Pretraži podršku

Izbjegni prevare podrške. Nikad te nećemo tražiti da nas nazoveš, da nam pošalješ telefonski broj ili da podijeliš osobne podatke. Prijavi sumnjive radnje pomoću opcije „Prijavi zlouporabu”.

Saznaj više

Unable to delete Certificates added using Firefox policies

more options

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert.

The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine):

TypeError: certdb.getCerts(...).getEnumerator is not a function

This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option.


I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions:

1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json.

2. If not, then do we have a timeline by which we can expect this to be included?

3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert. The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine): TypeError: certdb.getCerts(...).getEnumerator is not a function This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option. I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions: 1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json. 2. If not, then do we have a timeline by which we can expect this to be included? 3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

Izmjenjeno od Pankaj Adhikari

Izabrano rješenje

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

Pročitaj ovaj odgovor u kontekstu 👍 0

Svi odgovori (4)

more options

You can look at some tests about getCerts(); in the Firefox source code that use for (let cert of certdb.getCerts()){...} to iterate.

I don't know whether certificate installed via policies.json are temporary, i.e. only present for the current session and are removed when you close Firefox and not stored in the cert9.db database.

There is only one policies.json file and you need to extent the main policies key if you want to add/combine additional policies: {"policies": {"key1":"value1","key2":"value2","key3":"value3"}}


{
  "policies": {
    "AppUpdateURL": "https://yoursite.com", 
    "BlockAboutProfiles": true | false
  }
}
more options

Thanks for the reply. I tried the mentioned workaround but facing another issue:

Error: TypeError: gCertDB.getCerts(...) is not iterable firefox_cert.cfg:8:26


My code:

const CA_CERT_COMMON_NAME= <some name> const CA_CERT_FINGERPRINT = <cert fingerprint> const CA_CERT_BASE64 = <cert pem> var Cc = Components.classes; var Ci = Components.interfaces; const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); let certadd_needed = true; for (let cert of gCertDB.getCerts()) {

   if (cert[commonName] == CA_CERT_COMMON_NAME) {
       if (cert[sha1Fingerprint] == CA_CERT_FINGERPRINT) {
           certadd_needed = false;
       } else {
           gCertDB.deleteCertificate(cert);
       }   
   }   

} if (certadd_needed) {

   gCertDB.addCertFromBase64(CA_CERT_BASE64, "C,,");

}


Could you point out what I am doing wrong?

more options

See also:

This works in the Browser Console:

let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (let cert of certdb.getCerts()) {console.log(cert.commonName)}

certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (cert of certdb.getCerts()) {console.log(cert["commonName"])}

Izmjenjeno od cor-el

more options

Odabrano rješenje

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.