Certificate Manager: Allow viewing the validity of an end entity certificate
Categories: Core :: Security: PSM, defect, P5
People: Reporter: KaiE, Assigned: KaiE
References: Blocks 1 open bug, Regression
Details: Keywords: regression, Whiteboard: [psm-assigned]
Attachments: 4 files
With the old certificate viewer (pre bug 1553524), the certificate was validated for various purposes, and the results were displayed.
With the new one, there is apparently no way to view if PSM/Firefox/Thunderbird consider a certificate valid.
I suggest adding a new button in certificate manager, either "Validate" or "Verify".
When clicked, we could either try all relevant usages, or ask the user to select a particular certificate usage.
Would this be an acceptable enhancement for PSM?
(My current motivation is to have this functionality in Thunderbird, at least for installed S/MIME certificates. If this isn't acceptable for PSM in general, I'd have to find a way to add this in a Thunderbird specific way.)
Comment 2•3 years ago (Assignee)
Attached is an initial step. It works when viewing a cert from cert manager.
In this scenario, cert manager already performs a validation of various usages to obtain the chain.
The patch takes the usage verification results (which are currently ignored by about:certificate), and passes them on, and adds code to display the information.
There are a few things missing.
The patch restricts the validation result display to end entity certificates. The reason is, if we are trying to view a CA cert that is marked untrusted as SSL/TLS CA, but only marked trusted as an email CA, then we'd display a misleading status. We'd say the issuer is unknown/untrusted. The reason is that we currently don't have code in mozpkix to verify for the Email CA usage.
Also, there are other callers that open about:certificate, which don't yet perform the validation. We'd have to add that.
Comment 6•3 years ago (Assignee)
The attached sample images show extra content that is shown at the bottom of about:certificate with this patch.
Comment 7•3 years ago (Assignee)
Dana, before going into code details, would you generally be ok with a change like this?
The current patch is limited to providing additional information when opening the certificate from certificate manager. (This could be sufficient as an initial step for Thunderbird.) When opened from other entry points, the section with additional information will not be shown.
Would you generally be ok with a partial implementation like this, or would you ask that we show it regardless of entry point (and perform the required additional verification from those places)?
Comment 8•3 years ago
This seems reasonable. Please add and/or modify existing tests to cover the new functionality.
Comment 10•2 years ago
Sorry, there was a problem with the detection of inactive users. I'm reverting the change.
Comment 11•7 months ago (Assignee)
Here are experimental binaries with this feature, based on Thunderbird 128 beta.
Windows 64bit:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/HPwRX7XlQHmln0J9sQhCmA/runs/0/artifacts/public/build/target.zip
Comment 12•6 months ago (Assignee)
(In reply to Dana Keeler (she/her) (use needinfo) [:keeler] from comment #8)
> This seems reasonable. Please add and/or modify existing tests to cover the new functionality.
FYI, I'm currently actively working on completing this, and I'm also including a fix for related bug 1719054.
For the tests, I need some code from pippki.js - therefore I suggest that we move it to a pippki.sys.mjs.
For the related bug 1716998 I also need code from pippki.js - if we move it to .sys.mjs then I don't have to duplicate code in Thunderbird.
Comment 13•4 months ago (Assignee)
Dana, I haven't yet asked for re-review in phabricator, because I've discovered that the new validation introduces failing tests, apparently caused by timing changes and introduces races.
I'd like to ask which approach you like better:
(a) Try to fix all the races (which might be tricky and I'm not sure how much time it might cost me).
(b) Change the implementation strategy in the following way:
Instead of immediately trying to validate the usages when opening the certificate viewer, show only a button that offers to validate the certificate.
This would avoid the timing changes, and would also ensure that the viewer tab opens up immediately.
Only when the user presses a button, we validate for the various usages and dynamically update the certificate viewer, adding the new information at the bottom (and removing the button).
Comment 14•4 months ago
Well, either way, we would still want tests for this new functionality, so I imagine any races in the implementation would have to be fixed, right?
In any case, I like the option of having a button that performs the validations.