Open Bug 1510003 Opened 6 years ago Updated 2 years ago

No visible failure report when importing PKCS12 cert into People tab in Certificate manager

Categories

(Core :: Security: PSM, defect, P3)

Tracking

Tracking Status
firefox65 --- affected

People

(Reporter: aceman, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

In the certificate manager, clicking Import does NOT offer the "PKCS12 Files" (for a personal signing certificate) in the file name filter. Finding the .p12 file via "All files" and trying to import it produces in the Browser console:
NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIX509CertDB.importCertsFromFile] certManager.js:484
The import fails and there is no message to the user. The solution to import the PKCS12 cert is to be on the "Your certificates" tab and click Import there. It is not obvious the various Import buttons on the various tabs can import different types of certificates. (It's hardly obvious there are even any tabs, as they have no visual indication and separation on their labels.)
The "people" tab isn't meant for your personal signing certificates. What is the task you are looking to accomplish?
Flags: needinfo?(acelists)
Yes, the certificate can be imported into the "Your certificates" tab. But it is not obvious you must first choose the right tab as the Import buttons and file choosers look identical. Anyway, if there was some message to the user instead of just a silent console error, maybe the user would find out what to do.
Flags: needinfo?(acelists)
We were working on a problem for which Aceman needed to have a mail certificate. He got one at Comodo and their delivery mechanism imports into FF. So he exported it and needed to re-import into TB. Not being familiar with this, we tried to import from the wrong tab and it failed without any indication of what had gone wrong. I tried to retrace his steps and it failed for me too since I also hadn't paid attention to which tab I was on. When I coincidentally switched to the "Your certificates" tab, the import worked. So a failed user action without any user feedback isn't nice. That's what the bug is about.
Ok - thanks.
Blocks: 1029832
Priority: -- → P3
Whiteboard: [psm-backlog]

Oops, it just happened again, I was in the wrong tab and importing my personal certificate silently failed. This is in the console:
NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIX509CertDB.importCertsFromFile]

https://searchfox.org/mozilla-central/rev/2e355fa82aaa87e8424a9927c8136be184eeb6c7/security/manager/pki/resources/content/certManager.js#507

Could the priority on this be raised? This wouldn't be hard to fix? Add try/catch and show an error? Like "Import of certificate failed. Make sure you are importing into the correct category". Or what are other reasons for failure?

Flags: needinfo?(dkeeler)

I know it's disappointing to hear this about a feature you use, but this is not a priority right now. That said, I think this is something we'd welcome a patch for.

Flags: needinfo?(dkeeler)

OK, so can you describe the shape of the solution? Add try/catch and show an error? Or is there more to it?

Yeah, probably try/catch with alert.

Changing this in addCACerts()

-      certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT);
-      caTreeView.loadCerts(Ci.nsIX509Cert.CA_CERT);
-      caTreeView.selection.clearSelection();
+      try {
+        certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT);
+        caTreeView.loadCerts(Ci.nsIX509Cert.CA_CERT);
+        caTreeView.selection.clearSelection();
+      } catch (ex) {
+        promptError(ex);
+      }
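
Review bot: The catch in the added lines calls promptError(ex) for every failure, so when the import code has already shown its own alert (the "already installed as a certificate authority" case described right after this hunk) the user gets a second, misleading "unknown reasons" prompt; the handler needs a way to tell an already-reported failure from a silent one before prompting. The try also wraps caTreeView.loadCerts() and caTreeView.selection.clearSelection(), so an exception from refreshing the tree would be presented as an import error; keep only the certdb.importCertsFromFile(...) call inside the try and return from the catch.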

gives a "The PKCS #12 operation failed for unknown reasons" alert. Better than nothing. But trying to import a CA cert which already exists gives "This certificate is already installed as a certificate authority" from here
https://searchfox.org/mozilla-central/rev/2e355fa82aaa87e8424a9927c8136be184eeb6c7/security/manager/ssl/nsNSSCertificateDB.cpp#310
now followed by the "unknown reason" error. So that's not the correct fix.

I wonder why
https://searchfox.org/mozilla-central/rev/2e355fa82aaa87e8424a9927c8136be184eeb6c7/security/manager/ssl/nsNSSCertificateDB.cpp#305
doesn't trigger.

Severity: normal → S3