Import Certificate Authority: TypeError: caTreeView.loadCerts is not a function
Categories: Firefox :: Security, defect, P1

| | Tracking | Status |
|---|---|---|
| firefox104 | --- | fixed |

People: Reporter: manikulin, Assigned: keeler
Details: Whiteboard: [psm-assigned]
Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Steps to reproduce:
I was going to test updates of a self-hosted add-on for Thunderbird on a local machine. Error reporting in such a scenario sometimes cannot provide insight into the actual problem. I have seen the issue in Thunderbird-91 and 103, Firefox-101
- Use some CA certificate unknown to Firefox or generate a self-signed certificate authority for test purposes

      openssl req -x509 -newkey rsa:4096 -sha256 -nodes -outform pem \
          -days 3650 -subj "/C=EU/CN=Max Test" \
          -out cacert.pem -keyout cakey.pem

- Try to import it
- Open Certificates part of Settings (Privacy & Security section): about:preferences#privacy
- Click on "View Certificates", switch to "Authorities", click "Import"
- Select the CA certificate (cacert.pem) file, check that it should be trusted for web sites.
- Try to find the new authority ("Max Test") in the list
Actual results:
No new CA
While debugging the add-on I had the console open, so I noticed
Uncaught TypeError: caTreeView.loadCerts is not a function
addCACerts chrome://pippki/content/certManager.js:793
certManager.js:793:18
addCACerts chrome://pippki/content/certManager.js:793
Since I did not find the new authority I started to search for a way to bypass the error. It was Thunderbird, so it was impossible to add an exception by visiting a page served from the local web server.
Trying the same scenario in Firefox, I realized that the CA is actually added although it is not shown. A test web site may be loaded with no warnings concerning a non-trusted TLS certificate. I can provide commands to set up a test HTTPS server with a certificate signed by a custom CA, but it is not strictly necessary for a purely UI issue.
Expected results:
New CA should appear in the list to avoid confusion of developers. There are enough ways to create an invalid certificate that will be refused by add-on updater, so at least import should work smoothly.
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•2 years ago
Comment 2•2 years ago (Assignee)
Out of curiosity, is the certificate you imported listed in the Your Certificates tab?

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)
> Out of curiosity, is the certificate you imported listed in the Your Certificates tab?
- Immediately after addition it is not listed in any tab and it is the subject of this bug.
- If I close and open the certificate management dialog again then my certificate is listed in "Authorities" only, it is not added to "Your Certificates".

To be clear, while adding the certificate I checked "Trust this CA to identify websites." but not "Trust this CA to identify email users.".

Is your interest caused by the absence of -addext options in the command to generate the certificate to impose some restrictions through keyUsage or extendedKeyUsage? At first I tried them but I specified some wrong value and got an obscure SEC_ERROR_EXTENSION_VALUE_INVALID error on an attempt to visit a page protected by such a certificate chain. There were no hints which particular certificate (host or authority) and which extension is invalid, so I decided that key usage is unimportant for this issue and it is better to omit such details.
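
Added example, not part of the bug thread or Mozilla's code: the test CA from the steps to reproduce, generated with basicConstraints and keyUsage set explicitly through a config file instead of -addext, plus a check that a PEM file really is a CA certificate before it is imported. The config section names, the ca.cnf file name and the 2048-bit key are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: test CA with explicit extensions, plus a pre-import check.
# Assumptions of this example (not from the report): config section names,
# the ca.cnf file name and the 2048-bit key (the report used rsa:4096).

make_test_ca() {   # usage: make_test_ca <output-dir>
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C  = EU
CN = Max Test
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -config "$1/ca.cnf" -outform pem \
    -out "$1/cacert.pem" -keyout "$1/cakey.pem" 2>/dev/null
}

# Returns 0 only if the certificate can act as a CA: basicConstraints has
# CA:TRUE and keyUsage, when present, includes certificate signing.
is_ca_cert() {     # usage: is_ca_cert <cert.pem>
  ca_text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$ca_text" | grep -q 'CA:TRUE' || return 1
  if printf '%s\n' "$ca_text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$ca_text" | grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# Subject and SHA-256 fingerprint, to match against the entry shown in the
# certificate manager after import.
cert_id() {        # usage: cert_id <cert.pem>
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# Typical use:
#   d=$(mktemp -d) && make_test_ca "$d" && is_ca_cert "$d/cacert.pem" \
#     && cert_id "$d/cacert.pem"
```
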
Comment 4•2 years ago (Assignee)
In bug 1682412, loadCerts was removed from nsICertTree. At the time, the
certificate manager still had one use of it that should have been updated to
loadCertsFromCache. This patch makes that update.
Updated•2 years ago
Updated•2 years ago (Assignee)
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/81659464d92a certificate manager: update leftover loadCerts call from bug 1682412 r=rmf
Comment 6•2 years ago
bugherder