Closed
Bug 670454
Opened 13 years ago
Closed 13 years ago
Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"
Categories
(Core :: Security: PSM, defect)
Tracking
()
VERIFIED
FIXED
mozilla8
People
(Reporter: 5rgz6ni02, Assigned: KaiE)
References
Details
(Keywords: regression)
Attachments
(4 files, 2 obsolete files)
(deleted),
image/png
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
KaiE
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0a2) Gecko/20110709 Firefox/7.0a2
Build ID: 20110709042004
Steps to reproduce:
Start Aurora with a new Profile just to be sure
Open Menu Preferences
Select Advanced | Encryption , View Certificates
Select tab certificates, scroll down to Thawte
Select first Thawte Certificate, click "view..." button
(Actually the problem is not specific to this single certificate. I tried many more built-in root certificates and they all had the same issue.)
Actual results:
Certificate Viewer opens, it says "could not verify this certificate for unknown reasons"
Expected results:
Certificate Viewer opens, it should say "this certificates has been verified for the following uses" and a list of uses.
Reporter | ||
Comment 1•13 years ago
|
||
about:support info attached
Updated•13 years ago
|
Component: General → Security
QA Contact: general → firefox
Reporter | ||
Comment 2•13 years ago
|
||
Aurora has been updated several times since I originally reported the bug. The problem persists. Someone on irc wanted to see "my" about:buildconfig (I guess this really is Aurora's configuration), so I attach it here.
Updated•13 years ago
|
Comment 3•13 years ago
|
||
This is caused by bug 479393:
+ verifyResult =
+ CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
certificateUsageSSLClient |
certificateUsageSSLServer |
certificateUsageSSLServerWithStepUp |
certificateUsageEmailSigner |
certificateUsageEmailRecipient |
certificateUsageObjectSigner |
certificateUsageSSLCA |
certificateUsageStatusResponder,
NULL, &usages);
...
+ if (verifyResult != SECSuccess) {
+ int err = PR_GetError();
+ verifyFailed(_verified, err);
+ return NS_OK;
+ }
We are expecting that CERT_VerifyCertificateNow will return SECSuccess if at least one of the given usages is valid. However, it actually returns SECFailure unless all of the given usages are valid. I remember that Kai's original patch was correctly ignoring the return value of CERT_VerifyCertificateNow, but he "corrected" it when I told him we should check the return value. My bad. :(
The fix is simple: restore the error detection logic to the way it was done before:
- if (count == 0) {
- verifyFailed(_verified, err);
- } else {
- *_verified = nsNSSCertificate::VERIFIED_OK;
- }
Also, we should add a comment about why we are not checking the return value.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•13 years ago
|
||
This affects Firefox 6, so we might want to consider fixing it there before shipping (I'm not exactly sure how critical this is).
tracking-firefox6:
--- → ?
(In reply to comment #4)
> (I'm not exactly sure how critical this is).
Fairly "critical", IMO, as it affects the display of *all* certs in cert viewer (Fx 6 will show "Could not verify this certificate for unknown reasons" even if a server cert is perfectly valid - try https://addons.mozilla.org e.g.).
Keywords: regression
Version: 7 Branch → 6 Branch
Updated•13 years ago
|
Assignee: nobody → bsmith
Comment 6•13 years ago
|
||
This causes the certificate viewer to show a misleading message in the General tab, and prevents the general tab from displaying the usages for which the certificate is valid. The information is still available from the Details tab. No other certificate functionality is affected by the bug--in particular, it doesn't affect any other parts of the UI like the site identity block, it doesn't stop valid SSL connections from working, and it doesn't allow invalid SSL connections to work.
Summary: Aurora regression: Built-in root certificates are displayed as untrusted → Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"
Assignee | ||
Comment 8•13 years ago
|
||
Let's be clear which parts need to be reverted and attach a patch.
Comment 9•13 years ago
|
||
Here is the fix.
The libpkix case is still broken, but that doesn't matter because libpkix is not enabled yet and can only be enabled with an unsupported hidden pref. I filed 672811 for fixing the libpkix case.
Attachment #547103 -
Flags: review?(kaie)
Assignee | ||
Comment 10•13 years ago
|
||
Attachment #547104 -
Flags: review?(bsmith)
Assignee | ||
Updated•13 years ago
|
Assignee: bsmith → kaie
Assignee | ||
Comment 11•13 years ago
|
||
Comment on attachment 547103 [details] [diff] [review]
Fix usage display in cert viewer for non-libpkix case only
I don't like your patch, because you call PR_GetError() very late. Please call it as early as we did in the past, immediately after the action - this avoids all risk that other activity might change the error code.
Attachment #547103 -
Flags: review?(kaie) → review-
Assignee | ||
Comment 12•13 years ago
|
||
Also, you're calling PORT_GetError, while the old code used PR_GetError. Let's use exactly what we did in the past.
Comment 13•13 years ago
|
||
Comment on attachment 547104 [details] [diff] [review]
Patch v1 - restore the old behaviour
Review of attachment 547104 [details] [diff] [review]:
-----------------------------------------------------------------
r+. Please add my comment and (void) in front of the call to CERT_VerifyCertificateNow, so we don't make this mistake again.
Attachment #547104 -
Flags: review?(bsmith) → review+
Assignee | ||
Comment 14•13 years ago
|
||
(In reply to comment #9)
>
> The libpkix case is still broken, but that doesn't matter because libpkix is
> not enabled yet and can only be enabled with an unsupported hidden pref. I
> filed 672811 for fixing the libpkix case.
My patch works in the libpkix case, too.
Assignee | ||
Comment 15•13 years ago
|
||
(In reply to comment #14)
>
> My patch works in the libpkix case, too.
I'm wrong.
Comment 16•13 years ago
|
||
Kai, lets worry about the libpkix case in bug 672811. I will comment there.
Assignee | ||
Comment 17•13 years ago
|
||
carrying forward r=bsmith
Attachment #547104 -
Attachment is obsolete: true
Attachment #547113 -
Flags: review+
Assignee | ||
Updated•13 years ago
|
Attachment #547103 -
Attachment is obsolete: true
Assignee | ||
Comment 18•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 19•13 years ago
|
||
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added
Requesting approval for beta and aurora.
Firefox 6 would be the first release to show up this regression bug.
Attachment #547113 -
Flags: approval-mozilla-beta?
Attachment #547113 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•13 years ago
|
tracking-firefox7:
--- → ?
Assignee | ||
Updated•13 years ago
|
Target Milestone: --- → mozilla6
Comment 20•13 years ago
|
||
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added
Approved for releases/mozilla-aurora and releases/mozilla-beta. We'll also track this to make sure we don't ship with this regression
Attachment #547113 -
Flags: approval-mozilla-beta?
Attachment #547113 -
Flags: approval-mozilla-beta+
Attachment #547113 -
Flags: approval-mozilla-aurora?
Attachment #547113 -
Flags: approval-mozilla-aurora+
Comment 21•13 years ago
|
||
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110726 Firefox/8.0a1
Verified issue on mozilla central using the STR from Comment 0, on Windows XP, Windows 7, Ubuntu and Mac OS X 10.6.
The target milestone of this bug is set to mozilla 6. Will this land on Firefox beta 6 and Aurora also?
Updated•13 years ago
|
Target Milestone: mozilla6 → mozilla8
Comment 22•13 years ago
|
||
Yes, it will.
Comment 23•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/8966bdc465aa
http://hg.mozilla.org/releases/mozilla-beta/rev/d66a5a76f6ba
status-firefox6:
--- → fixed
status-firefox7:
--- → fixed
Reporter | ||
Comment 24•13 years ago
|
||
Thanks everybody, works again in the Aurora release I just received via auto update. Not sure about Mozilla's bugzilla process. Should I as the original reporter set the status to verified?
Comment 25•13 years ago
|
||
(In reply to comment #24)
> Thanks everybody, works again in the Aurora release I just received via auto
> update. Not sure about Mozilla's bugzilla process. Should I as the original
> reporter set the status to verified?
You could have done, or anyone else who could reproduce the problem and verify the fix. I'll set it now, based on your comment. Thanks for the report.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•