On 09/15/2010 03:39 PM, Wei Deng wrote: > I am Wei Deng working in mozilla China. Most Chinese e-banks support IE only, > because they use MS' activex techs. We have cooperated with CCB(one of the > biggest banks in China), and most work has been finished. Maybe it will be > online as soon as possible, it is under whole testing now. > But there is still problem I need help. > The problem is > CCB will make a diagnosis tool, before users dealing any business online,it > will check the envirement. > for example, it will check whether the CCB root certificate have been added to > the trusted CA certificate list in Firefox. Is this tool a plugin or a separately downloaded tool? > We can check it with the certutil > tool, the CCB root certificate is also added into firefox by using certutil. > But how to check whether personal certificate have been loaded into firefox, > is > there any way? > If you are running code on the user's machine, certutil will list the user certs as well.
From a browser page you and redirect to a web-server that request/not require client auth providing the root for the client certificate. If the client has that certificate, the user will get a dialog asking if they want to use it to connect and the connnection completes with client auth. If the user does not have a certificate, then the server will not receive a client auth cert. You can proceed with whatever error recovery you need from there. NOTE: From the server you cannot tell the difference between the user refusing to use the cert, the cert is in a smart card that has been removed or is not authenticated by the user, and the cert not existing. My default the browser use to be ask anytime, but that has been identified as a privacy problem, so I doubt you can get more information (unless you are running yoru own plugin). > Most chinese use smart cards, we have added PKCS#11 module into secmod.db, > when > firefox is starting ,it will load all the PKCS#11 modules and load personal > certificate with them. Where do the personal certificate store and how can I > get info about it? > They are stored in the smart card;). The above browser process will work for certs in the smart card as well. NSS does not 'copy' certs off of smart cards. They are not visible unless the smart card is currently plugged in (and often only if it's plugged in and authenticated). bob > It is a little urgency, I need help very much. > Thanks a lot. >
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
