Open Bug 1735832 Opened 3 years ago Updated 17 days ago

Certificate Manager: Allow viewing the validity of an end entity certificate


(Core :: Security: PSM, enhancement, P5)





(Reporter: KaiE, Assigned: KaiE)



(Whiteboard: [psm-assigned])


(4 files)

With the old certificate viewer (pre bug 1553524), the certificate was validated for various purposes, and the results were displayed.

With the new one, there is apparently no way to view if PSM/Firefox/Thunderbird consider a certificate valid.

I suggest adding a new button in certificate manager, either "Validate" or "Verify".

When clicked, we could either try all relevant usages, or ask the user to select a particular certificate usage.

Would this be an acceptable enhancement for PSM?

(My current motivation is to have this functionality in Thunderbird, at least for installed S/MIME certificates. If this isn't acceptable for PSM in general, I'd have to find a way to add this in a Thunderbird specific way.)

Attached is an initial step. It works when viewing a cert from cert manager.
In this scenario, cert manager already performs a validation of various usages to obtain the chain.
The patch takes the usage verification results (which are currently ignored by about:certificate), and passes them on, and adds code to display the information.

There are a few things missing.

The patch restricts the validation result display to end entity certificates. The reason is, if we are trying to view a CA cert that is marked untrusted as SSL/TLS CA, but only marked trusted as an email CA, then we'd display a misleading status. We'd say the issuer is unknown/untrusted. The reason is that we currently don't have code in mozpkix to verify for the Email CA usage.

Also, there are other callers that open about:certificate, which don't yet perform the validation. We'd have to add that.

Attached image cv1.png
Attached image cv2.png
Attached image cv3.png

The attached sample images show extra content that is shown at the bottom of about:certificate with this patch.

Dana, before going into code details, would you generally be ok with a change like this?

The current patch is limited to providing additional information when opening the certificate from certificate manager. (This could be sufficient as an initial step for Thunderbird.) When opened from other entry points, the section with additional information will not be shown.

Would you generally be ok with a partial implementation like this, or would you ask that we show it regardless of entry point (and perform the required additional verification from those places)?

Flags: needinfo?(dkeeler)
Summary: Certificate Manager: Add way to view validity of a certificate → Certificate Manager: Allow viewing the validity of an end entity certificate

This seems reasonable. Please add and/or modify existing tests to cover the new functionality.

Flags: needinfo?(dkeeler)
Severity: -- → N/A
Whiteboard: [psm-assigned]

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.

Assignee: nobody → kaie
See Also: → 1853475
Priority: -- → P5