Bug 765133 (Closed)
Opened 12 years ago, closed 8 years ago
Certificate details dialog box shows the wrong error message for certificates that are blocked because their cert chain contains an MD5-based signature
Categories: Core :: Security: PSM, defect
Status: RESOLVED WORKSFORME
People: Reporter: briansmith, Unassigned
(In reply to Brian Smith (:bsmith) from bug 758314 comment #3)
> [T]he certificate details dialog box WILL NOT show this custom
> error message for certificates with MD5-based signatures, because
> CERT_VerifyCertificate does NOT return the
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error for them when we call it
> from nsUsageArrayHelper::GetUsagesArray. Instead, CERT_VerifyCertificate
> returns SEC_ERROR_INADEQUATE_CERT_TYPE. I believe this is because we're
> asking it to verify the cert for every possible usage, and
> CERT_VerifyCertificate first detects
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, and then later detects
> SEC_ERROR_INADEQUATE_CERT_TYPE, and decides to return the latter error code
> instead of the former.
>
> Consequently, the error message in the certificate details dialog box will
> not be very helpful; it will say "Could not verify certificate for unknown
> reasons."
>
> Also, when you have libpkix enabled, you also get the "Could not verify
> certificate for unknown reasons" because of a known bug, bug 672811.
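The error masking hypothesized in the quoted comment, as an added example: a simplified C model, not NSS code and not part of the original bug report. The types, `check_usage`, `verify_all_usages`, `NUM_USAGES`, the order of the checks and the numeric error values are all assumptions made for illustration; the "most specific kept" policy is only there for contrast and is not the fix adopted in this bug.

```c
#include <stdio.h>

/* Constructed stand-ins named after the NSS error codes quoted above; the
 * numeric values are NOT the real NSS values. Larger value = more specific. */
typedef enum {
    ERR_NONE = 0,
    ERR_INADEQUATE_CERT_TYPE = 1,
    ERR_CERT_SIGNATURE_ALGORITHM_DISABLED = 2
} verify_err;

typedef struct {
    int md5_in_chain;        /* chain contains an MD5-based signature */
    unsigned allowed_usages; /* bitmask of usages the cert is typed for */
} model_cert;

#define NUM_USAGES 4 /* hypothetical number of usages checked */

/* Constructed samples: both typed for usage bit 0 only. */
static const model_cert MD5_CERT = { 1, 0x1u };   /* MD5 signature in chain */
static const model_cert CLEAN_CERT = { 0, 0x1u }; /* no MD5 signature */

/* Assumed per-usage check: the type test fails before the chain is examined. */
static verify_err check_usage(const model_cert *c, unsigned bit) {
    if (!(c->allowed_usages & bit)) return ERR_INADEQUATE_CERT_TYPE;
    if (c->md5_in_chain) return ERR_CERT_SIGNATURE_ALGORITHM_DISABLED;
    return ERR_NONE;
}

/* Every usage is checked; keep_specific selects the reporting policy:
 * 0 = last failure overwrites earlier ones, 1 = most specific failure is kept. */
static verify_err verify_all_usages(const model_cert *c, int keep_specific) {
    verify_err reported = ERR_NONE;
    int any_ok = 0;
    for (unsigned i = 0; i < NUM_USAGES; i++) {
        verify_err e = check_usage(c, 1u << i);
        if (e == ERR_NONE) any_ok = 1;
        else if (!keep_specific || e > reported) reported = e;
    }
    return any_ok ? ERR_NONE : reported;
}

int main(void) {
    printf("last failure wins:  %d\n", verify_all_usages(&MD5_CERT, 0));
    printf("most specific kept: %d\n", verify_all_usages(&MD5_CERT, 1));
    return 0;
}
```

In this model the MD5 failure is seen on the first usage and then overwritten by the cert-type failures of the remaining usages, so the caller never learns the real reason for the block.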
Comment 1 • 12 years ago (Reporter)
I do not want to make enhancements to the old non-libpkix certificate path validation library. Instead, we should fix this by switching to libpkix.
Depends on: 672811, pkix-default
Updated • 11 years ago (Reporter)
No longer depends on: pkix-default
We switched to mozilla::pkix, so if I'm understanding comment 0 correctly, this should be fixed (also I double-checked with sha1 disabled and everything looks good to me).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME