Closed
Bug 109770
Opened 23 years ago
Closed 23 years ago
Obtaining a certificate from Verisign does not work
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.2
People
(Reporter: KaiE, Assigned: KaiE)
References
()
Details
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
javi
:
review+
blizzard
:
superreview+
|
Details | Diff | Splinter Review |
I tested with version 094 and with the current trunk. Version 094 works as
expected. The current trunk does not.
To reproduce:
- Go to https://digitalid.verisign.com/client/class1Netscape.htm
- Apply for a test certificate
(hint: if you already have a test certificate, use a different first/last
name, append a number for example)
Fill first, last name, e-mail address, challenge phrase, select test-drive,
submit.
- wait for the e-mail from Verisign to arrive, this can take a while.
- make sure you still use the same profile and browser version you used in the
initial steps
- as instructed by the e-mail go to
https://digitalid.verisign.com/enrollment/nspickup.htm and paste your digital ID
pin you received in the mail
- click submit
- you will be presented a page that informs you "the certificate has been
installed" (or similar text)
- go to certificate manager.
Expected result: A new certificate from Verisign is listed
Actual result: No new certificate has been received
As this works with 094, it shouldn't be a server side problem.
Could somebody please test to confirm what I see?Thanks.
Assignee | ||
Comment 1•23 years ago
|
||
I'd like to find out at which point the problem starts. Either storing the
generated private key does not work, or downloading the certificate does not work.
I tried to use "certutil -K -k all" from NSS to list all keys in the certificate
database, but that seems to work only for keys already having a certificate.
If nobody has an idea, I'll have to debug what goes wrong.
Comment 2•23 years ago
|
||
I was able to get a cert from testca.netscape.com
This may have to do with keygen.
Assignee | ||
Comment 3•23 years ago
|
||
Using testca works for me, too. Something must be different between verisign and
testca.
Assignee | ||
Comment 4•23 years ago
|
||
The reason, why it didn't work for me, was influenced by the time Verisign
needs to issue the certifiate. I had stopped my browser session and restarted.
When I tried to download my cert, I had not yet logged in to the token. It is
password protected.
So, if you want to reproduce my initial problem, quit the browser completely,
and try to download the cert without having logged in to the token.
During import, NSS function PK11_KeyForCertExists is called. It iterates over
tokens, and calls PK11_Authenticate for each.
It is expected that this call prompts the user to log in to the token. However,
this does not happen. No password prompt is shown.
This problem is always reproducable on my machine. I can fix it by logging in
to the token first.
PK11PasswordPrompt expects the context object to be an nsIInterfaceRequestor,
and tries to QueryInterface nsIPrompt on it.
However, that does not succeed.
Solution
========
The bug is in method PSMContentDownloaderContext::GetInterface, which returns
an undefined result code in the success case.
I'll attach a simple patch which fixes the problem for me.
Question
========
While my patch fixes the problem, I wonder why there are two classes in PSM
that do exactly the same. Besides from this bug, I couldn't find any difference
between classes PSMContentDownloaderContext and PipUIContext. Should I create a
patch to remove one class and reduce code bloat?
Assignee | ||
Comment 6•23 years ago
|
||
Javi, do you think we should prefer this fix? It removes class
PSMContentDownloaderContext which I think is not necessary.
Comment 7•23 years ago
|
||
Comment on attachment 57510 [details] [diff] [review]
Suggested fix
r=javi
Attachment #57510 -
Flags: review+
Assignee | ||
Comment 8•23 years ago
|
||
Javi, before I go and request sr=, what do you think about the alternative patch?
Updated•23 years ago
|
Attachment #57512 -
Flags: review+
Comment 9•23 years ago
|
||
Comment on attachment 57512 [details] [diff] [review]
Alternative fix
r=javi
Comment 10•23 years ago
|
||
Comment on attachment 57510 [details] [diff] [review]
Suggested fix
marking patch as obsolete
Attachment #57510 -
Attachment is obsolete: true
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → 2.2
Comment 11•23 years ago
|
||
Comment on attachment 57512 [details] [diff] [review]
Alternative fix
sr=blizzard
Attachment #57512 -
Flags: superreview+
Assignee | ||
Comment 12•23 years ago
|
||
checked in => fixed
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•