Closed Bug 1642789 Opened 4 years ago Closed 4 years ago

Ensure PEM file is stripped of all data before import

Categories

(Firefox :: Enterprise Policies, defect, P5)

77 Branch
defect

Tracking


RESOLVED FIXED
Firefox 79
Tracking Status
firefox-esr78 --- fixed
firefox79 --- fixed

People

(Reporter: ericj, Assigned: mkaply)

References

(Depends on 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

Firefox 77.0 on openSUSE 15.1:

Update policies.json to automatically install/trust my CA certificate.
"Certificates": {
"Install": ["/path/to/my/certificates/myca.pem"]
}

Verified the certificate file is valid via: openssl x509 -in /path/to/my/certificates/myca.pem -text -noout

Actual results:

about:policies shows the following Policy Error:
Unable to add certificate - /path/to/my/certificates/myca.pem

Browser console shows:
Policies.jsm: Unable to add certificate - /path/to/my/certificates/myca.pem Policies.jsm:284

Expected results:

Firefox should add this CA certificate to its trust store and not show this error.

There is nothing in the documentation on what logging module will help debug this. I tried pipnss:4 but that did not log anything related.

Note that this is not related to updating to 77.0, I have not attempted this policy before this.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Enterprise Policies

Would you be willing to send me the pem file?

Does the pem file install properly inside of Firefox?

(In reply to Mike Kaply [:mkaply] from comment #3)
> Would you be willing to send me the pem file?
>
> Does the pem file install properly inside of Firefox?

I am unable to send you the pem file, however I can indeed manually install it inside Firefox successfully.

As a test, I also grabbed a Verisign CA certificate from /usr/share/pki/trust/ca-certificates-mozila.trust.p11-kit (this comes with openSUSE 15.1 as part of the OS install). I took the snippet and put it in a PEM file. The Enterprise Policy also failed with the same error.

I also tried converting the PEM to DER format and it also failed the same way.

As a side note, I previously installed my CA cert at Firefox compile time (by adding the block to security/nss/lib/ckfw/builtins/certdata.txt). That block was generated using the addbuiltin tool (part of the nss tools) but that seemed to break with Firefox 77.0 (compile fails). It is probable that I need to recreate that block with a newer version of nss (3.52.1 it looks like FFOX 77.0 uses). I am working on that now but having issues getting nss to compile.

Unfortunately I don't print out a good error in this case and there's no easy way to give you code that can do this.

dkeeler: Do you have a logging suggestion so we can see the error coming from constructX509 or constructX509FromBase64?

I'll update the policy to show the full errors in these cases.

Flags: needinfo?(dkeeler)

Unfortunately those functions don't log anything. We could add some or change the return values to depend on the NSS error that gets encountered.

Flags: needinfo?(dkeeler)

I still have not been able to get a PEM certificate installed via Enterprise Policies, and when I attempted to install a DER certificate, I converted it via:
openssl x509 -inform PEM -outform DER -text -in myca.pem -out myca.der

Using this DER certificate also failed to load.

However, I re-converted the DER certificate without the -text via:
openssl x509 -outform der -in myca.pem -out myca.der

And it was successfully installed via Enterprise Policies.

So the additional text header in that DER file caused it to fail. But it doesn't explain why PEM format does not work.

I wonder if the pemToBase64 is doing something weird?

Does it look like this JS would do the right thing on your PEM file?

// pemToBase64 as it stood in the policy code: it strips only the BEGIN/END
// markers and line breaks, so any other text in the file (for example comment
// lines before the BEGIN marker) stays in the string handed to the decoder.
function pemToBase64(pem) {
  return pem
    .replace(/-----BEGIN CERTIFICATE-----/, "")
    .replace(/-----END CERTIFICATE-----/, "")
    .replace(/[\r\n]/g, "");
}

(In reply to Mike Kaply [:mkaply] from comment #9)
> I wonder if the pemToBase64 is doing something weird?
>
> Does it look like this JS would do the right thing on your PEM file?
>
> function pemToBase64(pem) {
>   return pem
>     .replace(/-----BEGIN CERTIFICATE-----/, "")
>     .replace(/-----END CERTIFICATE-----/, "")
>     .replace(/[\r\n]/g, "");
> }

I am not proficient in JS. I do have node.js installed so I could run this via terminal (but how to get the pem file into the 'pem' variable?).

I'll put something together you can run in Firefox. Probably first thing Monday.

Would there happen to be nightlies for openSUSE or can you run one of our official builds?

I put a change in to at least give us a slightly better error.

Still working on a way for you to test.

(In reply to Mike Kaply [:mkaply] from comment #12)
> Would there happen to be nightlies for openSUSE or can you run one of our official builds?
>
> I put a change in to at least give us a slightly better error.
>
> Still working on a way for you to test.

I downloaded the nightly binary tar and configured the enterprise policy. The error is more verbose now (although I am unable to determine the problem from it still). Attached is the exception from the browser console.

Attached file cert_error.txt

certificate install error from browser console.

I found the issue. In the PEM file, there were 3 lines of comments before the -----BEGIN CERTIFICATE-----
The comment lines started with #. Even though tools like openssl will only look at the data between:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
it looks like Firefox does not support that. Now that I removed the comments in the file, the PEM file loads successfully.
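The two failure modes worked out in this thread (a DER file with openssl's -text dump prepended to it, and a PEM file with `#` comment lines before the BEGIN marker) can be handled by extracting only what lies between the BEGIN/END markers and then checking that the decoded bytes are a single DER SEQUENCE. The following is an added example written for this page; it is not Firefox code and not the patch that landed. The function names, the constructed sample PEM (whose body is a placeholder DER SEQUENCE, not a real certificate) and the constructed text-prefixed DER buffer are assumptions made for illustration.

```javascript
// Added example, not Firefox's Policies.jsm: tolerant PEM extraction plus a
// DER sanity check. Runs under Node (atob or Buffer) or in a browser console.

// One PEM block. Everything before "-----BEGIN" (comment lines, text dumps)
// and after the matching "-----END" is ignored, as openssl does.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// The pre-fix logic from comment 9, kept here for comparison: it only removes
// the markers and line breaks, so "# comment" lines end up in the base64 string.
function naivePemToBase64(pem) {
  return pem
    .replace(/-----BEGIN CERTIFICATE-----/, "")
    .replace(/-----END CERTIFICATE-----/, "")
    .replace(/[\r\n]/g, "");
}

// Returns the base64 body of every CERTIFICATE block in `pem`, whitespace
// stripped, or an empty array when no well-formed block is present. Other
// block types (e.g. PRIVATE KEY) are skipped on purpose.
function pemToBase64All(pem) {
  const out = [];
  for (const m of pem.matchAll(PEM_BLOCK)) {
    if (m[1] !== "CERTIFICATE") continue;
    const body = m[2].replace(/\s/g, "");
    if (body.length > 0 && body.length % 4 === 0 &&
        /^[A-Za-z0-9+/]+=*$/.test(body)) {
      out.push(body);
    }
  }
  return out;
}

// Decode base64 to bytes with whatever the runtime offers.
function base64ToBytes(b64) {
  const bin = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, c => c.charCodeAt(0));
}

// A DER X.509 certificate is a SEQUENCE (tag 0x30) whose declared length is
// exactly the rest of the buffer. A file that starts with openssl's
// "Certificate:" text dump fails on the very first byte.
function looksLikeDerCertificate(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0x30) return false;
  let len = bytes[1];
  let offset = 2;
  if (len & 0x80) {
    const n = len & 0x7f;                       // number of length octets
    if (n === 0 || n > 4 || bytes.length < 2 + n) return false;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[2 + i];
    offset = 2 + n;
  }
  return offset + len === bytes.length;
}

// Constructed sample input: two comment lines before the marker, CRLF line
// endings, and a placeholder body (DER SEQUENCE { INTEGER 5 }), not a real CA.
const SAMPLE_PEM =
  "# My CA, exported for policies.json\n" +
  "# do not edit\n" +
  "-----BEGIN CERTIFICATE-----\r\n" +
  "MAMCAQU=\r\n" +
  "-----END CERTIFICATE-----\r\n";

// Constructed stand-in for `openssl x509 -outform DER -text` output: a text
// dump followed by the DER bytes, which is not itself valid DER.
const TEXT_PREFIXED_DER = Uint8Array.from(
  [..."Certificate:\n    Data:\n"].map(c => c.charCodeAt(0))
    .concat([0x30, 0x03, 0x02, 0x01, 0x05])
);

// Convenience wrapper: does the PEM text contain at least one plausible cert?
function pemHasUsableCertificate(pem) {
  return pemToBase64All(pem).some(b64 => looksLikeDerCertificate(base64ToBytes(b64)));
}
```

With the sample above, `naivePemToBase64` returns a string that still contains the two `#` lines and is therefore not valid base64, which is the failure the reporter saw; `pemToBase64All` returns just the body, and `looksLikeDerCertificate` rejects the text-prefixed buffer on its first byte, matching the failure of the `-text` DER file.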

Interesting. We can fix that.

Thanks for finding this!

Assignee: nobody → mozilla
Severity: -- → S4
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P5
Summary: Enterprise Policies - unable to add certificate via Certificates Install → Ensure PEM file is stripped of all data before import

(In reply to Mike Kaply [:mkaply] from comment #16)
> Interesting. We can fix that.
>
> Thanks for finding this!

Thank you for all your help!

Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/7b9f4185ccd2
Remove all excess data from PEM files. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 79
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/2fd504523a1b
Port bug 1642789 - Remove all excess data from PEM files. r=darktrojan DONTBUILD

Comment on attachment 9155746 [details]
Bug 1642789 - Remove all excess data from PEM files. r?keeler

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only
  • User impact if declined: Some certificates don't load from policy
  • Fix Landed on Version: 79
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Policy only.
  • String or UUID changes made by this patch:
Attachment #9155746 - Flags: approval-mozilla-esr78?

Comment on attachment 9155746 [details]
Bug 1642789 - Remove all excess data from PEM files. r?keeler

Approved for 78.1esr.

Attachment #9155746 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+