Closed
Bug 229565
Opened 21 years ago
Closed 21 years ago
unable to import certs with a lifetime over the year 2049
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: c++, Assigned: KaiE)
Details
User-Agent: Mozilla/5.0 (Windows NT 5.2; U) Opera 7.21 [de]
Build Identifier: Mozilla/5.0 rv. 1.5
When trying to import a root-certificate (or sub-ca-cert or webserver-cert) in
the certificate manager with a lifetime longer than the year 2049 you are unable
to do so. You don't even get any dialog box. Trying to browse to a website with
such certs results in the error -8183.
Reproducible: Always
Steps to Reproduce:
1. create a root-ca with i.e. windows certsvc with a validity till december 2050
2. try to import the cert into mozilla
3. --> nothing happens
Actual Results:
unable to import the cert
Expected Results:
Import the cert. If you're creating a cert with a validity till december 2049
you're able to import the cert.
I've checked the cert's time-settings and everything seems ok. Running an
ASN1PARSE with openssl showed that the start-time is encoded as UTCTIME (the
year is 2003) and the end-time as GENERALIZEDTIME (the year is 2052)
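The asn1parse output described above follows the X.509 profile rule (RFC 5280): validity dates through 2049 are encoded as UTCTime with a two-digit year, later dates as GeneralizedTime with a four-digit year. The following is an added example, not code from NSS or from this bug report; the `allow_generalized` switch is a hypothetical way to model a decoder without GeneralizedTime support, and the sample dates are constructed.

```python
from datetime import datetime

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30  # ASN.1 tags

def encode_time(dt):
    """DER-encode one time (naive datetime, taken as UTC) by the RFC 5280
    rule: UTCTime for 1950-2049, GeneralizedTime otherwise."""
    rest = dt.strftime("%m%d%H%M%SZ")
    if 1950 <= dt.year <= 2049:
        tag, text = UTC_TIME, "%02d%s" % (dt.year % 100, rest)
    else:
        tag, text = GENERALIZED_TIME, "%04d%s" % (dt.year, rest)
    return bytes([tag, len(text)]) + text.encode("ascii")

def decode_time(der, allow_generalized=True):
    """Return (datetime, bytes consumed). allow_generalized=False models a
    decoder without GeneralizedTime support (hypothetical switch)."""
    tag, length = der[0], der[1]
    text = der[2:2 + length].decode("ascii")
    if tag == UTC_TIME and length == 13:
        yy = int(text[:2])
        # Two-digit year pivot: 50-99 -> 19YY, 00-49 -> 20YY.
        year, rest = (1900 if yy >= 50 else 2000) + yy, text[2:]
    elif tag == GENERALIZED_TIME and length == 15 and allow_generalized:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("bad DER: unsupported time, tag 0x%02x" % tag)
    if not rest.endswith("Z"):
        raise ValueError("bad DER: time must end in Z")
    fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # MM DD hh mm ss
    return datetime(year, *fields), 2 + length

def encode_validity(not_before, not_after):
    body = encode_time(not_before) + encode_time(not_after)
    return bytes([SEQUENCE, len(body)]) + body  # short-form length (< 128)

def decode_validity(der, allow_generalized=True):
    if len(der) < 2 or der[0] != SEQUENCE or der[1] != len(der) - 2:
        raise ValueError("bad DER: expected a short-form SEQUENCE")
    not_before, used = decode_time(der[2:], allow_generalized)
    not_after, _ = decode_time(der[2 + used:], allow_generalized)
    return not_before, not_after

# Constructed sample matching the report: issued 2003, expiring 2052.
SAMPLE = encode_validity(datetime(2003, 12, 1), datetime(2052, 12, 1))

if __name__ == "__main__":
    print(SAMPLE.hex(), decode_validity(SAMPLE))
```

Calling `decode_validity(SAMPLE, allow_generalized=False)` raises `ValueError`, while the same call on a Validity ending in 2049 succeeds, which is the 2049/2050 boundary the reporter observed.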
Comment 2•21 years ago
This should have been fixed in the current Mozilla
trunk builds (version 1.7a, under development).
The bug number for GeneralizedTime support is bug
143334.
Bug submitter, are you using Mozilla version 1.6 or
older? Could you try the latest Mozilla trunk (1.7a)
nightly build? (Download it from
http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest-trunk/.)
Error -8183 is SEC_ERROR_BAD_DER, "Security library:
improperly formatted DER-encoded message." (The NSS
and SSL error codes are tabulated at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html.)
PSM should at least pop up an error dialog box when
it fails to import a cert with an unsupported field
or extension.
Status: UNCONFIRMED → NEW
Ever confirmed: true
The latest 1.7a trunk build from Jan 04, 2004 works as expected.
But there is still room for improvement - the year is NOT displayed correctly
in the CERT-VIEW, i.e. it is still formatted in 2 letter format. This should be
changed to support a four letter format, otherwise it is impossible i.e. to
differentiate between a cert ending in the year 2049 or 2149 etc.
Comment 4•21 years ago
Marking resolved fixed, in light of the above comment.
A separate bug should be filed about any issues
with the display format of the date.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 5•21 years ago
There are two remaining issues.
1. One doesn't get any dialog box when Mozilla is unable to
import a cert with a lifetime longer than the year 2049.
To reproduce this bug requires NSS 3.8.x or older.
2. The year is displayed in two-digit format.
Comment 7•21 years ago
We were hoping you'd open the new bugs :-)
I've just opened the new bugs: bug 230301
(no error message dialog on cert import
failure) and bug 230303 (year displayed
in two-digit format).
Updated•8 years ago
Product: Core → Core Graveyard