Today's topic is Firefox and how it su**s. Normally I would not say such a thing, and I always recommend it. But not today - today I'm totally furious about it. The thing that drives me mad about Firefox is its API. When the Mozilla suite was split up, it wasn't done evenly. Thunderbird got one part and Firefox the other - so far Firefox drew the shorter straw. I have done some work with the Mozilla API/XUL before, but twice I have run into big problems with it. The problem I have is that I need to install 3 CA certs for our internal CA to about 1000 workstations. Maybe in the future it will be 4 times the count.
So the first thing I thought up was to use an extension to do the installation. Everything worked fine: if any cert needs to be upgraded, it will be put into the extension, the extension version will be upgraded, and the new cert will be installed if a newer extension is available. The user will be prompted xx times to install the certificate, or notified that a certificate is installed - not a perfect solution, but it works. So far so good. Everything worked fine, up to the point where the extension is packaged and installed globally. Now the first time the user starts Firefox, the user's profile is generated, and since the extension is installed globally, Firefox thinks it is already installed and will not run the install script. So the only way to make it run the cert installations is when it's updated. GREAT!!! The reason the extension was packaged is to enforce the security policy that users can't install their own extensions.
OK, so I feel really stupid and try to think up a way to make it work. After some digging in xulplanet.com I end up at the nsIX509CertDB interface (the point I started from). The thing I need to do is run a check every time Firefox is started, to see if the cert with the correct CN is in the database. If it is, I can check the serial number, for example, but as usual I ran into problems. So I started digging deeper into the guts of the API. There were 2 interesting functions: findCertByNickname and findCertByEmailAddress. I started messing with the nickname, since it usually is different for each CA subtree. As you can see, the interface takes in an "AString" type string. Well, I could not find a type definition for it, so I thought it was just a string with a different typedef. Well, nothing worked. When I tried with the email it worked nicely, but then again they are CA certs ffs, they have the same email and the function can only return ONE certificate. Seems I can't run the check through a while cycle.
So for corporate purposes Firefox is pretty much useless. I have some suggestions, but considering that probably no one at the Mozilla team will ever see this blog, I'll make it short. Fix the frigging LDAP support and enable it on Firefox, add a type converter, and implement certificate search through nickname (*char), full DN certificate serial, and search with multiple certificates as a result, and that's just for starters.