Incorrect IPv6 address presentation in certificate view
Categories: Firefox :: Security, defect, P3
People: Reporter: super.dukefb1, Assigned: peer-orchid-social-0a
Keywords: priv-triaged
Attachments: 3 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0
Steps to reproduce:
- Open a new Firefox window and visit https://9.9.9.9/dns-query
- Click the lock pad and finally click the View Certificate
Actual results:
In the View Certificate page, the IP Address listed for object "Subject Alt Names" has incorrect format, e.g. "IP Address 2620::fe:0000:0000:0000:0000:0000:0009" (see attachment picture)
Expected results:
IPv6 address is a 128-bit colon segmented address but Firefox renders IPv6 as more than 128-bit -- "2620::fe:0000:0000:0000:0000:0000:0009"
That is, there should be ONE colon between "2620" and "fe"
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
This is probably a bug in PKIjs if you want to file it with them: https://github.com/PeculiarVentures/PKI.js
Comment 3•1 year ago
Hello! Thank you for submitting this issue. I have managed to reproduce the issue with Firefox 125.0a1 (2024-02-23), 124.0b2 and 123.0 on Ubuntu 22.04.
I will mark this issue as NEW in order to get our developers involved and provide a solution to this issue.
Have a nice day!
Comment 4•1 year ago
The severity field is not set for this bug.
:serg, could you have a look please?
For more information, please visit BugBot documentation.
Comment 5•1 year ago
Okay, @microshine from GitHub was able to point to the responsible code in mozilla-central. Thanks a lot!
https://github.com/PeculiarVentures/PKI.js/issues/407#issuecomment-2145700628
@mb The PKIjs module does not implement logic for converting IP address values from OCTET STRING to text representation. I reviewed the script at certDecoder.mjs:150 in Firefox and noticed that this script converts the hexadecimal representation of the address incorrectly.
Here is the current implementation in Firefox:
    address
      .toLowerCase()
      .match(/.{1,4}/g)
      .join(":")
      .replace(/\b:?(?:0+:?){2,}/, "::");

If the address is 262000FE000000000000000000000009, the result will be 2620::fe:0000:0000:0000:0000:0000:0009.
Here is a potential solution for this issue:
    address
      .toLowerCase()
      .match(/.{1,4}/g)
      .map(segment => parseInt(segment, 16).toString(16))
      .join(":")
      .replace(/(^|:)0(:0)+(:|$)/, '::')
      .replace(/(^|:)0+([1-9a-f])/, '$1$2');

With this solution, the result will be 2620:fe::9, but this implementation needs to be tested with other values to ensure it works correctly in all cases.
The solution proposed by @microshine on GitHub is pretty, but there are a couple of quirks attached to IPv6 zero compression.
RFC 4291 doesn't specifically say this, but all other tools I find online compress the longest run of zeroes, not the first.
E.g., for the following address 00000000111100000000000000001111 it returns ::1111:0:0:0:0:1111, while other tools return 0:0:1111::1111, which mean the same thing according to the definition, but the second is shorter. I think the solution will end up looking much uglier, unfortunately, but will return the same result as other implementations.
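Added example (not the patch that landed in Firefox, and not code from this bug or from PKI.js): one way to produce the output described in the comment above, compressing the longest run of zero groups and, on a tie, the first one, as RFC 5952 recommends. `formatIPv6` is a hypothetical name, and the input is assumed to be the 32-hex-digit form used in this thread.

```javascript
// Added example; formatIPv6 is a hypothetical helper, not Firefox code.
// Input: the 16 address bytes as 32 hex digits, as in the thread's examples.
function formatIPv6(hex) {
  if (!/^[0-9a-fA-F]{32}$/.test(hex)) {
    throw new RangeError("expected 32 hex digits (a 16-byte address)");
  }
  // Eight 16-bit groups, leading zeros stripped: "00fe" -> "fe", "0000" -> "0".
  const groups = hex.match(/.{4}/g).map(g => parseInt(g, 16).toString(16));

  // Find the longest run of "0" groups; strict ">" keeps the first run on a tie.
  let bestStart = -1;
  let bestLen = 0;
  for (let i = 0; i < groups.length; ) {
    if (groups[i] !== "0") { i++; continue; }
    let j = i;
    while (j < groups.length && groups[j] === "0") j++;
    if (j - i > bestLen) { bestStart = i; bestLen = j - i; }
    i = j;
  }

  // A single zero group is not shortened to "::" (RFC 5952, section 4.2.2).
  if (bestLen < 2) return groups.join(":");

  // Joining the parts around the run also covers runs at either end ("::1", "fe80::").
  const head = groups.slice(0, bestStart).join(":");
  const tail = groups.slice(bestStart + bestLen).join(":");
  return `${head}::${tail}`;
}

// Constructed sample inputs; the first two are the addresses quoted in this bug.
for (const hex of [
  "262000FE000000000000000000000009",
  "00000000111100000000000000001111",
  "20010db8000000000001000000000001",
]) {
  console.log(hex, "->", formatIPv6(hex));
}
```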
Comment 10•2 months ago
Tested the new implementation with the quad9 cert: certDecoder
Comment 11•2 months ago
Comment 12•2 months ago
Comment 13•1 month ago
Hello! I can confirm that the issue is fixed with Firefox 145.0b7 and 146.0a1 (2025-10-30) on Ubuntu 22.04 and macOS 15.2.
I will mark this issue as VERIFIED->FIXED and update the flags accordingly.
Have a nice day!