Python and the Network Security Services Command-Line Utility GUI

    Network Security Services (NSS) is a set of libraries used in cross-platform development of secure client and server applications. Applications built with NSS can use TLS v1.0 through TLS v1.3, PKCS #5, PKCS #7, CMS, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, OCSP and other security standards. In terms of cryptographic and PKI functionality, NSS can be compared only with OpenSSL. At the same time, the NSS package has one indisputable advantage over OpenSSL: it has a repository that stores root certificates, third-party user certificates, and information about connected hardware accelerators, tokens and smart cards with a PKCS #11 interface.

    NSS currently supports PKCS #11 v2.40.

    AOL, Red Hat, Sun Microsystems / Oracle Corporation, Google and other companies and individual contributors contributed to the development of NSS. Mozilla provided storage for the source code.

    The NSS package is widely used, notably in Mozilla products: the Firefox browser (including on the Android platform), the Thunderbird email client, and the integrated Seamonkey suite.

    The NSS package, like OpenSSL, provides command-line utilities for various PKI functions (key generation, issuing X.509 v3 certificates, working with electronic signatures, TLS support, etc.). Unlike OpenSSL, where PKI functions are implemented by the single openssl utility, the NSS package provides a whole set of utilities. For working with certificates there is certutil; for working with PKCS #12 protected containers, pk12util; for working with electronic signatures, p7sign, p7verify, p7content, and so on. On operating systems of the Linux family, the NSS package is among the required packages, and all these utilities are preinstalled.

    As already mentioned, NSS has built-in storage, which includes three databases:

    bash-4.3$ ls -l *.db 
    cert8.db 
    key3.db 
    secmod.db 
    bash-4.3$

    The first database, cert8.db, stores root certificates and, as a rule, third-party user certificates, which are used, for example, to encrypt email or files for the recipient's certificate. The key3.db database contains private keys. Finally, the secmod.db database stores information about connected tokens and smart cards with a PKCS #11 interface. This database is managed by the modutil utility, which lets you add or remove a PKCS #11 module. Connecting a module consists of specifying the path to the module's PKCS #11 library and giving it a nickname. The path to the directory where the repository is located is a mandatory parameter of every NSS utility. In some utilities it is specified as "-d <NSS repository directory>", in others as "-dbdir <NSS repository directory>". The repository is created by the modutil utility:

    # modutil -create -dbdir <NSS repository directory>

    Note that such repositories exist in all projects built on NSS, including Firefox, Thunderbird and Seamonkey.
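
    The database-directory convention and module registration described above, as an added Python example (not code from the nss_my project): it builds argument lists for the NSS utilities with the correct -d or -dbdir flag and checks a repository for the three database files. The helper names are hypothetical, and the modutil -add and -libfile options come from the NSS modutil tool rather than from this article.

```python
import os
import subprocess

# Flag each utility uses for the NSS database directory (modutil differs).
DB_FLAG = {"certutil": "-d", "pk12util": "-d", "p7sign": "-d",
           "p7verify": "-d", "p7content": "-d", "modutil": "-dbdir"}
# Database files the article lists for an NSS repository.
STORE_FILES = ("cert8.db", "key3.db", "secmod.db")


def missing_store_files(dbdir):
    """Return the repository files absent from dbdir (empty list = complete)."""
    return [f for f in STORE_FILES
            if not os.path.isfile(os.path.join(dbdir, f))]


def build_command(tool, dbdir, *args):
    """Build an argv list for an NSS utility; never a shell string."""
    if tool not in DB_FLAG:
        raise ValueError("unsupported NSS utility: %r" % tool)
    if not os.path.isdir(dbdir):
        raise ValueError("NSS repository directory not found: %r" % dbdir)
    return [tool, DB_FLAG[tool], os.path.abspath(dbdir)] + list(args)


def add_module_command(dbdir, nickname, libfile):
    """argv for registering a PKCS#11 module: nickname plus library path."""
    # A value typed into a GUI entry field must not be parsed as an option.
    if not nickname or nickname.startswith("-"):
        raise ValueError("invalid module nickname: %r" % nickname)
    if not os.path.isfile(libfile):
        raise ValueError("PKCS#11 library not found: %r" % libfile)
    return build_command("modutil", dbdir, "-add", nickname,
                         "-libfile", os.path.abspath(libfile))


def run(argv, timeout=30):
    """Run the utility without a shell; return (exit code, stdout, stderr)."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE,
                          universal_newlines=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr
```

    Passing the list returned by build_command to run keeps nicknames and file paths taken from entry widgets as single arguments, so spaces or shell metacharacters in them are not interpreted.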

    An earlier article expressed the desire to write graphical shells for the OpenSSL and NSS command-line utilities. Now it is NSS's turn. First question: in which environment to develop? Previous articles covered developing a graphical user interface in Tcl/Tk using various designers. For the NSS package, it was decided to develop the graphical user interface in the Python scripting language. To keep continuity with Tk, the Tkinter package was chosen as the graphics package.

    Next, tools for designing the graphical interface had to be chosen. The first to be reviewed was the Rapid-TK package.


    On the whole, the package left a good impression and lives up to its name: Rapid is fast. Nevertheless, we note two drawbacks. The first is that only widget icons are placed on the design canvas, not the widgets themselves (see the figure), so to see the real picture you have to run the project very often. The second is the placement of widgets in the window. Rapid-TK uses the pack geometry manager (placement by direction), which makes it very difficult to align widgets in the window, unlike the grid manager (placement on a grid, as in the game Battleship) and the place manager (placement by coordinates). Using frames, however, does allow you to achieve the desired effect.


    However, once design work started, it became clear that the number of widgets and windows in the project was growing and that a Notebook (tabbed) widget would be the best fit.


    And here I had an unpleasant surprise: the Rapid-TK designer does not support working with Notebook, although the widget itself is available. Then the Page designer was found, an automatic GUI generator for Python. A completely unexpected and pleasant surprise was that Page is based on Visual Tcl. This was the most powerful argument.


    If you look closely, the windows of the Page designer are like twins of the Visual Tcl windows. Nevertheless, there was a catch: the Python script created by the generator would not run because of the use of the “great, powerful, truthful and free Russian language!” (I. S. Turgenev). This was resolved simply: it was enough to add the following code to the gui_pyton_gen.tcl file after line 418:

    # -*- coding: utf-8 -*- 	,

    Now, if you look at the generated Python code, this directive will be the second line in it:

    #! /usr/bin/env python
    # -*- coding: utf-8 -*- 
    #
    # GUI module generated by PAGE version 4.9
    # In conjunction with Tcl version 8.6
    #    Aug 14, 2017 11:39:19 AM
    import sys
    try:
        from Tkinter import *
    except ImportError:
        from tkinter import *
    . . .

    What else? The Page designer does not assume that the project will have multiple windows (the same is true of Rapid-TK above). In our case, multiple windows are, on the one hand, replaced by a Notebook. On the other hand, and this mainly concerns entering a PIN code or password, we used a Labelframe widget that stays hidden (self1.LabelPSW6.place_forget()) and is shown when a PIN code or password has to be entered:

    self1.LabelPSW6.place(relx=0.05, rely=0.59, relheight=0.3, relwidth=0.88)

    Nevertheless, an additional window was still required, for example, to view the contents of a certificate from the database or of an electronic signature.


    In this case, the task is solved simply. A new project is created in the Page designer and the resulting code is merged by hand into the main project. To see all the intricacies of developing a graphical user interface for command-line utilities in Python with Tkinter, just install the Page designer, load the nss_my project and study it carefully. As an illustration of the project's capabilities, the screenshot shows extracting the original file from a file with an attached signature (the p7content utility).


    Finally, we want the output to be a binary rather than a Python script. For this we used the Nuitka project, which converts a Python script to C code and then compiles it. The effect exceeded all expectations. Install the Nuitka package, put the two Python scripts generated by the Page designer, nss_my.py and nss_my_support.py, in the bin folder and run the command:

    # nuitka --recurse-all nss_my.py

    As a result, you get the binary module nss_my.exe. Do not let the extension bother you; feel free to launch it. It is convenient to use a cloud token as the PKCS #11 plug-in, at least during the testing phase.
