:00			`if stat, err := os.Stat(profile); err != nil \|\| !stat.IsDir() {`
			`continue`
			`}`
Cleanup path logics with pathExists and binaryExists 2019-06-01 21:55:58 +08:00			`if pathExists(filepath.Join(profile, "cert9.db")) {`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`f("sql:" + profile)`
			`found++`
Cleanup path logics with pathExists and binaryExists 2019-06-01 21:55:58 +08:00			`} else if pathExists(filepath.Join(profile, "cert8.db")) {`
firefox: prefer cert9.db and skip cert8.db when found (#13) Fixes #12 (again) 2018-07-13 01:47:05 +08:00			`f("dbm:" + profile)`
			`found++`
Add Firefox support Fixes #6 2018-06-28 13:29:20 +08:00			`}`
			`}`
			`return`
			`}`