Allow an extension to configure Firefox security devices

(Jlam) #1

Hi Jorge,

Topic is [Bug 1357391] Allow an extension to configure Firefox security devices

I am on the bug (Bug 1357391) distribution list and just have a very short question. I have follow you instruction (posted by William Bamberg ) on the:

and building a webExtention to load our PKCS11.dll onto the Nightly 58. But it seems to be that Firefox 58 doesn’t supported yet (?)
Could you point me to some kind of example on how this feature has been added?
Is this feature now working with the Nightly 58 both on Window and Linux?

Very much appreciated,

Johny Lam
90Meter Software
PKCS11 library developer at Costa Mesa, CA

Introduction to Add-on Development
(Jorge) #2

Nightly is currently version 59. The documentation indicates that the pkcs API should work on 58, so it should work both on Nightly and Beta. Please make sure you’re using an updated version of Firefox and confirm whether the problem continues to occur.

It would also help if you explain exactly what isn’t working, and if you’re seeing error messages or something else.

(Jlam) #3

I used FF version 59.0a1

Per instruction on PKCS #11 manifests

Below are the files.
File name: manifest.json
“name”: “mypkcs11”,
“description”: “My pkcs11 extension”,
“version”: “1.0”,
“manifest_version”: 2,
“background”: {
“scripts”: [“background-script.js”]
“permissions”: [

File name: background-script.js
var MyPkcs11App = {
var loadPKCS11 = browser.pkcs11.installModule(“mypkcs11”);

Registry Setting:
(Default) =“C:\webExt\mypkcs11”

Using about:debugging-> Load Temporary Add-on

Expect Firefox loading the mypkcs11.dll.

But it is not working yet or some steps are missing from my process …

(Bertrand Perret) #4

you need to create a json file pointing to the pkcs11 module:

  "name": "mypkcs11",
  "description": "My test security module",
  "path": "c:\\webext\\mypkcs11\\mypkcs11.dll",
  "type": "pkcs11",
  "allowed_extensions": [ "your extension ID between these double quotes" ]

The json file location is the data of the default key value you specified earlier.

ie: (Default) =“C:\webExt\mypkcs11\my_json.json”

(Jlam) #5

Hello Mr. Bertrand Perret,
First of all, thank you very very much for your correction since I was hitting a wall while try to work with this new environment.
I have followed your helps.
Trying the run from “Load Temporary Add-on” button in “about:debugging”.
I got a parsing error: “There was an error during installation: JSON.parse: bad escaped character at line 4 column 15 of the JSON data”.
So, I change the path to:
“path”: “c:\webext\mypkcs11\mypkcs11.dll”, it then passes that state and now getting into another error: "There was an error during installation: Extension is invalid"
I have no idea what it means by invalid, please help.

BTW the manifest is now:

“name”: “mypkcs11”,
“description”: “My test extension”,
“path”: “C:\webExt\mypkcs11\mypkcs11.dll”,
“type”: “pkcs11”,
“allowed_extensions”: [

(Jlam) #6

Actually the path is double backslash "\ "
“path”: “C:\ \webExt\ \mypkcs11\ \mypkcs11.dll”,

(Martin Giger) #7

The string in the allowed_extensions array must match the ID you give your extension, which you have to do manually at least while your extension is not signed. If you don’t explicitly define an ID you will get one assigned once the extension is signed and would have to then adjust the manifest for the pkcs11 module. See for documentation on how to set an ID in your manifest.json of the extension.
Ensure both manifests use the same ID.

P.S.: you can use ``` to start and end code blocks (like on GitHub), so multi line code gets easier to read and indentation is preserved.

(Bertrand Perret) #8

Hello jlam,

Sorry, I forgot to tell you the following:

You need to set an ID in the very beginning of your manifest.json like this:

 "applications": {
    "gecko": {
      "id": "",
      "strict_min_version": "57.0"

  ... other declarations in manifest.json

As freaktechnik told you, this ID must match the ID in the other manifest file.

Hope this helps.

Also, don’t forget you can’t insert comments in a json file, only data is accepted.

(Jlam) #9

Thanks a millions! Man this is very tricky.

(Jlam) #10

Hi Bertrand and Freaktechnik,

I finally passes the ID issues. I could not make it without you guys’s help!

Again very appreciated,


(Jlam) #11

Have you got the pkcs11 API to work?

I assume that pkcs11 API is now in Nightly build 59.0a1.

When debugging my background.js with the content below:

console.log(“module installed”);
console.log("module could not be installed "+e);

console showing:
module could not be installed TypeError: browser.pkcs11 is undefined ’

(Martin Giger) #12

That sounds like you don’t have the “pkcs11” permission requested in your manifest.json, though the one you posted earlier in this thread did have the permission listed.

(Jlam) #13

Hi Freaktechnik,

Yes, you are correct! I have remove that statement while testing. Put a back it works!

I don’t know how to say thanks for all the helps from you guys.

I finally got my first WebExt to load my DLL!


(Bertrand Perret) #14

Hi jlam,

Glad to know that you could get it work.

Another point though:
since installModule is an asynchronous API, you could re-write your code
like the following:

var /*Promise*/ statusObj = browser.pkcs11.installModule("mypkcs11");

/* Only print success message within the 'then' statement, 
              error in 'catch' one */
statusObj.then(() => console.log("module installed (v2)")).catch(err => console.log("module could not be installed (v2)", err)); 


(Jlam) #15

Hello Mr. Bertrand Perret,

Thanks for the code.
There is one issue with the mypkcs11.json:
At the statement:
‘“path”: “C:\webExt\mypkcs11\mypkcs11.dll”,’

What if my installer is installed into a dynamic location that may ending in ‘“D:\webExt\mypkcs11\mypkcs11.dll"’? A different drive (D:) that is not drive C: ?

Note that we in case the mypkcs11.dll is not stored under ‘“C:\webExt\mypkcs11".’

(Martin Giger) #16

You’d have to generate the JSON on the fly then. Just set the path to wherever it is installed.

(Jlam) #17

Oh, got it, thank you for the instruction.

(Jlam) #18

Hi Martin and Bertrand,

I must go to you again for another help, and thanks in advance for your generosity!

I am preparing for package to be signed by Firefox AMO. And man, is that true that the I have to go through the whole-9-yard of the below process?

  1. Your API key (JWT issuer)


  1. Access Credentials

Truly yours,

(Martin Giger) #19

You can also sign extensions via web interface on

(Yohanndurant) #20

I try your method
but it was not ok

“name”: “mypkcs11”,
"description”: “Installation du “,
“path”: “C:\Windows\System32\pcks11.dll”,
“type”: “pkcs11”,
“allowed_extensions”: [

Windows Registry Editor Version 5.00



manifest.json extension
“name”: “mypkcs11”,
“description”: “My pkcs11 extension”,
“version”: “1.0”,
“manifest_version”: 2,

“background”: {
“scripts”: [“background-script.js”]

“applications”: {
“gecko”: {
“id”: "",
“strict_min_version”: “59.0”
“permissions”: [

background-script.js extensions

var /Promise/
statusObj = browser.pkcs11.installModule(‘mypkcs11’);
/* Only print success message within the ‘then’ statement,
error in ‘catch’ one */
statusObj.then(() = > console.log(‘module installed (v2)’)).catch (err = > console.log(‘module could not be installed (v2)’, err));

do you see wath is the problem