Invalid cert can be imported as a CA cert, if it is already imported as an enterprise cert

RESOLVED DUPLICATE of bug 1431850

Status

()

Product:
Core
Component:
Security: PSM
Status:
RESOLVED DUPLICATE of bug 1431850
Reported:
6 months ago
Modified:
6 months ago

People

(Reporter: yuki, Unassigned)

Tracking

Version:
Trunk
Platform:
Unspecified
Windows
Points:
---

Firefox Tracking Flags

(firefox-esr60 affected, firefox64 affected)

Details

Attachments

(2 attachments)

self-signed.badssl.crt
1.24 KB, application/pkix-cert
Details
self-signed.badssl.reg
7.33 KB, text/x-ms-regedit
Details
(Reporter)

Description

6 months ago 
Generally Firefox's cert manager disallows to import a CA cert if it is not acceptable as a CA, for example a self-signed cert for server authentication. However, when it is already imported as an enterprise cert via Active Directory's group policy feature, it can be imported as a CA cert without no such error message.

I think this is not a critical but confusable.


# Steps to reproduce (on Windows 10):

1. Prepare a self-signed cert just for server authentication.
   (You can skip these steps if you use the attached file
   "self-signed.badssl.crt".)
   1-1. Go to https://self-signed.badssl.com/
   1-2. Click the "More..." button.
   1-3. Click the link "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT".
   1-4. Scroll down and select text from "-----BEGIN CERTIFICATE-----"
        to "-----END CERTIFICATE-----".
   1-5. Copy and paste the text to a text editor.
   1.6. Save it as a cert file "self-signed.badssl.crt".
2. Set it as an enterprise cert provided via Active Directory's group policy.
   (You can skip these steps if you use the attached file
   "self-signed.badssl.reg".)
   2-1. Double click the file "self-signed.badssl.crt" to open it by
        the cert viewer of the Windows itself.
        Then please remember the fingerprint hex, for example: "7a57d3243..."
   2-2. Click the "Install Certificate" button.
        Then cert importer wizard starts.
   2-3. Choose the store for the current user and click "Next".
   2-4. Choose the second choice to specify cert store manually,
        and choose "Trusted Root Certification Authorities".
        Then click "Next".
   2-5. Click "Finish".
   2-6. Start regedit.exe with admin privilege.
   2-7. Go to "Computer\HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
        \Root\Certificates" and find a sub key for the imported cert.
        The name of the sub key is same to its fingerprint hex, for example:
        "7A57D3243..."
   2-8. Export the sub key to a file "self-sighed.badssl.reg".
   2-9. Open the file by a plain text editor supporting UTF-16LE.
   2-10. Replace the path of the key from "Computer\HKEY_CURRENT_USER\Software
         \Microsoft\SystemCertificates\Root\Certificates" to
         "HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
         \Certificates".
   2-11. Save the change.
   2-12. Double-click the file and import it to the registry.
3. Start Firefox.
4. Go to "about:config" and set "security.enterprise_roots.enabled" to "true".
5. Restart Firefox.
6. Open "Tools" => "Options".
7. Go to the certificates manager: "Privacy & Security" => "Certificates" =>
   "View Certificates"...
8. Choose the "Authorities" tab.
9. Click the "Import..." button.
10. Choose the cert file "self-signed.badssl.crt.


# Actual result:

A "Downloading Certificate" dialog is opened and you can import it as a CA.


# Expected result:

An error message "This is not a certificate authority certificate, so it can’t
be imported into the certificate authority list." is shown, and importing operation is rejected.
(Reporter)

Comment 1

6 months ago 
Component: Security → Security: PSM

    
    

      

        



        		

        
            (Reporter)
        

        

          
        

      


      

        
          

            Comment 2
          
6 months ago
          

        		
      


      

        
        
      

    


    
  
By the way, there is one more difference about such a self-signed cert
for server authentication imported as an enterprise cert, between Firefox
and IE/Edge. After the step 2 (preparing a situation that the cert is
detected as an enterprise cert), IE (Edge) doesn't report "bad cert" error
for the website "https://self-signed.badssl.com/". On the other hand,
Firefox still shows a cert error for the website and you need to add a
security exception for the site manually to show its contents, despite
the cert was correctly imported from the registry. (I verified that by
logging with "set MOZ_LOG=pipnss:5".)

Initially I got a question from my client company about such an odd difference.
I'm guessing that NSS reports the cert error on this case because the issuer
of the server cert (it equels to the self-signed cert itself) doesn't have
a CA flag. I don't know how Firefox should treat such a special case, so
I've filed this bug just about an odd behavior of the certificates manager.
Should I file another bug for the original problem above?

    

      

        



        		
        
            (Reporter)
        
        

          
        

      

      

        
          

            Updated
          
6 months ago
          

        		
      

    

  
status-firefox-esr60: --- → affected

    
    

      

        



        		

        
        

        

          
        

      


      

        
          

            Comment 3
          
6 months ago
          

        		
      


      

        
        
      

    


    
  
I agree it's confusing but it doesn't ultimately matter, because Firefox will never build a validated certificate chain to that "root" because, as you said, it's not a valid root. Bug 1431850 should address this in any case by not showing that certificate in the authorities section.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1431850

          You need to log in
          before you can comment on or make changes to this bug.