Question

Unable to delete Certificates added using Firefox policies

4 回覆
2 有這個問題
1 次檢視
最近回覆由 Pankaj Adhikari

4 年前

12/17/19, 3:41 PM

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert.

The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine):

TypeError: certdb.getCerts(...).getEnumerator is not a function

This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option.

I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions:

1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json.

2. If not, then do we have a timeline by which we can expect this to be included?

3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

My product needs to add a CA cert to firefox cert chain. My CA can change and accordingly I have to delete older cert from FF cert store and add the new one. To achieve this currently I am using a cfg file which enumerates over the all the certs, finds if cert with common name already exists, match the pem and deletes/adds the cert. The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine): TypeError: certdb.getCerts(...).getEnumerator is not a function This seems to be deprecated. Do we have any substitute for this function?? Changing "security.enterprise_roots.enabled" config is not an option. I also find out that new way of doing is to use policies.json(https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and is able to add the certs but I have few questions: 1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of cert change using policies.json. 2. If not, then do we have a timeline by which we can expect this to be included? 3. I see that we have to name the file "policies.json". What if someone else is using the policies.json for another software? Do I have to add it in the same file because using any other name for the file is not working.

由 Pankaj Adhikari 於 December 23, 2019, 11:03:20 AM PST 修改

被選擇的解決方法

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

👍 0

Answer 1 · 2019-12-17 15:41:18

cor-el

Moderator
Top 10 Contributor

12/19/19, 10:44 AM

You can look at some tests about getCerts(); in the Firefox source code that use for (let cert of certdb.getCerts()){...} to iterate.

I don't know whether certificate installed via policies.json are temporary, i.e. only present for the current session and are removed when you close Firefox and not stored in the cert9.db database.

There is only one policies.json file and you need to extent the main policies key if you want to add/combine additional policies: {"policies": {"key1":"value1","key2":"value2","key3":"value3"}}

{
  "policies": {
    "AppUpdateURL": "https://yoursite.com", 
    "BlockAboutProfiles": true | false
  }
}

Answer 2 · 2019-12-17 15:41:18

Pankaj Adhikari 提出問題者

12/19/19, 3:00 PM

Thanks for the reply. I tried the mentioned workaround but facing another issue:

Error: TypeError: gCertDB.getCerts(...) is not iterable firefox_cert.cfg:8:26

My code:

const CA_CERT_COMMON_NAME= <some name> const CA_CERT_FINGERPRINT = <cert fingerprint> const CA_CERT_BASE64 = <cert pem> var Cc = Components.classes; var Ci = Components.interfaces; const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); let certadd_needed = true; for (let cert of gCertDB.getCerts()) {

   if (cert[commonName] == CA_CERT_COMMON_NAME) {
       if (cert[sha1Fingerprint] == CA_CERT_FINGERPRINT) {
           certadd_needed = false;
       } else {
           gCertDB.deleteCertificate(cert);
       }   
   }

} if (certadd_needed) {

   gCertDB.addCertFromBase64(CA_CERT_BASE64, "C,,");

}

Could you point out what I am doing wrong?

Answer 3 · 2019-12-17 15:41:18

cor-el

Moderator
Top 10 Contributor

12/20/19, 7:31 AM

選擇的解決方法

The issue here was that in FF 71, return type of certdb.getCerts() has changed. With FF 68.3.0esr (and till FF 70) the return type was of object but now this has been changed to array.

We have to separately handle these two cases based on return type getCerts().

if(Array.isArray(certificates)){

    // new style of handlining
    for (let certificate of certificates) { ... }

} else {

   // old style of handling using enumerator
   let certEnumerator = certificates.getEnumerator();
   .....

}

I have tried this and certificate addition/deletion is working fine.

搜尋 Mozilla 技術支援網站

Unable to delete Certificates added using Firefox policies

被選擇的解決方法

所有回覆 (4)

選擇的解決方法

依照產品進行探索

依照主題進行探索

選擇產品

以主題瀏覽所有討論串

獲得下列產品的協助

搜尋 Mozilla 技術支援網站

Unable to delete Certificates added using Firefox policies

被選擇的解決方法

所有回覆 (4)

選擇的解決方法