On Jul 23, 7:40 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> joshuaaa wrote, On 2008-07-23 14:38:
>
> > On Jul 23, 4:20 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> >> joshuaaa wrote, On 2008-07-22 23:56:
>
> >>> I was under the impression (read somewhere here) that firefox 3 would
> >>> allow the cert database to be updated WHILE firefox was running. I'm
> >>> getting the same old behavior in FF3, i.e. remove cert while firefox is
> >>> open, view cert manager and the cert still exists. Have I
> >>> misunderstood or am I doing something wrong?
> >> Firefox stores certs in several places, two of which are the built-in
> >> list of root CA certs, and the cert DB.  The cert DB can be updated,
> >> as you suggest, and certs can be deleted.  There should be no need to do
> >> any restarts after editing the cert DB.  However, deleting root CA certs
> >> from the built-in list of root certs is not possible.  For them, you need
> >> to "edit" them and remove the trust flags, rather than try to delete them.
>
> >>> If this behavior is by design, is there a way to tell it to grab a new
> >>> instance of the cert store? Any solutions to get around this issue?
> >> If you try to delete a root cert from the cert DB, and the root cert is
> >> not presently in use (e.g. you're not visiting an SSL server whose cert
> >> chain uses it), the results should be immediate.  If they're not, file a
> >> bug.
>
> > Thanks for the quick response Nelson. I guess I do not have a clear
> > understanding of where certificates are stored. I must be doing
> > something wrong... A simple example for what I'm doing with JSS would
> > be like this:
>
> >         // Firefox profile directory that holds the cert DB (path elided)
> >         String dir = ".....\\Mozilla\\Firefox\\Profiles\\some_number.default";
> >         CryptoManager.initialize( dir );
> >         CryptoManager cm = CryptoManager.getInstance();
>
> >         // Look the cert up by nickname and delete it from the internal token
> >         CryptoToken internalToken = cm.getInternalKeyStorageToken();
> >         CryptoStore cs = internalToken.getCryptoStore();
> >         cs.deleteCert(cm.findCertByNickname("nickname_of_cert"));
> >         System.out.println("Success.");
>
> > If firefox is open and I run the code above and then do a
> > cryptomanager.getAllTokens() and print out the names for all the certs
> > within each token the cert I removed IS NOT in the list. I assumed
> > that it had worked. BUT, if I open the cert manager in firefox it
> > still shows the user certificate! If firefox IS NOT running and I
> > execute my code, the cert is removed and when I start firefox to check
> > the cert manager it is really gone this time.
>
> > What am I doing wrong?
>
> Until this message, it was not clear to me whether you were using jss in
> the browser or in a separate process, and whether you were using the
> browser's DBs or some other DBs.  Now it seems clear to me that you are
> using a separate Java process and are operating on the browser's DB files.
> The short answer is: that won't work today.
>
> NSS 3.12 (used in FF3) is able to use cert8.db files, which are
> Berkeley DB files, and is also able to use cert9.db files, which are SQLite3
> DB files.  SQLite3 DB files can be actively shared by multiple processes
> at the same time.  The old Berkeley DB files can NOT.  If two processes try
> to operate on Berkeley DB files simultaneously, both with read/write, the
> most common outcomes are DB corruption and process crashes.  NSS 3.11.x and
> older versions only support the Berkeley DBs.  NSS 3.11.x is used in FF2.
>
> For applications like FF3 that use NSS 3.12, which type of DB is used is
> under the control of the application. FF3 does not make use of the SQLite3
> DBs (even though that capability was added primarily for FF3).  So, at
> present, and until such time as FF3 starts to use sqlite3 DBs, it will be
> necessary to ensure that no more than one process is using the browser's DB
> files at any time.
>
> One alternative that may or may not be feasible for you is to run your
> Java/JSS code in the browser process itself.  Then the Java code is
> using the same instance of the DB that the browser is using.  While this
> is feasible, I cannot advise you on how to do it.  Perhaps others in this
> list can help here.
>
> /Nelson

Sorry for the confusion. It would be greatly appreciated if anyone can
shed some light on this subject. I've spent plenty of hours
researching and haven't come up with anything promising.

Anyone know if this can be accomplished through an extension?

Thanks again.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
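
The following is an added example, not part of the thread and not JSS or NSS project code: a pre-flight check a separate Java process could run before pointing `CryptoManager.initialize` at a browser profile, following Nelson's explanation that only the SQLite3 format can be shared between processes. The class and method names are hypothetical, the Berkeley DB check assumes the 1.85 hash-file magic number, and the policy (refuse if any non-SQLite cert DB is present) is a conservative assumption, since the file on disk cannot prove which DB the browser actually opened.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public class CertDbCheck {
    enum Format { SQLITE3, BERKELEY_DB, UNKNOWN }

    // Every SQLite 3 database file begins with this 16-byte string.
    static final byte[] SQLITE_MAGIC = "SQLite format 3\0".getBytes(StandardCharsets.US_ASCII);
    // Berkeley DB 1.85 hash files begin with this 32-bit magic number (assumption, see lead-in).
    static final int BDB_HASH_MAGIC = 0x00061561;

    // Classify a DB file by its header bytes rather than by its file name.
    static Format sniff(Path db) throws IOException {
        byte[] head = new byte[16];
        int n;
        try (InputStream in = Files.newInputStream(db)) {
            n = in.readNBytes(head, 0, head.length);   // Java 9+
        }
        if (n == head.length && Arrays.equals(head, SQLITE_MAGIC)) return Format.SQLITE3;
        if (n >= 4) {
            // The magic is written in the creator's native byte order; accept both.
            int be = ByteBuffer.wrap(head, 0, 4).getInt();
            if (be == BDB_HASH_MAGIC || Integer.reverseBytes(be) == BDB_HASH_MAGIC) return Format.BERKELEY_DB;
        }
        return Format.UNKNOWN;
    }

    // Assumed policy: share the profile only if every cert DB found in it is SQLite.
    static boolean safeToOpenConcurrently(Path profileDir) throws IOException {
        boolean sawSqlite = false;
        for (String name : new String[] {"cert8.db", "cert9.db"}) {
            Path db = profileDir.resolve(name);
            if (!Files.exists(db)) continue;
            if (sniff(db) != Format.SQLITE3) return false;   // legacy or unrecognised file
            sawSqlite = true;
        }
        return sawSqlite;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample profiles: header bytes only, not real cert DBs.
        Path legacy = Files.createTempDirectory("profile-legacy");
        Files.write(legacy.resolve("cert8.db"), new byte[] {0x00, 0x06, 0x15, 0x61, 0, 0, 0, 2});
        Path shared = Files.createTempDirectory("profile-sqlite");
        Files.write(shared.resolve("cert9.db"), SQLITE_MAGIC);
        System.out.println("legacy profile shareable: " + safeToOpenConcurrently(legacy));
        System.out.println("sqlite profile shareable: " + safeToOpenConcurrently(shared));
    }
}
```

When the check returns false, the tool should run only while the browser is closed, which is the one case joshuaaa reports as working.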
