Hello,
how can I configure Thunderbird to use a specific signing/encryption
certificate - in a programmatic way? (using NSS Tools)
Background: I need to create a software that will install the user's
personal certificate on his local machine and configure Thunderbird to
make use of this certificate, by default. This needs to work on hundreds
of machines. And the users will generally be novices that have no idea
about cryptography. So this all needs to work in an unattended way,
automatically, with *no* user interaction required.
Now, I already figured out how to import the certificates into the
Thunderbird certificate DB from a PKCS#12 file, with the help of
"certutil.exe" and "pk12util.exe" from the NSS Tools suite. That is the
easy part. It works fine.
The troubling part is to actually configure the user's Thunderbird
profile to make use of the specific certificate! I already found that
the signing/encryption certificate is stored in the user's "prefs.js"
file in the profile directory. The entries are called
"mail.identity.id?.encryption_cert_name" and
"mail.identity.id?.signing_cert_name". Adding or altering these entries
is straightforward. But the specific value that I need to set up is the
problem! The format of the value of these entries appears to be:
<prefix>: <certificate_friendly_name>
First of all: Why use the friendly name here? It's not really
unique/unambiguous. Why not use, e.g., the Thumbprint or a combination
of issuer and S/N instead? Anyway, the bigger problem is the Prefix
string! That string is *locale-specific*. It is "Software Security
Device" in the English version of Thunderbird, but "Sécurité personnelle" in
the French version, and "das Software-Sicherheitsmodul" in the German version.
NSS Tools also adds a prefix when I list the certificates with the CLI
program, but with NSS Tools the prefix is "NSS Certificate DB".
And yes, I already tested that each version of Thunderbird needs the
correct *locale-specific* prefix to recognize the certificate. In other
words: "prefs.js" files are *not* portable between different language
versions of Thunderbird. Kind of disappointing.
So my question is:
1. Is there some way to configure the certificate in "prefs.js" that is
/locale-independent/, i.e. does *not* require a locale-specific prefix?
2. If not, how to figure out the required prefix for a given Thunderbird
installation, in a programmatic way? And I mean, _without_ having to
read the locale from the registry and then using a lookup-table that
contains the locale-specific prefix for every TB version that exists.
3. Where does the prefix string come from? I did full-text search on the
Thunderbird source code, but the strings "Sécurité personnelle" or "das
Software-Sicherheitsmodul" do not exist in the Thunderbird source. Nor do
they exist in the NSS Tools source.
I would be very grateful for any help, because this problem has been
blocking me for days!
Best Regards!
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
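
An added example, not part of the original post: a post-deployment check that reads the two "prefs.js" entries named above and reports identities whose signing or encryption certificate is unset or carries a prefix other than the one the installed Thunderbird expects (the mismatch described in the post). It assumes string prefs are written as `user_pref("name", "value");` and that the value splits on the first ": "; the function names and sample profile are constructed for illustration.

```python
import re

# Matches e.g. user_pref("mail.identity.id1.signing_cert_name", "Token: nickname");
PREF_RE = re.compile(
    r'^user_pref\("mail\.identity\.(id\d+)\.'
    r'(signing|encryption)_cert_name",\s*"((?:[^"\\]|\\.)*)"\);\s*$')


def read_cert_prefs(prefs_text):
    """Return {identity: {"signing"|"encryption": (prefix, nickname)}}."""
    result = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        ident, kind, value = m.groups()
        # Assumption: value is "<prefix>: <friendly name>"; split on first ": ".
        prefix, sep, nick = value.partition(": ")
        result.setdefault(ident, {})[kind] = (prefix, nick) if sep else (None, value)
    return result


def audit(prefs_text, expected_prefix, expected_nickname):
    """List (identity, kind, problem) for entries that are missing or differ."""
    findings = []
    prefs = read_cert_prefs(prefs_text)
    for ident in sorted(prefs):
        for kind in ("signing", "encryption"):
            got = prefs[ident].get(kind)
            if got is None:
                findings.append((ident, kind, "not set"))
            elif got[0] != expected_prefix:
                findings.append((ident, kind, "prefix %r" % (got[0],)))
            elif got[1] != expected_nickname:
                findings.append((ident, kind, "nickname %r" % (got[1],)))
    return findings


# Constructed sample: one entry was written with the NSS CLI prefix by mistake.
SAMPLE = '''\
user_pref("mail.identity.id1.signing_cert_name", "Software Security Device: Jane Doe");
user_pref("mail.identity.id1.encryption_cert_name", "NSS Certificate DB: Jane Doe");
user_pref("mail.identity.id2.signing_cert_name", "Software Security Device: Jane Doe");
user_pref("mail.identity.id2.useremail", "jane@example.test");
'''

if __name__ == "__main__":
    print(audit(SAMPLE, "Software Security Device", "Jane Doe"))
```

Identities that have neither entry set do not appear in the result, so an empty list for a profile should be read together with the list of identities expected on that machine.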