Closed Bug 1615002 Opened 5 years ago Closed 5 years ago

about:certificate chain download only includes end-user certificate for client certificates

Categories

(Core :: Security: PSM, defect, P5)

Product:
Core
Component:
Security: PSM
Version:
72 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1599985

People

(Reporter: will.dickson, Unassigned)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

  1. In Certificate Manager UI, "Your Certificates" tab, import a (client) certificate from a P12. (The certificate is issued via a non-standard root CA, which has previously been imported successfully into Firefox, and also includes an intermediate CA, ie. root CA, then intermediate CA, then end-user certificate.)

  2. In Certificate Manager UI, choose the "View" button.

  3. In the about:certificate tab which appears, go to the "Miscellaneous" section and click the "PEM (chain)" link. Download the file which Firefox offers.

Actual results:

The file contains the PEM for the end-user certificate only. The Base64 is all on one line.

Expected results:

The file should contain the PEM for all three certificates, one after the other, with the regular PEM separator lines, and with the Base64 split over multiple lines; viz:

-----BEGIN CERTIFICATE-----
<Base64 for root certificate...>
<... more base64...>
<etc. etc. etc.>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64 for intermediate CA certificate...>
<... more base64...>
<etc. etc. etc.>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64 for end-user certificate...>
<... more base64...>
<etc. etc. etc.>
-----END CERTIFICATE-----

Please note:

  1. A self-signed certificate is not sufficient to reproduce this bug; there needs to be more than one certificate in the chain.

  2. I haven't been able to test with a certificate from a well-known CA; I don't know whether the fact that my CA certificate is imported has any effect.

  3. The "correct" order of certificates in PEM files of this type is not always observed - or even known. :-) IMHO it would be acceptable to export in the reverse order instead, ie. end-user, then intermediate CA, then root CA. To export in arbitrary order would be a bit weak, but tolerable if there's no simple way to determine the order.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

(In reply to Will Dickson from comment #0)

The Base64 is all on one line.

This is an unrelated issue - please file a bug in Firefox :: Security.

Priority: -- → P5
Summary: Certificate Manager chain download only includes end-user certificate → about:certificate chain download only includes end-user certificate for client certificates
Whiteboard: [psm-backlog]

Done; please see https://bugzilla.mozilla.org/show_bug.cgi?id=1615612 . I don't think I have permission to set the Component.

Looks like bug 1599985 fixed this.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.