Etsi tuesta

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Lue lisää

Unable to delete Certificates added using Firefox policies

  • 4 vastausta
  • 2 henkilöllä on sama ongelma
  • 1 näyttö
  • Viimeisin kirjoittaja Pankaj Adhikari

more options

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert.

The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine):

TypeError: certdb.getCerts(...).getEnumerator is not a function

This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option.


I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions:

1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json.

2. If not, then do we have a timeline by which we can expect this to be included?

3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert. The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine): TypeError: certdb.getCerts(...).getEnumerator is not a function This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option. I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions: 1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json. 2. If not, then do we have a timeline by which we can expect this to be included? 3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

Muokattu , muokkaaja Pankaj Adhikari

Valittu ratkaisu

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

Lue tämä vastaus kontekstissaan 👍 0

Kaikki vastaukset (4)

more options

You can look at some tests about getCerts(); in the Firefox source code that use for (let cert of certdb.getCerts()){...} to iterate.

I don't know whether certificate installed via policies.json are temporary, i.e. only present for the current session and are removed when you close Firefox and not stored in the cert9.db database.

There is only one policies.json file and you need to extent the main policies key if you want to add/combine additional policies: {"policies": {"key1":"value1","key2":"value2","key3":"value3"}}


{
  "policies": {
    "AppUpdateURL": "https://yoursite.com", 
    "BlockAboutProfiles": true | false
  }
}
more options

Thanks for the reply. I tried the mentioned workaround but facing another issue:

Error: TypeError: gCertDB.getCerts(...) is not iterable firefox_cert.cfg:8:26


My code:

const CA_CERT_COMMON_NAME= <some name> const CA_CERT_FINGERPRINT = <cert fingerprint> const CA_CERT_BASE64 = <cert pem> var Cc = Components.classes; var Ci = Components.interfaces; const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); let certadd_needed = true; for (let cert of gCertDB.getCerts()) {

   if (cert[commonName] == CA_CERT_COMMON_NAME) {
       if (cert[sha1Fingerprint] == CA_CERT_FINGERPRINT) {
           certadd_needed = false;
       } else {
           gCertDB.deleteCertificate(cert);
       }   
   }   

} if (certadd_needed) {

   gCertDB.addCertFromBase64(CA_CERT_BASE64, "C,,");

}


Could you point out what I am doing wrong?

more options

See also:

This works in the Browser Console:

let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (let cert of certdb.getCerts()) {console.log(cert.commonName)}

certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (cert of certdb.getCerts()) {console.log(cert["commonName"])}

Muokattu , muokkaaja cor-el

more options

Valittu ratkaisu

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.