Add CAcert root certificate to Firefox OS

While being quite happy with my new Firefox OS phone so far, the biggest stopper for me was that, like all Mozilla products, the root certificate of CAcert was not included and so I could not access sites using certificates assured by CAcert.

Recent versions of Gaia allow to accept untrusted site certificates in the browser but in case you want to use an IMAP server or Caldav server which is using a CAcert assured certificate, you are still stuck.

Based on a post by Carmen Jiménez Cabezas, I wrote a script to read the certificate database from the phone (via adb), add some certificates and then write the database back to the phone. After this procedure, the CAcert root certificate (or any other) are known by the phone and can be used. This enabled me to access my own IMAP server via SSL from the Email app and also use a self-hosted groupware as Caldav server for the Calendar app via HTTPS.

Save the following script somewhere on your system (Download the script):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

#!/bin/bash

CERT_DIR=certs
ROOT_DIR_DB=/data/b2g/mozilla
CERT=cert9.db
KEY=key4.db
PKCS11=pkcs11.txt
DB_DIR=`adb shell "ls -d ${ROOT_DIR_DB}/*.default 2>/dev/null" | sed "s/default.*$/default/g"`

if [ "${DB_DIR}" = "" ]; then
  echo "Profile directory does not exists. Please start the b2g process at
least once before running this script."
  exit 1
fi

function log
{
	GREEN="\E[32m"
	RESET="\033[00;00m"
	echo -e "${GREEN}$1${RESET}"
}

# cleanup
rm -f ./$CERT
rm -f ./$KEY
rm -f ./$PKCS11

# pull files from phone
log "getting ${CERT}"
adb pull ${DB_DIR}/${CERT} .
log "getting ${KEY}"
adb pull ${DB_DIR}/${KEY} .
log "getting ${PKCS11}"
adb pull ${DB_DIR}/${PKCS11} .

# clear password and add certificates
log "set password (hit enter twice to set an empty password)"
certutil -d 'sql:.' -N

log "adding certificats"
for i in ${CERT_DIR}/*
do
  log "Adding certificate $i"
  certutil -d 'sql:.' -A -n "`basename $i`" -t "C,C,TC" -i $i
done

# push files to phone
log "stopping b2g"
adb shell stop b2g

log "copying ${CERT}"
adb push ./${CERT} ${DB_DIR}/${CERT}
log "copying ${KEY}"
adb push ./${KEY} ${DB_DIR}/${KEY}
log "copying ${PKCS11}"
adb push ./${PKCS11} ${DB_DIR}/${PKCS11}

log "starting b2g"
adb shell start b2g

log "Finished."

Once done, add a new directory in the directory where you stored the script and place the certificates which you want to add to the phone’s database in the sub directory “certs”. For CAcert, this would be the class 3 root certificate in PEM format as found on the CAcert website.

Then simply run the script.

Note: before running the script you need to enable ‘Remote debugging’ in the Developer settings menu and connect your phone with your PC using a USB cable (or more general: get adb working).

Update: mcnesium created a GIT repository to further maintain this script at https://github.com/mcnesium/b2g-certificates. Please get the latest version from there.

Tags: firefox-os, adb, certificate, ssl Aug 19, 2014