mozilla / crlite

WebPKI-level Certificate Revocation via Multi-Level Bloom Filter Cascade
http://www.cs.umd.edu/~dml/papers/crlite_oakland17.pdf
Mozilla Public License 2.0

How is `services/settings/dumps/security-state/intermediates.json` built? #257

Closed kvtb closed 2 years ago

kvtb commented 2 years ago

I would like to make a custom Firefox binary having some (private) CAs compiled in.

I discovered that certificates in the Firefox sources are not in one of the ubiquitous formats, but in a custom JSON. So I wonder how this file https://github.com/mozilla/gecko-dev/commits/master/services/settings/dumps/security-state/intermediates.json is built.

crlite looks like the best candidate for that. At least its sources have all the field names of that JSON, and there is no other open-source project that has them all.

Could you explain how to build intermediates.json out of plain certificates in PEM or DER form?

jschanck commented 2 years ago

The intermediates.json file won't help you. It's just a list of intermediate CAs that chain up to roots that are trusted by Firefox by default. Your best option is to configure a private CA using an enterprise policy: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox.

kvtb commented 2 years ago

I need exactly trusted intermediate CAs. In my case, web servers do not provide the full chain to the trusted root.

Also, it is much simpler and more reliable to have a custom build than to set up policies.

kvtb commented 2 years ago

Anyway, the question is not about how to solve "my problems". The question is about how those .json files are built.

Is it legit to ask the maintainers of the open source project where that data is taken from and how it is converted to JSON? Otherwise it looks like a suspicious blob.

jschanck commented 2 years ago

I genuinely believe that an enterprise policy is the right option for you. But to satisfy your general curiosity, here's the long answer:

TLS servers are supposed to provide clients with the intermediate certificates necessary to verify their endpoint certificates, but some servers are misconfigured and fail to do this. Firefox works around misconfigured servers by downloading a list of useful intermediate certs (those that chain up to Mozilla's root store) from RemoteSettings. The intermediates.json file is a snapshot of this list for Firefox to use on start-up before it has a chance to connect to RemoteSettings. The list itself comes from CCADB, and is available here in csv format. CRLite runs frequently and needs the same list of intermediates, so we take responsibility for keeping the list up to date. The formatting as a json file is done on the RemoteSettings server.

It's not a good fit for your use case because it will be overwritten once the user connects to RemoteSettings.

kvtb commented 2 years ago

Thank you for pointing to RemoteSettings. It is definitively a security hole (moreover: controlled from NATO territory) and I prefer to compile Firefox without it.