182607 - lose certificate/private key PKCS#12 keystore entry while you upgrade from 1.2-beta to 1.2-final

Status: RESOLVED WONTFIX

(NSS :: Libraries, defect, P1)

Description

[Uwe Guenther]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126

lose certificate/private key PKCS#12 keystore entry while you upgrade from
1.2-beta to 1.2-final.

Reproducible: Sometimes

Steps to Reproduce:
1.Import a cert under Mozilla < 1.2-final
2.Upgrade to Mozilla 1.2
3.The First Certs is lost -- see Edit|Preferences|Prvacy & Security|Certificates

Actual Results:  
You can't read your encrypted mails if you have no backup of your private key
the got lost with the update. This means all your mails that are encrypted now
byte waste on your harddrive. This is a realy hard bug and should be post with
red blinking letters on http://www.mozilla.org/index.html !!!

Expected Results:  
Mozilla should take advance of may private keys.

Comment 1

[Matthias Versen [:Matti]]

not security (since this is nor security hole) -> PSM

Comment 2

[John Unruh]

>Client Library. 

Comment 3

[Kai Engert [:KaiE:]]

I think I have seen this once, but I'm unable to reproduce it.

Comment 4

[Wan-Teh Chang]

Attachment: Diffs in NSS libraries (mozilla/security/nss/lib) between mozilla 1.2beta and 1.2final

Mozilla 1.2beta is using some NSS 3.6 beta release.
Mozilla 1.2final is using some NSS 3.6.1 beta release.

This file contains the diffs between these two NSS
snapshots.  I omitted the changes to certdata.c (a
generated file) for brevity.

Mr. Guenther, could you copy the NSS libraries (libnss3.so,
libsoftokn3.so, libnssckbi.so, libsmime3.so, and libssl3.so)
in mozilla 1.2beta to your mozilla 1.2final installation and
see if that makes your certificate and private key reappear?

Comment 5

[John Unruh]

*** Bug 182737 has been marked as a duplicate of this bug. ***

Comment 6

[Wan-Teh Chang]

Confirmed the bug because more than one person reported it.

Comment 7

[John Unruh]

*** Bug 183939 has been marked as a duplicate of this bug. ***

Comment 8

[Julien Pierre]

Discussed this bug in today's NSS meeting.

The consensus is that the bug is probably a manifestation of a database
optimization put in to NSS 3.6 . As of this version, certificates need to have
the correct "user" bit in order to access the private key. This was unnecessary
in previous versions of NSS, which was tolerant of the this missing trust bit.

This is indeed a serious problem to encounter. Here is a workaround to try :
1) roll back to a previous version of Mozilla, using NSS 3.5 or lower
2) go to manage certificates and verify that the user certs are present
3) use the "backup all" function to save them to a PKCS#12 file
4) reinstall the latest mozilla (1.2x) using NSS 3.6
5) import the PKCS#12 file created at step 3

Please let us know if this fixes the problem or not.
Another possible fix if you are adventurous is to use a daily build of Mozilla
1.3 (tip). This version will convert cert7 db to cert8 format. In the process,
it should recover your private keys. However, once on the cert8 format, you
cannot go back to cert7, and cert8 is still experimental, therefore I suggest
you try the other workaround above first.

I'm raising the priority level of this bug to P1 due to the severity. I agree
that there should be something in the mozilla release notes. My suggestion is to
have some sort of text such as :
"before trying a new version of mozilla, you should backup your private keys to
a PKCS#12 file". This is a always good thing to do in any case, in case problems
exist in the new Mozilla build that the user is trying.

Comment 9

[Ignacio Coupeau]

I tested the workaround proposed by Julien Pierre  2002-12-09 16:07, about NSS
3.6 (steps 1-5): backup certs, install 1.2.1 and restore certs, and works fine.
Thanks.

Comment 10

[Wan-Teh Chang]

Comment on attachment 108043 [details] [diff] [review]
Diffs in NSS libraries (mozilla/security/nss/lib) between mozilla 1.2beta and 1.2final

Does this patch contain the database optimization
that Julien referred to in comment #8?

Comment 11

[Wan-Teh Chang]

I'd like to know the exact versions of Mozilla before
and after the upgrade.

Bug reporters, please confirm the following.  If you
are using a nightly build as opposed to a beta or final
release, we need to know that.  If possible please use
the Help:About menu item to get the full Mozilla version
information.

Before:
uwe: 1.2-beta
dshpak: unknown
icoupeau: 1.1

After:
uwe: 1.2 (final)
dshpak: 1.2 (final)
icoupeau: 1.2.1 (final)

Mr. Shpak, what's the Mozilla version you were using
before the upgrade?

Comment 12

[Ignacio Coupeau]

scenario tested:
Before: 1.1
After: 1.2.1 (final); Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1)
Gecko/20021130)

Comment 13

[Kai Engert [:KaiE:]]

A friend of mine also had the same problem, I was told today, and could fix it
using the same workaround, re-importing the cert. He switched from 1.1 to 1.2.1

Comment 14

[John Unruh]

*** Bug 178684 has been marked as a duplicate of this bug. ***

Comment 15

[Tom Mraz]

*** Bug 183159 has been marked as a duplicate of this bug. ***

Comment 16

[Wan-Teh Chang]

Updated: Mozilla versions before and after the upgrade.

Before:
uwe: 1.2-beta
dshpak: 1.0.0.2002052918
icoupeau: 1.1

After:
uwe: 1.2 (final)
dshpak: 1.2 (final)
icoupeau: 1.2.1 (final)

Comment 17

[Wan-Teh Chang]

*** Bug 186002 has been marked as a duplicate of this bug. ***

Comment 18

[John Unruh]

*** Bug 186276 has been marked as a duplicate of this bug. ***

Comment 19

[Kai Engert [:KaiE:]]

I think it was a problem in NSS.
But that was long ago.

Comment 20

[Nelson Bolyard (seldom reads bugmail)]

This probably was a real bug, way back when. 
But it's ancient history now, IMO.