Closed Bug 1774579 Opened 2 years ago Closed 2 years ago

Import Certificate Authority: TypeError: caTreeView.loadCerts is not a function

Categories

(Firefox :: Security, defect, P1)

Firefox 101

Tracking

RESOLVED FIXED
104 Branch
Tracking Status
firefox104 --- fixed

People

(Reporter: manikulin, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

I was going to test updates of a self-hosted add-on for Thunderbird on a local machine. Error reporting in such a scenario sometimes cannot provide insight into the actual problem. I have seen the issue in Thunderbird-91 and 103, Firefox-101.

  • Use some CA certificate unknown to Firefox or generate a self-signed certificate authority for test purposes
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -outform pem \
        -days 3650 -subj "/C=EU/CN=Max Test" \
        -out cacert.pem -keyout cakey.pem
    
  • Try to import it
  • Open Certificates part of Settings (Privacy & Security section) about:preferences#privacy
  • Click on "View Certificates", switch to "Authorities", click "Import"
  • Select the CA certificate (cacert.pem) file, check that it should be trusted for web sites.
  • Try to find the new authority ("Max Test") in the list

Actual results:

No new CA

While debugging the add-on I had the console open, so I noticed

 Uncaught TypeError: caTreeView.loadCerts is not a function
    addCACerts chrome://pippki/content/certManager.js:793
certManager.js:793:18
    addCACerts chrome://pippki/content/certManager.js:793

Since I did not find the new authority, I started to search for a way to bypass the error. It was Thunderbird, so it was impossible to add an exception by visiting a page served from the local web server.

Trying the same scenario in Firefox, I realized that the CA is actually added even though it is not shown. A test web site may be loaded with no warnings concerning a non-trusted TLS certificate. I can provide commands for setting up a test HTTPS server with a certificate signed by a custom CA, but it is not strictly necessary for a purely UI issue.

Expected results:

The new CA should appear in the list to avoid confusing developers. There are enough ways to create an invalid certificate that will be refused by the add-on updater, so at least the import should work smoothly.

The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security
Status: UNCONFIRMED → NEW
Ever confirmed: true

Out of curiosity, is the certificate you imported listed in the Your Certificates tab?

Flags: needinfo?(manikulin)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)

> Out of curiosity, is the certificate you imported listed in the Your Certificates tab?

  • Immediately after addition it is not listed in any tab, and that is the subject of this bug.
  • If I close and open the certificate management dialog again, then my certificate is listed in "Authorities" only; it is not added to "Your Certificates".

To be clear, while adding the certificate I checked "Trust this CA to identify websites." but not "Trust this CA to identify email users.".

Is your interest caused by the absence of -addext options in the command to generate the certificate, to impose some restrictions through keyUsage or extendedKeyUsage? At first I tried them, but I specified some wrong value and got an obscure SEC_ERROR_EXTENSION_VALUE_INVALID error on an attempt to visit a page protected by such a certificate chain. There were no hints as to which particular certificate (host or authority) and which extension is invalid, so I decided that key usage is unimportant for this issue and it is better to omit such details.

Flags: needinfo?(manikulin)
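
The reply above mentions an extension error that did not say which certificate was at fault. As an added example (not part of the bug report and not Mozilla's code), the script below builds a test CA and a server certificate with explicit basicConstraints/keyUsage/extendedKeyUsage and checks each one with openssl before cacert.pem is imported, reporting which file fails. It uses a private config file in place of -addext; cacert.pem, cakey.pem and the CA subject follow the report, while "localhost", pki.cnf and the leaf file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). cacert.pem/cakey.pem and the CA
# subject follow the report; "localhost", pki.cnf and leaf*.pem are assumptions.

# make_test_pki DIR: create a test CA and a server certificate signed by it.
make_test_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    # Private config, so nothing is inherited from the system openssl.cnf.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -config pki.cnf -extensions ca -subj "/C=EU/CN=Max Test" \
        -out cacert.pem -keyout cakey.pem || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=localhost" -out leaf.csr -keyout leafkey.pem || exit 1
    openssl x509 -req -in leaf.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 30 -extfile pki.cnf -extensions leaf \
        -out leaf.pem || exit 1
)

# check_test_pki DIR: say which certificate, if any, fails its role check.
check_test_pki() (
    cd "$1" || exit 1
    # The CA must assert CA:TRUE and be allowed to sign certificates.
    ca_text=$(openssl x509 -in cacert.pem -noout -text) || exit 1
    echo "$ca_text" | grep -q "CA:TRUE" \
        || { echo "cacert.pem: basicConstraints is not CA:TRUE" >&2; exit 1; }
    echo "$ca_text" | grep -q "Certificate Sign" \
        || { echo "cacert.pem: keyUsage lacks keyCertSign" >&2; exit 1; }
    # The leaf must chain to the CA and be usable as a TLS server certificate.
    openssl verify -CAfile cacert.pem -purpose sslserver leaf.pem >/dev/null \
        || { echo "leaf.pem: not valid as sslserver under cacert.pem" >&2; exit 1; }
)

# Run both steps when a target directory is given on the command line.
if [ -n "${1:-}" ]; then
    make_test_pki "$1" && check_test_pki "$1"
fi
```

A pass here only means OpenSSL accepts the chain; Firefox performs its own validation on import and on connection.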

In bug 1682412, loadCerts was removed from nsICertTree. At the time, the
certificate manager still had one use of it that should have been updated to
loadCertsFromCache. This patch makes that update.

Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P1
Whiteboard: [psm-assigned]
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81659464d92a
certificate manager: update leftover loadCerts call from bug 1682412 r=rmf
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch