Closed Bug 185198 Opened 23 years ago Closed 9 years ago

cert manager import dialog should not select .pem files

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: hauser, Unassigned)

Details

(Whiteboard: [kerh-coz])

Build 2002121008

Apparently, there are two kinds of PEM files:

1) the fat ones basically equivalent to a p12 file with a private key and multiple certs along the hierarchy - e.g. by my makefile generated with:
   $(OPENSSL) pkcs12 -in $*.pfx -out $*.pem
or
2) The slimmer ones where only one certificate is in. Equivalent to .crt for some software providers.

If in the certificate manager, the "Other People - Import" hits a "fat.pem", it appears to just abort upon hitting the private key (which typically is in the first position) or any other non-white-space text that openssl typically adds here (see at the very bottom).

If by hand, I cut out the private key, the "Other Person" key gets imported irrespective of whether it is in the first or second position (assuming there are two keys in the hierarchy).

Suggestion:
- Add a warning, if a private key or other disturbing text is in the *.pem and nothing gets imported
- Skip the private key/non-white-spaces and be more verbose on which other certs get imported as suggested already in http://bugzilla.mozilla.org/show_bug.cgi?id=184659 etc.

------ Begin file.pem excerpt ------
Bag Attributes
    friendlyName: Ralf Hauser's TC TrustCenter for Security in Data Networks GmbH ID
    localKeyID: D7 51 9A D0 D6 4F 14 9F 3C 8B D1 D7 68 04 78 26 5E E8 E9 43
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D429B33929D770B7
[base64 data omitted]
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: TC TrustCenter Class 1 CA - TC TrustCenter for Security in Data Networks GmbH
subject=/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 CA/Email=certificate@trustcenter.de
issuer= /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 CA/Email=certificate@trustcenter.de
-----BEGIN CERTIFICATE-----
[base64 data omitted]
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Ralf Hauser's TC TrustCenter for Security in Data Networks GmbH ID
    localKeyID: D7 51 9A D0 D6 4F 14 9F 3C 8B D1 D7 68 04 78 26 5E E8 E9 43
subject=/C=CH/CN=Ralf Hauser/Email=hauser@privasphere.net
issuer= /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 CA/Email=certificate@trustcenter.de
-----BEGIN CERTIFICATE-----
[base64 data omitted]
-----END CERTIFICATE-----
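Added example, not part of the bug report and not Mozilla/NSS code: one way an importer could behave as the description above suggests, skipping the private key and the text that `openssl pkcs12` writes between blocks, and reporting what it skipped instead of aborting. The function name, warning strings and sample file are assumptions made for illustration.

```python
import base64
import re
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def scan_pem_bundle(text):
    """Return (certs, warnings): decoded bytes of each CERTIFICATE block, notes on the rest."""
    certs, warnings, stray = [], [], 0
    lines = iter(text.splitlines())
    for line in lines:
        m = BEGIN.match(line.strip())
        if not m:
            stray += bool(line.strip())  # "Bag Attributes", subject=..., etc.
            continue
        label, body, closed = m.group(1), [], False
        for inner in map(str.strip, lines):
            if inner == f"-----END {label}-----":
                closed = True
                break
            if ":" not in inner:  # drop RFC 1421 headers (Proc-Type, DEK-Info)
                body.append(inner)
        if not closed:
            warnings.append(f"unterminated {label} block ignored")
        elif "PRIVATE KEY" in label:
            warnings.append(f"{label} block skipped, not imported")
        elif label != "CERTIFICATE":
            warnings.append(f"unsupported {label} block skipped")
        else:
            try:
                certs.append(base64.b64decode("".join(body), validate=True))
            except ValueError:
                warnings.append("CERTIFICATE block with invalid base64 skipped")
    if stray:
        warnings.append(f"{stray} line(s) outside PEM blocks ignored")
    return certs, warnings

# Constructed sample in the layout `openssl pkcs12` emits; payloads are
# placeholder bytes, not real key or certificate data.
b64 = lambda data: base64.b64encode(data).decode()
SAMPLE = "\n".join([
    "Bag Attributes", "    friendlyName: example user",
    "-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,0000000000000000", "", b64(b"placeholder key"),
    "-----END RSA PRIVATE KEY-----",
    "Bag Attributes", "subject=/CN=Example CA",
    "-----BEGIN CERTIFICATE-----", b64(b"placeholder CA cert"),
    "-----END CERTIFICATE-----",
    "subject=/CN=Example User",
    "-----BEGIN CERTIFICATE-----", b64(b"placeholder user cert"),
    "-----END CERTIFICATE-----",
])
print(scan_pem_bundle(SAMPLE)[1])
```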
Priority: -- → P3
Version: 2.1 → 2.4
Mozilla does not support .pem files. It does not claim to support .pem files. .pem files are an invention of OpenSSL. Mozilla is not based on OpenSSL.

The set of certificate import formats that are supported by mozilla is documented, and is the same set as is supported by the older Netscape Communicator 4.x browser. See http://wp.netscape.com/eng/security/comm4-cert-download.html

If some .pem file happens to be close enough to one of the documented supported formats that it sometimes works, great. But diagnosing input file format errors is no more an objective of mozilla/NSS than diagnosing html or style-sheet errors is.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Fine, but then, why does the certificate manager when clicking on "import" display them as "Certificate Files" and not only under "All Files"? Therefore, I suggest:

1) you either deal with them in a user friendly way or you don't offer to work on them as certificates at all. So reading your below: DON'T show "*.pem" files as importable if you never intended to support them. All other is misleading and causing user frustration.

2) Extend the help section (e.g. the one when clicking HELP in the Certificate Manager's "Other People's") by adding a paragraph on "Import" and discussing the permitted certificate formats - I would be surprised if it is a requirement to be able to run Mozilla safely (as a regular user - and I hope the security is ultimately also intended for the regular user) only if one browses your web-site sufficiently long enough to eventually stumble on the historic URL you cite below.

3) Let the user decide whether to kick out a root certificate or not. For me, the current behaviour where an import ends up *reducing* the functionality/content of my security configuration/certificate manager without asking me (let alone alerting me) in an unrecoverable way is not an acceptable user interface.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Oops, suggestion number 3 is rather targeted to http://bugzilla.mozilla.org/show_bug.cgi?id=185243#c2
I agree with comment 2, part 1. Since mozilla does not support .pem files in general, it should not appear to do so in the cert import dialog.
Summary: problems importing .pem files → cert manager import dialog should not select .pem files
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Status: REOPENED → NEW
Product: PSM → Core
Whiteboard: [kerh-coz]
QA Contact: junruh → ui
Version: psm2.4 → 1.0 Branch
Status: NEW → RESOLVED
Closed: 23 years ago → 9 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard