Accessing Mozilla certificates from Delphi
I would like to access certificates stored in Mozilla products (Firefox and Thunderbird) from a Delphi (XE) application. For a start I would like to list them; next it would be nice to be able to manage them (import, export, delete) and use them (sign). The software token would be sufficient, although using all tokens supported by Mozilla would be great.
So far I have tried using XPCOM with the http://d-gecko.svn.sourceforge.net/viewvc/d-gecko/trunk/ Delphi binding. However, there is not much documentation around and I am kind of confused by all the terminology and concepts. The best I could manage was:
var
  ns: nsIX509CertDB;
  servMgr: nsIServiceManager;
  count: Cardinal;   { was not declared in the original; receives the number of nicknames }
  p: PChar;          { receives the nickname list; use the type the d-gecko binding declares for it }
begin
  GRE_Startup;
  NS_GetServiceManager(servMgr);
  servMgr.GetServiceByContractID('@mozilla.org/security/x509certdb;1', NS_IX509CERTDB_IID, ns);
  { aToken = nil: all tokens; aType = 1 is nsIX509Cert.CA_CERT }
  ns.FindCertNicknames(nil, 1, count, p);
  GRE_Shutdown;
end;
Using this code I did get an instance of the certdb object and I was able to ask it for certificates. However, it seems to be completely empty (the count from FindCertNicknames is 0) and it also does not react to changing OCSP (IsOcspOn always returns true). I am thinking that I either created a new cert store or that I need to activate the default user profile somehow.
I also tried accessing softokn.dll as a PKCS#11 library. Although this seems to have some sort of PKCS#11 API, it is not responding well, i.e. CKR_BAD_ARGUMENTS on C_Initialize.
The last and really bad way would be accessing the certificate files directly, as they should be "standard" NSS, but I really do not like this way.
Comments (2)
Our SecureBlackbox works with softokn.dll via PKCS#11, and you can use the interfaces provided by SecureBlackbox for handy certificate management.
I explored the PKCS#11 way a little more and I actually got it to do something. The softokn.dll library is an "almost" standard PKCS#11 library, see https://developer.mozilla.org/en/PKCS11_Module_Specs . The key thing is that you need to initialize it with special arguments (the structure is described in the linked URL).
It's also handy to check the NSS error return values: see CKR_NETSCAPE_... at http://people.mozilla.com/~chofmann/l10n/tree/mozilla/security/nss/cmd/pk11mode/pk11mode.c .
The last key thing is that you need to specify the tokens by hand, as the documentation is unclear about using secmod.db - there is a missing word, probably "supported", in "The MOD DB function is not through standard PKCS #11 interfaces".
All this is rather low-level coding and will still need a lot of work, so it may be better to use SecureBlackbox as suggested by Eugene if you are starting from scratch.
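The PKCS#11 route that the question's softokn.dll attempt and the comment above both touch on, worked through end to end as an added example (this is not code from the original post, from Mozilla or from EldoS). It loads softoken directly, passes the module spec that the comment identifies as the key through CK_C_INITIALIZE_ARGS, and then walks every token for CKO_CERTIFICATE objects and their nicknames. Assumptions: the library is softokn3.dll / libsoftokn3.so (the page calls it softokn.dll), the profile directory is supplied by the caller, and the spec keys (configdir, certPrefix, keyPrefix, secmod, flags) are the ones on the PKCS11 Module Specs page linked above. Python with ctypes is used because it mirrors what a Delphi program does with LoadLibrary/GetProcAddress, so the call sequence ports one-to-one; the error code the question reports is CKR_ARGUMENTS_BAD (0x7) in the standard's naming.

```python
"""List the certificates in a Firefox/Thunderbird profile through NSS softoken's PKCS#11
entry points, using ctypes only.  Added example, not code from the original post, Mozilla or
EldoS.  Assumed and adjustable: the path of softokn3.dll / libsoftokn3.so and the profile
directory.  Module-spec keys follow the PKCS11 Module Specs page cited in the comment above."""
import ctypes
import sys

# Constants from pkcs11t.h and pkcs11n.h
CKR_OK, CKR_ARGUMENTS_BAD, CKR_VENDOR_DEFINED = 0x0, 0x7, 0x80000000
CKR_NSS = CKR_VENDOR_DEFINED | 0x4E534350   # 'NSCP', the NSS vendor tag
CKF_SERIAL_SESSION, CKO_CERTIFICATE, CKA_CLASS, CKA_LABEL, CK_TRUE = 0x4, 0x1, 0x0, 0x3, 1
CK_ULONG = ctypes.c_ulong                   # 'unsigned long' on every platform, 32 bits on Win64
CK_RV, P, CK_UNAVAILABLE_INFORMATION = CK_ULONG, ctypes.POINTER, CK_ULONG(-1).value
_RV_NAMES = {CKR_OK: "CKR_OK", CKR_ARGUMENTS_BAD: "CKR_ARGUMENTS_BAD",  # last two: ex CKR_NETSCAPE_*
             CKR_NSS + 1: "CKR_NSS_CERTDB_FAILED", CKR_NSS + 2: "CKR_NSS_KEYDB_FAILED"}

class CkStruct(ctypes.Structure):           # pkcs11.h packs structs to 1 byte on Windows only
    if sys.platform == "win32":
        _pack_ = 1
class CK_C_INITIALIZE_ARGS(CkStruct):       # softoken takes its module spec from pReserved
    _fields_ = [(n, ctypes.c_void_p) for n in ("CreateMutex", "DestroyMutex", "LockMutex",
                "UnlockMutex")] + [("flags", CK_ULONG), ("LibraryParameters", ctypes.c_char_p)]
class CK_ATTRIBUTE(CkStruct):
    _fields_ = [("type", CK_ULONG), ("pValue", ctypes.c_void_p), ("ulValueLen", CK_ULONG)]
def _fn(*argtypes):
    return ctypes.CFUNCTYPE(CK_RV, *argtypes)

# Leading part of CK_FUNCTION_LIST in pkcs11f.h order; only the entries used here are typed.
# The table is read through the pointer softoken returns, never copied, so a prefix suffices.
_TYPED = {"C_Initialize": _fn(P(CK_C_INITIALIZE_ARGS)), "C_Finalize": _fn(ctypes.c_void_p),
          "C_GetSlotList": _fn(ctypes.c_ubyte, P(CK_ULONG), P(CK_ULONG)),
          "C_OpenSession": _fn(CK_ULONG, CK_ULONG, ctypes.c_void_p, ctypes.c_void_p, P(CK_ULONG)),
          "C_CloseSession": _fn(CK_ULONG), "C_FindObjectsFinal": _fn(CK_ULONG),
          "C_GetAttributeValue": _fn(CK_ULONG, CK_ULONG, P(CK_ATTRIBUTE), CK_ULONG),
          "C_FindObjectsInit": _fn(CK_ULONG, P(CK_ATTRIBUTE), CK_ULONG),
          "C_FindObjects": _fn(CK_ULONG, P(CK_ULONG), CK_ULONG, P(CK_ULONG))}
_ORDER = ("C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList C_GetSlotInfo "
          "C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN C_SetPIN "
          "C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
          "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject "
          "C_GetObjectSize C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit "
          "C_FindObjects C_FindObjectsFinal").split()
class CK_FUNCTION_LIST(CkStruct):
    _fields_ = [("version", ctypes.c_ubyte * 2)] + [(n, _TYPED.get(n, ctypes.c_void_p)) for n in _ORDER]

def describe_rv(rv):                        # anything with the vendor bit set is NSS-specific
    return _RV_NAMES.get(rv, "%s 0x%08x" % ("vendor-defined" if rv & CKR_VENDOR_DEFINED else "CKR", rv))
def check(rv, call):
    if rv != CKR_OK:
        raise RuntimeError("%s failed: %s" % (call, describe_rv(rv)))

def softoken_module_spec(profile_dir, read_only=True, sql_db=True):
    """The string softoken wants in pReserved; sql_db: cert9.db/key4.db vs legacy cert8.db/key3.db."""
    if "'" in profile_dir:              # values are single-quoted below; keep that unambiguous
        raise ValueError("profile path must not contain a single quote")
    spec = ["configdir='%s%s'" % ("sql:" if sql_db else "dbm:", profile_dir),
            "certPrefix=''", "keyPrefix=''", "secmod='secmod.db'"]
    if read_only:
        spec.append("flags=readOnly")   # never writes, so usable while Firefox holds the profile
    return " ".join(spec)

def load_softoken(path):
    """Load softoken and fetch its table via C_GetFunctionList, the one mandatory PKCS#11 export."""
    lib = ctypes.CDLL(path)             # Windows: make the sibling NSS DLLs reachable first
    lib.C_GetFunctionList.restype, lib.C_GetFunctionList.argtypes = CK_RV, [P(P(CK_FUNCTION_LIST))]
    table = P(CK_FUNCTION_LIST)()
    check(lib.C_GetFunctionList(ctypes.byref(table)), "C_GetFunctionList")
    return lib, table.contents          # keep lib referenced while the table is in use

def object_label(fl, session, handle):
    """CKA_LABEL (the NSS nickname) of one object, via the size-then-fill convention."""
    attr = CK_ATTRIBUTE(CKA_LABEL, None, 0)
    if (fl.C_GetAttributeValue(session, handle, ctypes.byref(attr), 1) != CKR_OK
            or attr.ulValueLen in (0, CK_UNAVAILABLE_INFORMATION)):
        return ""
    buf = ctypes.create_string_buffer(attr.ulValueLen)
    attr.pValue = ctypes.addressof(buf)
    check(fl.C_GetAttributeValue(session, handle, ctypes.byref(attr), 1), "C_GetAttributeValue")
    return buf.raw[:attr.ulValueLen].decode("utf-8", "replace")

def list_certificates(fl, module_spec):
    """[(slot id, nickname)] of every certificate object softoken exposes.  Softoken alone shows
    only its internal tokens: modules listed in secmod.db / pkcs11.txt are loaded by libnss3."""
    args = CK_C_INITIALIZE_ARGS(LibraryParameters=module_spec.encode())
    check(fl.C_Initialize(ctypes.byref(args)), "C_Initialize")
    found = []
    try:
        n = CK_ULONG()
        check(fl.C_GetSlotList(CK_TRUE, None, ctypes.byref(n)), "C_GetSlotList")    # size query
        slots = (CK_ULONG * n.value)()
        check(fl.C_GetSlotList(CK_TRUE, slots, ctypes.byref(n)), "C_GetSlotList")
        for slot in slots[:n.value]:
            hs = CK_ULONG()
            check(fl.C_OpenSession(slot, CKF_SERIAL_SESSION, None, None, ctypes.byref(hs)), "C_OpenSession")
            cls = CK_ULONG(CKO_CERTIFICATE)   # template: CKA_CLASS == CKO_CERTIFICATE
            tmpl = (CK_ATTRIBUTE * 1)(CK_ATTRIBUTE(CKA_CLASS, ctypes.addressof(cls), ctypes.sizeof(cls)))
            check(fl.C_FindObjectsInit(hs.value, tmpl, 1), "C_FindObjectsInit")
            handles, got = (CK_ULONG * 16)(), CK_ULONG(1)
            while got.value:                  # C_FindObjects is repeated until it yields nothing
                check(fl.C_FindObjects(hs.value, handles, 16, ctypes.byref(got)), "C_FindObjects")
                found += [(slot, object_label(fl, hs.value, h)) for h in handles[:got.value]]
            fl.C_FindObjectsFinal(hs.value)
            fl.C_CloseSession(hs.value)
    finally:
        fl.C_Finalize(None)                   # also closes any session still open
    return found
```

Usage: `lib, table = load_softoken("/usr/lib/x86_64-linux-gnu/libsoftokn3.so")` followed by `list_certificates(table, softoken_module_spec("/home/me/.mozilla/firefox/abcd.default"))` (paths are placeholders). Softoken reports two slots, the internal crypto slot and the certificate DB slot; the nicknames come from the latter, and the built-in root CAs do not appear at all because they live in the separate nssckbi module, which is exactly the "specify the tokens by hand" limitation from the comment. Use `sql_db=False` for a legacy cert8.db/key3.db profile, and keep `read_only=True` unless the profile is not in use, since softoken refuses a writable open it cannot lock.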