Question

Unable to delete Certificates added using Firefox policies

4 个回答
2 人有此问题
1 次查看
最后回复者为 Pankaj Adhikari

4 年前

2019/12/17 15:41

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert.

The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine):

TypeError: certdb.getCerts(...).getEnumerator is not a function

This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option.

I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions:

1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json.

2. If not, then do we have a timeline by which we can expect this to be included?

3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert. The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine): TypeError: certdb.getCerts(...).getEnumerator is not a function This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option. I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions: 1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json. 2. If not, then do we have a timeline by which we can expect this to be included? 3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

由Pankaj Adhikari于2019年12月23日 -0800 11:03:20修改

被采纳的解决方案

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

👍 0

Answer 1 · 2019-12-17 15:41:18

cor-el

Moderator
Top 10 Contributor

2019/12/19 10:44

You can look at some tests about getCerts(); in the Firefox source code that use for (let cert of certdb.getCerts()){...} to iterate.

I don't know whether certificate installed via policies.json are temporary, i.e. only present for the current session and are removed when you close Firefox and not stored in the cert9.db database.

There is only one policies.json file and you need to extent the main policies key if you want to add/combine additional policies: {"policies": {"key1":"value1","key2":"value2","key3":"value3"}}

{
  "policies": {
    "AppUpdateURL": "https://yoursite.com", 
    "BlockAboutProfiles": true | false
  }
}

Answer 2 · 2019-12-17 15:41:18

Pankaj Adhikari 提问者

2019/12/19 15:00

Thanks for the reply. I tried the mentioned workaround but facing another issue:

Error: TypeError: gCertDB.getCerts(...) is not iterable firefox_cert.cfg:8:26

My code:

const CA_CERT_COMMON_NAME= <some name> const CA_CERT_FINGERPRINT = <cert fingerprint> const CA_CERT_BASE64 = <cert pem> var Cc = Components.classes; var Ci = Components.interfaces; const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); let certadd_needed = true; for (let cert of gCertDB.getCerts()) {

   if (cert[commonName] == CA_CERT_COMMON_NAME) {
       if (cert[sha1Fingerprint] == CA_CERT_FINGERPRINT) {
           certadd_needed = false;
       } else {
           gCertDB.deleteCertificate(cert);
       }   
   }

} if (certadd_needed) {

   gCertDB.addCertFromBase64(CA_CERT_BASE64, "C,,");

}

Could you point out what I am doing wrong?

Answer 3 · 2019-12-17 15:41:18

cor-el

Moderator
Top 10 Contributor

2019/12/20 07:31

选择的解决方案

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

搜索 | 用户支持

Unable to delete Certificates added using Firefox policies

被采纳的解决方案

所有回复 (4)

选择的解决方案

按产品浏览

按产品浏览

选择产品

按主题浏览所有论坛帖子

获取下列产品帮助

搜索 | 用户支持

Unable to delete Certificates added using Firefox policies

被采纳的解决方案

所有回复 (4)

选择的解决方案