
Support Forum

Unable to delete Certificates added using Firefox policies

Posted

My product needs to add a CA cert to the Firefox cert chain. My CA can change and accordingly I have to delete the older cert from the FF cert store and add the new one. To achieve this, currently I am using a cfg file which enumerates over all the certs, finds whether a cert with the common name already exists, matches the PEM and deletes/adds the cert.

The issue I am seeing from FF 71 (FF < v70 and FF 68.3esr are working fine):

TypeError: certdb.getCerts(...).getEnumerator is not a function

This seems to be deprecated. Do we have any substitute for this function? Changing the "security.enterprise_roots.enabled" config is not an option.


I also found out that the new way of doing this is to use policies.json (https://github.com/mozilla/policy-templates/blob/master/README.md#certificates). I tried the new way and am able to add the certs, but I have a few questions:

1. There is an "Install" option present but no "Uninstall". Is there any way to uninstall the previously installed CA cert in the event of a cert change using policies.json?

2. If not, then do we have a timeline by which we can expect this to be included?

3. I see that we have to name the file "policies.json". What if someone else is using policies.json for other software? Do I have to add it to the same file, because using any other name for the file is not working?


Modified by Pankaj Adhikari

Chosen solution

The issue here was that in FF 71 the return type of certdb.getCerts() has changed. With FF 68.3.0esr (and until FF 70) the return type was an object, but now this has been changed to an array.

We have to handle these two cases separately based on the return type of getCerts().

if (Array.isArray(certificates)) {

    // new style of handling (FF 71+): getCerts() returns an array
    for (let certificate of certificates) { ... }

} else {

    // old style of handling (up to FF 70) using the enumerator
    let certEnumerator = certificates.getEnumerator();
    .....

}

I have tried this and certificate addition/deletion is working fine.
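As an added example (not the poster's or cor-el's code), the two-branch handling above folded into one sync routine: it iterates both shapes of getCerts(), and it matches on fingerprint rather than common name alone, so a same-named stale or substituted CA is deleted before the wanted one is installed. The mock cert DB and the sample fingerprints are constructed so it runs outside Firefox; it assumes the old object shape exposes an nsISimpleEnumerator (hasMoreElements()/getNext()) and that real enumerator elements need QueryInterface(Ci.nsIX509Cert), supplied through the asCert parameter.

```javascript
// Added example, not the poster's code. One routine for both shapes of
// nsIX509CertDB.getCerts(): the array of Firefox 71+ and the object with
// getEnumerator() (an nsISimpleEnumerator) of FF <= 70. `asCert` maps an
// enumerator element; in Firefox pass c => c.QueryInterface(Ci.nsIX509Cert).
function* iterateCerts(certs, asCert = c => c) {
  if (Array.isArray(certs)) {          // FF 71+: directly iterable
    yield* certs;
    return;
  }
  const e = certs.getEnumerator();     // FF <= 70: nsIX509CertList
  while (e.hasMoreElements()) yield asCert(e.getNext());
}

// Keep exactly one CA with the wanted common name: a same-named cert whose
// fingerprint differs is stale (or substituted) and is deleted; the wanted
// cert is installed only if no cert with its fingerprint is present.
function syncCaCert(certdb, wanted, asCert) {
  const result = { deleted: [], added: false };
  let present = false;
  for (const cert of iterateCerts(certdb.getCerts(), asCert)) {
    if (cert.commonName !== wanted.commonName) continue;
    if (cert.sha1Fingerprint === wanted.sha1Fingerprint) {
      present = true;
    } else {
      certdb.deleteCertificate(cert);
      result.deleted.push(cert.sha1Fingerprint);
    }
  }
  if (!present) {
    certdb.addCertFromBase64(wanted.base64, "C,,");  // trust string from the post
    result.added = true;
  }
  return result;
}

// Constructed mock of the cert DB so the logic runs outside Firefox;
// legacy=true returns the pre-FF71 enumerator shape from getCerts().
function mockCertDb(certs, legacy) {
  const store = certs.slice();
  return {
    getCerts() {
      const snap = store.slice();   // real getCerts() also returns a fresh list
      if (!legacy) return snap;
      let i = 0;
      return { getEnumerator: () => ({ hasMoreElements: () => i < snap.length,
                                       getNext: () => snap[i++] }) };
    },
    deleteCertificate(c) { store.splice(store.indexOf(c), 1); },
    addCertFromBase64(b64, trust) { store.push({ commonName: "added", sha1Fingerprint: b64, trust }); },
    fingerprints: () => store.map(c => c.sha1Fingerprint),
  };
}
```

Running syncCaCert twice against the same store is idempotent: the second run finds the wanted fingerprint and neither deletes nor adds anything.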


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36


cor-el
  • Top 10 Contributor
  • Moderator
17699 solutions 160142 answers

You can look at some tests for getCerts() in the Firefox source code that use for (let cert of certdb.getCerts()){...} to iterate:
  • https://dxr.mozilla.org/mozilla-release/search?q=regexp:getCerts
  • https://dxr.mozilla.org/mozilla-release/source/security/manager/ssl/tests/unit/test_certDB_import.js#71

I don't know whether certificates installed via policies.json are temporary, i.e. only present for the current session and removed when you close Firefox, and not stored in the cert9.db database.

There is only one policies.json file and you need to extend the main policies key if you want to add/combine additional policies: {"policies": {"key1":"value1","key2":"value2","key3":"value3"}}


{
  "policies": {
    "AppUpdateURL": "https://yoursite.com", 
    "BlockAboutProfiles": true | false
  }
}

Question owner

Thanks for the reply. I tried the mentioned workaround but am facing another issue:

Error: TypeError: gCertDB.getCerts(...) is not iterable firefox_cert.cfg:8:26


My code:

const CA_CERT_COMMON_NAME = <some name>;
const CA_CERT_FINGERPRINT = <cert fingerprint>;
const CA_CERT_BASE64 = <cert pem>;
var Cc = Components.classes;
var Ci = Components.interfaces;
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
let certadd_needed = true;
for (let cert of gCertDB.getCerts()) {
    // commonName and sha1Fingerprint are attributes of nsIX509Cert
    if (cert.commonName == CA_CERT_COMMON_NAME) {
        if (cert.sha1Fingerprint == CA_CERT_FINGERPRINT) {
            certadd_needed = false;
        } else {
            gCertDB.deleteCertificate(cert);
        }
    }
}
if (certadd_needed) {
    gCertDB.addCertFromBase64(CA_CERT_BASE64, "C,,");
}


Could you point out what I am doing wrong?

cor-el
  • Top 10 Contributor
  • Moderator
17699 solutions 160142 answers

See also:
  • https://dxr.mozilla.org/mozilla-release/source/browser/components/enterprisepolicies/Policies.jsm#194

This works in the Browser Console:

let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (let cert of certdb.getCerts()) {console.log(cert.commonName)}

certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
for (cert of certdb.getCerts()) {console.log(cert["commonName"])}

Modified by cor-el

