Closed Bug 1044952 Opened 5 years ago Closed 4 years ago

'GIP-CPS' Certificates no longer installed by a vendor addon at addon installation time.

Categories

(Core :: Security: PSM, defect, major)

33 Branch
x86
Windows 7
defect
Not set
major

RESOLVED WONTFIX

People

(Reporter: bertrand.perret, Unassigned)

Attachments

(1 file)

392.06 KB, application/zip
Attached file cps3_pkcs11_w32.zip
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

On a Windows 7 x86 platform:

Go to the link (to fetch the 2014-07-05 Nightly build):

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-07-05-03-02-03-mozilla-central/

Download the file: firefox-33.0a1.en-US.win32.installer.exe

Install the Nightly version on Windows 7 x86 platform.

Copy the attached DLL to %windir%\system32

Open Nightly and go to the following site 'http://testssl.asipsante.fr'

Click the link named 'Installeur XPI de l'extension CPS ...'

Install the CPS Addon, which restarts the browser.

When restarted, go to :

Options -> Advanced -> Certificates tab -> View Certificates -> Authorities tab.


Actual results:

The root & ac certificates labeled 'GIP-CPS' are not shown between the 'Geotrust' and 'GlobalSign' sections.


Expected results:

The root & ac certificates labeled 'GIP-CPS' should be displayed between 'Geotrust' and 'GlobalSign' sections.

With mozregression, we see that it works with the 2014-07-04 Nightly build.

After investigation, we realized that the following code embedded in the addon now throws an exception:
In file asipsantePKCS11.js located at C:\Users\<USERNAME>\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM>.default\extensions\CPS2ter-2020_Firefox@asipsante.fr\content

    try 
    {
      // Exception raised HERE !
      x509CertDB2= Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB2);
      if (x509CertDB2 == null) {
        //alert("x509CertDB2 est NULL");
        return false;
      }
      x509CertDB = Components.classes["@mozilla.org/security/x509certdb;1"].getService(Components.interfaces.nsIX509CertDB); 
        
      if (x509CertDB == null) {
        //alert("x509CertDB est NULL");
        return false;
      }
    }catch(exc) {
      //alert("Erreur insertion certificats");
      return false;
    }
Severity: normal → major
Hardware: x86_64 → x86
Version: 31 Branch → 34 Branch
Version: 34 Branch → 33 Branch
Summary: 'GIP-CPS' Certificates no longer installed by a vendor addon at adddon installation time. → 'GIP-CPS' Certificates no longer installed by a vendor addon at addon installation time.
This commit seems to be the source of this bug:

https://www.openhub.net/p/mozilla/commits/346161625

It breaks compatibility for addons which still use the nsIX509CertDB2 interface.
Installing the Aurora 33.a02 (2014-08-07), and testing our CPS Addon, I realize
that the nsIX509Cert2 interface has been removed too.

nsIX509CertDB2 is still unavailable on this version of Aurora.

Is this documented anywhere?

Thanks.
Depends on: 643041
This was documented here:

https://developer.mozilla.org/en-US/Firefox/Releases/33#Changes_for_add-on_and_Mozilla_developers

But late.

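The solution is to do something like this in your code:

    // Cc / Ci are the usual add-on shorthands for Components.classes / Components.interfaces.
    var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    // Default to the nsIX509CertDB service; it is used when nsIX509CertDB2 is unavailable.
    var certdb2 = certdb;
    try {
      // Throws on builds where nsIX509CertDB2 has been removed; certdb2 then keeps the fallback.
      certdb2 = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB2);
    } catch (e) {}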

I think they believed this wasn't a commonly used service, so they didn't do any remediation.
Thanks for filing the bug, and sorry for the bustage.

Unfortunately, we're unlikely to revert the change, especially at this point.

mkaply's solution from comment 3 looks like it would work as a workaround.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Hello,

thanks for the answer.

We fixed this problem in our XPI for the release of FF34.

Sincerely.