in reply to Firefox Keystore - Parsing Certutil Output

Not having certutil handy, I don't really understand the sample you included in your post. Off hand, I would expect to extract the name from the CN field, but there are more than 1. Can you post sanitized versions of actual certs?

As for a more Perlish way, Firefox stores setting, preferences, etc. in a SQLite database. Look at DB::SQLite. Also, it might be easier to examine the DB if you install SQLite and use its generic client to explore the DB.

  • Comment on Re: Firefox Keystore - Parsing Certutil Output

Replies are listed 'Best First'.
Re^2: Firefox Keystore - Parsing Certutil Output
by fixed_1978 (Initiate) on Jun 06, 2014 at 18:35 UTC

    I am not trying to parse the actual certificates, just the simple certutil overview output I provided earlier to get the CN and Trust Level.

    However, that is a great idea to use the DB::SQLite module. I will try this and see if I have any success.

    Thanks!

[reply]
Re^2: Firefox Keystore - Parsing Certutil Output
by fixed_1978 (Initiate) on Jun 09, 2014 at 13:44 UTC

    I tried to generically connect via sqlite3 and was unsuccessful: 

    $ sqlite3 cert8.db
   SQLite version 3.3.6
   Enter ".help" for instructions
   sqlite> .tables
   Error: file is encrypted or is not a database

    [download]

    I did some research and it appears that sqlite3 may not be able to communicate with the stored format. However, I think I did find a work around. Basically, if I use the strings command on the cert8.db file, it will dump the contents of the db file on different lines and I can find the certificate names alone on a single from there. So I updated my code to: 

    my %certs;
my @stored_certs;

# Get stored certificates:
my $command = "strings $config{firefox_profile}/cert8.db";
open(OUTPUT , "-|", "$command");
while (my $line = <OUTPUT>){
    chomp $line;
    if ($line =~ /CN=/i) {
        $line =~ s/^!//g;
        $line =~ s/(^\s+|\s+$)//g;
        if (! $certs{$line}) { $certs{$line}{stored_in_firefox}++; }
    }
}
close OUTPUT;

# Get each stores certificate's trust level:
$command  = "certutil -L -d $config{firefox_profile}";
open(OUTPUT, "-|", "$command");
while (my $line = <OUTPUT>){
    chomp $line;
    push (@stored_certs, $line);
}

foreach my $cert (sort keys %certs) {
    foreach my $line (@stored_certs) {
        if ($line =~ /^$cert/) {
            $line =~ s/^$cert//;
            $line =~ s/(^\s+|\s+$)//;
            $lcerts{$cert}{trust_level} = $line;
        }
    }
}

    [download]

    I think this is good enough for now. Thanks again,

[reply]
[d/l]
[select]
Re^2: Firefox Keystore - Parsing Certutil Output
by fixed_1978 (Initiate) on Jun 10, 2014 at 16:32 UTC

    I did some more testing and found that the cert8.db file contains old certificate information even if the certificate is not in the certutil output. Additionally, not all of the possible certs start with CN=. So, my test was missing certs and setting certs that were not really in use. So I am back to doing a pattern match to extract the certificate information.

    Now I parse through the certutil output and filter via the following: 

    foreach my $line (@certuil_output) {
    my $cert;
    my $trust;
    if ($line =~ /(^$|SSL,S\/MIME,JAR\/XPI|Certificate Nickname)/i) { 
+next; }
    if ($line =~ /(.*)\s+(\w+,\w+,\w+)$/) {
        $cert = $1;
        $trust = $2
    } elsif ($line =~ /(.*)\s+,,\s+$/) {
        $cert = $1;
        $trust = “,,”;
    } else {
        print “Unmatched line: $line\n”;
    }

    if ($cert && $trust) { print "$cert\t$trust\n"; }
}

    [download]

    So unless there is a better way, this is what I have.

[reply]
[d/l]

In Section Seekers of Perl Wisdom