Open Bug 1523110 Opened 6 years ago Updated 1 year ago

certificate viewer: display more of authority key identifier and subject key identifier extensions

Categories

(Firefox :: Security, enhancement, P5)

UNCONFIRMED

People

(Reporter: it, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

View certificates with certain forms of the AuthorityKeyIdentifier X.509 extension, for instance the "Chambers of Commerce Root - 2008" certificate in the default trust store called "Authorities".

Actual results:

For the mentioned certificate the Certificate Authority Key Identifier is shown as

Not Critical
Size: 9 Bytes / 72 Bits
00 a3 da 42 7e a4 b1 ae da

where the authorityCertSerialNumber is shown (with a leading '00' erroneously shown, see bug 1520923) while the keyIdentifier and the authorityCertIssuer are not shown.

Expected results:

For the mentioned certificate the Certificate Authority Key Identifier should be shown as

Not Critical
Size: 20 Bytes / 160 Bits
f9 24 ac 0f b2 b5 f8 79 c0 fa 60 88 1b c4 d9 4d
02 9e 17 19
authorityCertIssuer: /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
authorityCertSerialNumber: A3:DA:42:7E:A4:B1:AE:DA

Component: Security → Libraries
OS: Unspecified → All
Priority: -- → P1
Product: Thunderbird → NSS
Hardware: Unspecified → All
Summary: Certificate Authority Key Identifier of X.509 certificates not always properly displayed → Unusual Certificate Authority Key Identifiers of X.509 certificates not properly displayed
Version: unspecified → trunk
See Also: → 1520923
Severity: normal → S3
Severity: S3 → S4
Priority: P1 → P3
Severity: S4 → --
Component: Libraries → Security: PSM
Priority: P3 → --
Product: NSS → Core
Version: trunk → unspecified

This looks fine in the new certificate viewer.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

OpenSSL correctly shows the Authority Key ID as follows:

        X509v3 Authority Key Identifier: 
            keyid:F9:24:AC:0F:B2:B5:F8:79:C0:FA:60:88:1B:C4:D9:4D:02:9E:17:19
            DirName:/C=EU/L=Madrid (see current address at www.camerfirma.com\/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
            serial:A3:DA:42:7E:A4:B1:AE:DA

while Mozilla just shows:

Key ID: F9:24:AC:0F:B2:B5:F8:79:C0:FA:60:88:1B:C4:D9:4D:02:9E:17:19

This is a reminder that Bugzilla is our professional working environment as much as it is our issue tracker, and that personal attacks directed at our colleagues, as well as resetting issue resolution flags because you disagree with a decision, are not acceptable uses of Bugzilla.

Please take a moment to review our community participation and Bugzilla etiquette guidelines if you intend to continue contributing to this or other issues.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → WORKSFORME

Would you be so kind and provide a screenshot of the certificate viewer output for the above example cert,
to justify your WORKSFORME move.

Flags: needinfo?(mhoye)

If you open the Certificate Manager in a current Firefox and double click (or select "view" for) the certificate in question, you will see detailed information about the certificate and its issuer, including the information you've described above and links to the issuer's policies.

It is true that the URL provided for the issuer's address - www.camerfirma.com/address - is a 404 at the moment, though that is a server-side issue that doesn't impact the integrity of the certificate. I've brought that to the attention of our team to pass on to the authority in question.

Flags: needinfo?(mhoye)

As I mentioned yesterday, the issue is still not solved, despite wrong claims made by two Mozilla people.
See screenshot attached, taken with the latest Firefox available for download: 112.0.2.

Therefore, reopening the bug report for the 2nd time.

As mentioned, the issue is still not solved, despite wrong claims made by two Mozilla people.
See screenshot attached, taken with the latest Firefox available for download: 112.0.2.
There

Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

Since you censored my first message of yesterday, here is again the technical essence.

For the example cert that I mentioned,
Serial Number: A82743287
Organization: AC Camerfirma S.A.
Common Name: Chambers of Commerce Root - 2008

in the Miscellaneous section, it still says:
Serial Number: 00:A3:DA:42:7E:A4:B1:AE:DA
rather than A3:DA:42:7E:A4:B1:AE:DA

Moreover, as I wrote in my subsequent message,
the X509v3 Authority Key Identifier output contains just

        keyid:F9:24:AC:0F:B2:B5:F8:79:C0:FA:60:88:1B:C4:D9:4D:02:9E:17:19

while not showing the further fields

        DirName:/C=EU/L=Madrid (see current address at www.camerfirma.com\/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
        serial:A3:DA:42:7E:A4:B1:AE:DA

Severity: -- → N/A
Type: defect → enhancement
Component: Security: PSM → Security
Priority: -- → P5
Product: Core → Firefox
Summary: Unusual Certificate Authority Key Identifiers of X.509 certificates not properly displayed → certificate viewer: display more of authority key identifier and subject key identifier extensions
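
For reference, an added illustration that is not part of the bug thread or of Mozilla's or OpenSSL's code: a minimal DER walk over an AuthorityKeyIdentifier value (RFC 5280, section 4.2.1.1) that returns all three optional fields discussed above. The keyid and serial are the values quoted in the report; the issuer name is a constructed one reduced to its CN, and all function names are hypothetical. It also shows that the content octets of authorityCertSerialNumber are nine bytes starting with 00, because a DER INTEGER is signed and the first value byte A3 has its high bit set.

```python
KEYID = bytes.fromhex("f924ac0fb2b5f879c0fa60881bc4d94d029e1719")  # keyid quoted on the page
SERIAL = 0xA3DA427EA4B1AEDA                                        # serial quoted on the page
OIDS = {"550403": "CN"}  # 2.5.4.3; the only attribute type the constructed sample uses

def tlv(tag, body):  # DER TLV encoder, short-form length only (sample stays under 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):  # -> (tag, content, next_pos), short or long-form length
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + n], pos + n

def children(buf):  # iterate the TLVs inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def name_to_str(name_der):  # Name -> "/type=value/..." (OpenSSL-like one-line form)
    parts = []
    for _, rdn in children(read_tlv(name_der)[1]):   # each RDN is a SET
        for _, atv in children(rdn):                 # SEQUENCE { type OID, value }
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OIDS.get(oid.hex(), oid.hex())}={value.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def parse_aki(der):
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    out = {"keyIdentifier": None, "authorityCertIssuer": [], "authorityCertSerialNumber": None}
    for tag, val in children(body):
        if tag == 0x80:    # [0] IMPLICIT OCTET STRING
            out["keyIdentifier"] = val.hex(":")
        elif tag == 0xA1:  # [1] IMPLICIT GeneralNames; keep directoryName [4] entries
            out["authorityCertIssuer"] = [name_to_str(g) for t, g in children(val) if t == 0xA4]
        elif tag == 0x82:  # [2] IMPLICIT INTEGER: (content octets, signed integer value)
            out["authorityCertSerialNumber"] = (val.hex(":"), int.from_bytes(val, "big", signed=True))
    return out

def sample_aki():  # constructed: page's keyid and serial, issuer reduced to its CN
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Chambers of Commerce Root - 2008"))
    serial = tlv(0x82, SERIAL.to_bytes(SERIAL.bit_length() // 8 + 1, "big"))  # high bit set: 00 pad
    return tlv(0x30, tlv(0x80, KEYID) + tlv(0xA1, tlv(0xA4, tlv(0x30, tlv(0x31, atv)))) + serial)
```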