Cloudflare SSL certificate's Organization shows escaped comma (also entrust and godaddy certs)
Categories
(Firefox for Android :: Toolbar, defect, P2)
People
(Reporter: boek, Unassigned)
From github: https://github.com/mozilla-mobile/fenix/issues/26438.
Steps to reproduce
- Open https://cloudflare.com
- Click the Lock icon
- Click the "Connection is secure" item to view the certificate's details
Expected behaviour
"Verified by" should show
Cloudflare, Inc.
Actual behaviour
"Verified by" shows
Cloudflare\, Inc.
Device name
No response
Android version
12
Firefox release type
Firefox Nightly
Firefox version
105.0a1 (2022-08-11)
Device logs
No response
Additional information
I'm not entirely sure if this dialog is created via Fenix, or if this is an a-c issue upstream. I'll just file it here for now.
Comment 2•1 year ago
From the duplicate bug, the same problem exists with Entrust and GoDaddy certs. Presumably any cert with a comma, if we can figure out where someone is trying to sanitize this as if it's CSV data. The GoDaddy cert is particularly troubling since parts of the location bleed into the Organization string.
- Visit https://www.entrust.com and https://www.godaddy.com
- check the connection security details as above
Expected results
Verified By: Entrust, Inc.
Verified By: GoDaddy.com, Inc.
Actual results
Verified By: Entrust\, Inc.
Verified By: GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona
It's disappointing that there appears to be no way to get actual certificate details in Fenix, unlike Firefox for desktop and the mobile Chrome and Edge browsers. The Organization string of the intermediate is unreliable if you can't check that it came from the expected root.
Comment 3•1 year ago
I took a guess and moved this to Toolbar. NSS would never give a string escaped like this to GeckoView. It looked like the front-end code might be using Java x509 classes to do its own parsing of certificates.
Comment 4•1 year ago
Some reference:
- How Fenix gets the issuer name:
https://searchfox.org/mozilla-central/rev/893f350260faac2ee6bf2b14c627d55eb2babfb0/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt#1691
Using string subtraction with the default format will cause 1) a backslash and 2) unneeded info that cannot be clearly filtered out, like L= , St=......
The first question could be solved by using an alternative format: certificate?.issuerX500Principal?.getName(X500Principal.RFC1779). (Note: getIssuerDN is deprecated, use getIssuerX500Principal instead.)
But this is not an elegant way and it couldn't solve the second problem.
The proper way is to use sun.security.x509.X500Name, however this API is not exposed in Android. Or GeckoView passes issuerOrganization of nsIX509Cert.idl from JS to Java, then exposes it via an API to Fenix.
Ref bugs
https://github.com/mozilla-mobile/android-components/issues/5557
https://bugzilla.mozilla.org/show_bug.cgi?id=1795970
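An added example, not part of the comment above and not Fenix or android-components code: one way to extract the Organization from the RFC 2253 string that `X500Principal.getName()` returns by default, splitting only on unescaped separators and then undoing the backslash escapes. The helper names and the sample DNs are constructed for illustration; the CN and C values are placeholders, and `#`-prefixed hex-encoded values are not handled.

```kotlin
import java.io.ByteArrayOutputStream

// Split on `sep`, skipping separators that are backslash-escaped.
fun splitUnescaped(s: String, sep: Char): List<String> {
    val parts = mutableListOf<String>()
    val cur = StringBuilder()
    var i = 0
    while (i < s.length) {
        if (s[i] == '\\' && i + 1 < s.length) {
            cur.append(s, i, i + 2); i += 2          // keep the escape pair intact
        } else if (s[i] == sep) {
            parts.add(cur.toString()); cur.setLength(0); i++
        } else cur.append(s[i++])
    }
    parts.add(cur.toString())
    return parts
}

fun isHex(c: Char) = c in '0'..'9' || c in 'a'..'f' || c in 'A'..'F'

// Undo RFC 2253 escaping: "\," becomes "," and "\C3\A9" becomes the UTF-8 bytes C3 A9.
fun unescapeValue(v: String): String {
    val out = ByteArrayOutputStream()
    var i = 0
    while (i < v.length) {
        if (v[i] == '\\' && i + 2 < v.length && isHex(v[i + 1]) && isHex(v[i + 2])) {
            out.write(v.substring(i + 1, i + 3).toInt(16)); i += 3; continue
        }
        if (v[i] == '\\' && i + 1 < v.length) i++    // drop the backslash, keep the next char
        val cp = v.codePointAt(i)
        out.write(String(Character.toChars(cp)).toByteArray(Charsets.UTF_8))
        i += Character.charCount(cp)
    }
    return out.toString("UTF-8")
}

// Return the O attribute of an RFC 2253 DN string, or null if there is none.
fun organization(dn: String): String? =
    splitUnescaped(dn, ',').flatMap { splitUnescaped(it, '+') }  // '+' joins multi-valued RDNs
        .firstOrNull { it.trimStart().startsWith("O=", ignoreCase = true) }
        ?.let { unescapeValue(it.trimStart().substring(2)) }

fun main() {
    // Constructed issuer DNs built around the organization strings quoted in this bug.
    val samples = listOf(
        "CN=Example Issuing CA,O=Cloudflare\\, Inc.,C=US",
        "CN=Example Issuing CA,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US")
    for (dn in samples) println("Verified by: ${organization(dn)}")
}
```

For the two constructed DNs this prints `Cloudflare, Inc.` and `GoDaddy.com, Inc.`, with neither the backslash nor the trailing `L=`/`ST=` attributes.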
Comment 5•1 year ago
I found that this info once existed and was removed from GeckoView in https://phabricator.services.mozilla.com/D58154 due to the introduction of the full server certificate,
Comment 6•1 year ago
This appears on Android version 121.0.1.
It appears fixed on the Linux desktop 121.