Closed Bug 1526007 Opened 6 years ago Closed 6 years ago

NSSCertDBTrustDomain::FindIssuer returns early if no candidates are found in NSS sources (thus skipping any 3rd party certs)

Categories

(Core :: Security: PSM, defect, P1)

67 Branch
defect

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: mozilla, Assigned: keeler)

References

Details

(Keywords: regression, Whiteboard: [psm-assigned])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Go to about:profiles, create a new profile and launch a browser.
Set security.enterprise_roots.enabled=true.
Go to https://<intranet-site-fqdn>/.
The site has a certificate signed by a corporate CA, which is a trusted root CA in Windows.

Actual results:

A warning page with a yellow border.
Error code: SEC_ERROR_UNKNOWN_ISSUER

In my default Nightly profile, sometimes reloading the page works - the certificate appears to be valid. I can't get this to happen in a fresh profile.

Expected results:

The page should load.

mozregression output:

2019-02-07T18:19:28: INFO : Narrowed inbound regression window from [7213808d, b828ed31] (3 builds) to [b7597732, b828ed31] (2 builds) (~1 steps left)
2019-02-07T18:19:28: DEBUG : Starting merge handling...
2019-02-07T18:19:28: DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=b828ed311a01c2977f3c78251cb231bc0f7cfbd1&full=1
2019-02-07T18:19:30: DEBUG : Found commit message:
bug 1514118 - have CertVerifier use any third-party roots rather than going through NSS r=jcj

Before this patch, if the enterprise roots feature were enabled, nsNSSComponent
would gather any such roots and temporarily import them into NSS so that
CertVerifier could use them during path building and trust querying. This turned
out to be problematic in part because doing so would require unlocking the
user's key DB if they had a password. This patch implements a scheme whereby
nsNSSComponent can give these extra roots directly to CertVerifier, thus
bypassing NSS and any need to unlock/modify any DBs. This should also provide a
path forward for other improvements such as not repeatedly searching through all
certificates on all tokens, which has inefficiencies (see e.g. bug 1478148).

Differential Revision: https://phabricator.services.mozilla.com/D18156

2019-02-07T18:19:30: DEBUG : Did not find a branch, checking all integration branches
2019-02-07T18:19:30: INFO : The bisection is done.
2019-02-07T18:19:30: INFO : Stopped

If I import the root CA to the Firefox profile, the page loads.

Blocks: 1514118
Component: Untriaged → Security: PSM
Keywords: regression
Product: Firefox → Core

Can you send me the output of opening the browser console (ctrl + shift + j) and typing 'Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent).getEnterpriseRoots();'? (that might include your corporate root CA, so if you don't want that publicly disclosed, don't post the output here)

Flags: needinfo?(a.mozilla)

Oh, actually, never mind; I think I figured out the bug. (Thanks for filing this, by the way!)

Assignee: nobody → dkeeler
Flags: needinfo?(a.mozilla)
Priority: -- → P1
Summary: Firefox does not import 3rd party root certs from Windows trust store when security.enterprise_roots.enabled=true → NSSCertDBTrustDomain::FindIssuer returns early if no candidates are found in NSS sources (thus skipping any 3rd party certs)
Whiteboard: [psm-assigned]

As of bug 1514118, NSS is not the only place NSSCertDBTrustDomain looks for
issuer certificates. However, the initial implementation did not take into
account that NSSCertDBTrustDomain::FindIssuer would return early if NSS did not
find candidate issuers, resulting in unknown issuer errors for third party
roots. This patch fixes that bug by not returning early.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
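The two-source issuer lookup described in the bug 1514118 commit message above, and the early return in NSSCertDBTrustDomain::FindIssuer described in this comment, modeled as an added C++ example. This is not Firefox or PSM code: the Cert, TrustSources and Result types, the findIssuer* and buildPath functions and every certificate name are constructed stand-ins for mozilla::pkix path building, with self-signed certificates in a source treated as trust anchors for brevity.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for a DER certificate: only the names path building needs.
// Every certificate in this example is constructed test data.
struct Cert {
    std::string subject;
    std::string issuer;
    bool selfSigned() const { return subject == issuer; }
};

// Subset of the verifier result codes this example needs (hypothetical names).
enum class Result { Success, ErrorUnknownIssuer };

// The two places the trust domain looks for issuers after bug 1514118: NSS
// (profile cert DB plus built-in roots) and third-party roots handed straight
// to the verifier (e.g. the Windows enterprise trust store).
struct TrustSources {
    std::vector<Cert> nssCerts;
    std::vector<Cert> thirdPartyRoots;
};

// Append every certificate in `pool` whose subject equals `issuerName`.
static void collectCandidates(const std::vector<Cert>& pool,
                              const std::string& issuerName,
                              std::vector<const Cert*>& out) {
    for (const Cert& c : pool) {
        if (c.subject == issuerName) out.push_back(&c);
    }
}

using FindIssuerFn = Result (*)(const TrustSources&, const std::string&,
                                std::vector<const Cert*>&);

// Regressed behaviour: an empty NSS result short-circuits the lookup, so the
// third-party roots are never consulted.
Result findIssuerReturnsEarly(const TrustSources& src,
                              const std::string& issuerName,
                              std::vector<const Cert*>& candidates) {
    candidates.clear();
    collectCandidates(src.nssCerts, issuerName, candidates);
    if (candidates.empty()) {
        return Result::ErrorUnknownIssuer;  // bug: returns before the next source
    }
    collectCandidates(src.thirdPartyRoots, issuerName, candidates);
    return Result::Success;
}

// Fixed behaviour: query every source, then judge the combined result.
Result findIssuerFixed(const TrustSources& src,
                       const std::string& issuerName,
                       std::vector<const Cert*>& candidates) {
    candidates.clear();
    collectCandidates(src.nssCerts, issuerName, candidates);
    collectCandidates(src.thirdPartyRoots, issuerName, candidates);
    return candidates.empty() ? Result::ErrorUnknownIssuer : Result::Success;
}

// Minimal path builder: follow issuer links from the end-entity certificate
// until a self-signed certificate found in a trust source is reached. Real
// path building asks the trust domain about trust separately and explores
// every candidate; this model just follows the first non-root candidate.
Result buildPath(FindIssuerFn findIssuer, const TrustSources& src,
                 const Cert& endEntity) {
    const Cert* current = &endEntity;
    const std::size_t kMaxDepth = 8;  // guard against issuer cycles
    for (std::size_t depth = 0; depth < kMaxDepth; ++depth) {
        std::vector<const Cert*> candidates;
        Result rv = findIssuer(src, current->issuer, candidates);
        if (rv != Result::Success) return rv;
        for (const Cert* candidate : candidates) {
            if (candidate->selfSigned()) return Result::Success;
        }
        current = candidates.front();
    }
    return Result::ErrorUnknownIssuer;
}

// Scenario from the report: a built-in public root lives in NSS, the corporate
// root only in the enterprise (third-party) source. `importedIntoProfile`
// models the reporter's workaround of importing the corporate root into the
// Firefox profile, which puts a copy into the NSS source as well.
TrustSources makeSources(bool importedIntoProfile) {
    TrustSources src;
    src.nssCerts.push_back({"Example Public Root", "Example Public Root"});
    src.thirdPartyRoots.push_back({"Corp Root CA", "Corp Root CA"});
    if (importedIntoProfile) src.nssCerts.push_back({"Corp Root CA", "Corp Root CA"});
    return src;
}
Cert intranetLeaf() { return {"intranet.example.corp", "Corp Root CA"}; }
Cert publicLeaf() { return {"www.example.com", "Example Public Root"}; }
Cert unknownLeaf() { return {"whatever.example", "Nobody Root"}; }

int main() {
    const char* names[] = {"Success", "SEC_ERROR_UNKNOWN_ISSUER"};
    Result before = buildPath(findIssuerReturnsEarly, makeSources(false), intranetLeaf());
    Result after = buildPath(findIssuerFixed, makeSources(false), intranetLeaf());
    std::printf("intranet, regressed FindIssuer: %s\n", names[before == Result::Success ? 0 : 1]);
    std::printf("intranet, fixed FindIssuer:     %s\n", names[after == Result::Success ? 0 : 1]);
    return 0;
}
```

The public-root case passes under both versions because NSS itself yields the candidate, which is why the regression only surfaced for users who depended on enterprise roots; importing the corporate root into the profile masks the bug for the same reason.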
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7168320522bb don't return early from NSSCertDBTrustDomain::FindIssuer if NSS doesn't find any candidate issuers r=jcj
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
