1851831 - Firefox and Edge handle CRL and AIA certificate information differently

Status: RESOLVED INVALID

(Core :: Security: PSM, defect)

Description

[2295456556]

Attachment: cert_file and the private key

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.69

Steps to reproduce:

Overview: We tested with a mutated digital certificate as a test case. We found that Firefox can parse and display the CRL and Authority Information Access (AIA) information of the certificate, but Edge cannot parse them
user agent(firefox):Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
user agent(Edge):Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.69
OS: Windows 10 22H2 19045.2604
Steps to Reproduce:
(1) In Firefox, visit the url "about:certificate?cert=(processed pem data)" containing the certificate information.
(2) Use Python to create a local server (e.g. using Flask) and specify a mutated certificate and private key. Access the Flask provided url in Edge.

Actual results:

Edge cannot parse and display the CRL and AIA information of the certificate. Firefox can parse and display them.

Expected results:

Edge should be able to parse and display the CRL and AIA information of the certificate like Firefox, and the information should be consistent.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

This is a bug tracker for Firefox, not Edge. I suggest you contact Microsoft to address issues in Edge.