
Python and GUI for Network Security Services command line utilities

The Network Security Services (NSS) package is a set of libraries for the cross-platform development of secure client and server applications. Applications built on NSS can use TLS from v1.0 to TLS v1.3, PKCS #5, PKCS #7, CMS, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, OCSP and other security standards. In its cryptographic and PKI functionality NSS can only be compared with OpenSSL. But the NSS package has one indisputable advantage over OpenSSL: it has a store that holds root certificates, third-party certificates, and information about connected hardware accelerators, tokens and smart cards with a PKCS #11 interface.

Currently the NSS package supports the PKCS # 11 v.2.40 standard.

AOL, Red Hat, Sun Microsystems/Oracle, Google, other companies and individual contributors took part in the development of NSS. Mozilla hosts the source code repository.

The NSS package is widely used, in particular in Mozilla products: the Firefox browser (including on Android), the Thunderbird email client and the integrated SeaMonkey suite.
Like OpenSSL, the NSS package provides command-line utilities for the various PKI functions (key generation, issuing X.509 v3 certificates, working with electronic signatures, TLS support, etc.). Unlike OpenSSL, where the PKI functions are implemented by the single openssl utility, the NSS package provides a whole set of utilities: certutil works with certificates, pk12util with secure PKCS #12 containers, and p7sign, p7verify, p7content, etc. with electronic signatures. On Linux the NSS package is part of the standard distribution, and all these utilities come preinstalled.

As already mentioned, NSS has built-in storage, which includes three databases:

 bash-4.3$ ls -l *.db
 cert8.db key3.db secmod.db
 bash-4.3$

The first database, cert8.db, stores root certificates and, as a rule, third-party certificates, which are used, for example, to encrypt email or files for the recipient's certificate. key3.db stores private keys. Finally, secmod.db stores information about pluggable tokens/smart cards with a PKCS #11 interface. This database is managed by the modutil utility, which adds or removes PKCS #11 modules; adding a module means specifying the path to the PKCS #11 library and a nickname for it. The path to the directory holding the store is a mandatory parameter of every NSS utility: some utilities take it as “-d <NSS storage directory>”, others as “-dbdir <NSS storage directory>”. The store itself is created with modutil:

 #modutil -create -dbdir <NSS storage directory>

Note that such storage is in all projects built on NSS, including Firefox, Thunderbird, Seamonkey.
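As an added illustration of how a Python front end of this kind drives the NSS utilities (this is not code from the article's nss_my project): it builds the command line with the right storage flag, parses the certutil listing, and hands the database password to certutil through its -f password-file option instead of the command line. certutil, modutil, -d, -dbdir, -L, -K and -f are real options; the function names and the sample listing are constructed.

```python
# Added example, not code from the article's nss_my project: a thin wrapper of
# the kind a Tkinter front end would use to call the NSS utilities. Assumes
# certutil/modutil are on PATH and certutil -L prints its usual two-line header.
import os
import subprocess
import tempfile

def nss_cmd(tool, dbdir, *args):
    """argv for an NSS utility: modutil takes -dbdir, certutil/pk12util -d."""
    flag = "-dbdir" if tool == "modutil" else "-d"
    return [tool, flag, dbdir] + list(args)

def parse_cert_list(text):
    """Turn `certutil -L` output into {nickname: trust_flags}."""
    certs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if (not stripped or stripped.startswith("Certificate Nickname")
                or stripped.startswith("SSL,S/MIME")):
            continue  # blank line or header
        # nicknames may contain spaces, so split off only the last column
        nickname, trust = stripped.rsplit(None, 1)
        certs[nickname] = trust
    return certs

def certutil_with_password(dbdir, password, *args):
    """Run a certutil action that needs the key3.db password (e.g. -K to list
    keys) without putting the password on the command line, where `ps` shows
    it: pass it via certutil's -f <password-file>, a 0600 temp file from
    mkstemp that is removed afterwards."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
        argv = nss_cmd("certutil", dbdir, *args) + ["-f", path]
        return subprocess.run(argv, capture_output=True, text=True).returncode
    finally:
        os.unlink(path)

# Constructed sample of `certutil -L` output, so the parser runs offline.
SAMPLE_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Test CA                                                      CT,C,C
user@example.com                                             u,u,u
"""
```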

A previous article expressed the wish to write graphical shells for the command-line utilities of OpenSSL and NSS, and now it is NSS's turn. The first question: in which environment to develop? Previous articles considered building a graphical user interface in the Tcl/Tk environment with various GUI constructors. For the NSS package it was decided to develop the GUI in the Python scripting language, and, to keep continuity with Tk, the Tkinter package was chosen as the graphics toolkit.

Next, tools for designing the graphical interface had to be chosen. The first one considered was the Rapid-TK package:


Overall the package left a good impression and justifies its name (Rapid: fast). Still, two shortcomings should be noted. The first is that only widget icons, not the widgets themselves, are placed on the canvas (see the figure), so to see the real picture you have to run the project very often. The second concerns the placement of widgets in a window. Rapid-TK uses the pack geometry manager (placement by sides), which makes aligning widgets in a window much harder than with the grid manager (cells, as in a game of battleship) or place (coordinates). Using frames does, however, let you achieve the desired effect:


However, once design began it became clear that the number of widgets and windows in the project was growing, and a Notebook widget (tabbed pages) would be the optimal approach:


And here an unpleasant surprise awaited: the Rapid-TK designer does not support working with Notebook, although the widget itself is available. Then the Page constructor was found, an automatic GUI generator for Python. A completely unexpected and pleasant surprise was that the Page constructor is based on Visual Tcl. This was the strongest argument:


On closer inspection, the Page constructor windows are twins of the Visual Tcl constructor windows. Still, it was not without a catch: the Python script created by the generator refused to run because of the use of the “great, mighty, truthful and free Russian language!” (I. S. Turgenev), i.e. non-ASCII text in the interface. But it was resolved simply; it turned out to be enough to add the following line to the file gui_pyton_gen.tcl after line 418:

 # -*- coding: utf-8 -*-

Now, if you look at the generated Python code, this directive will be the second line in it:

 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
 # GUI module generated by PAGE version 4.9
 # In conjunction with Tcl version 8.6
 #   Aug 14, 2017 11:39:19 AM
 import sys
 try:
     from Tkinter import *
 except ImportError:
     from tkinter import *
 . . .

What else? The Page constructor does not assume a multi-window project (see Rapid above). In our case multiple windows are, on the one hand, replaced by the Notebook. On the other hand, above all for entering a PIN code or password, we used a Labelframe widget, which is kept hidden ( self1.LabelPSW6.place_forget() ):


and is shown when a PIN or password needs to be entered:

 self1.LabelPSW6.place(relx=0.05, rely=0.59, relheight=0.3, relwidth=0.88) 

An additional window was still required, for example to view the contents of a certificate from the database or of an electronic signature:


In this case the problem is solved simply: a new project is created in the Page constructor and the resulting code is grafted into the main project. To see all the intricacies of developing a graphical user interface for command-line utilities in Python with Tkinter, install the Page constructor, load the nss_my project and study it carefully. As an illustration of this project's features, here is a screenshot of extracting the original file from a file with an attached signature (the p7content utility):


Finally, we want the output to be not a Python script but binary code. For this we used the Nuitka project, which converts a Python script to C code and then compiles it. The effect exceeded all expectations. Install the Nuitka package, put the two Python scripts nss_my.py and nss_my_support.py generated by the Page constructor into the bin folder, and run:

 #nuitka --recurse-all nss_my.py

As a result you get the binary module nss_my.exe. Don't let the extension confuse you; feel free to run it. The binary can also be downloaded here. As the pluggable PKCS #11 module, at least during the testing phase, it is convenient to use a cloud token.

Source: https://habr.com/ru/post/335712/
