Closed Bug 1910223 Opened 1 year ago Closed 11 months ago

Firefox Rejects Certificate with Policy Mappings Extension (Error code: SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)

Categories: NSS :: Libraries, defect

Tracking: Not tracked

Status: RESOLVED WONTFIX

People: Reporter: 2295456556, Unassigned

Attachments: 8 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0

Steps to reproduce:

1. Generating a mutated digital certificate with an additional Subject Alternative Name (SAN) of "ypj.test.com", along with its corresponding root CA and private key.
2. Configuring an Nginx web server to use the mutated certificate and private key in HTTPS mode.
3. Setting up the local machine (127.0.0.1) as the server and mapping "ypj.test.com" to 127.0.0.1 in the hosts file.
4. Adding the root CA to the system's trusted root certificate store using certutil.
5. Running nginx.exe. Accessing the URL "https://ypj.test.com:443" in a web browser, where the certificate's SAN matches the URL.

Firefox version: 113.0

Actual results:

Firefox rejects a certificate containing the critical Policy Mappings extension (OID 2.5.29.33) and displays the error code: SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION. Conversely, Chrome correctly accepts the certificate.

There are two issues identified:

1. Firefox fails to parse the OID 2.5.29.33 (Policy Mappings) and incorrectly treats it as an unknown extension.
2. Firefox blocks normal access due to this failure.

Expected results:

Firefox should behave consistently with Chrome by:

1. Correctly parsing the OID 2.5.29.33 as Policy Mappings.
2. If the Policy Mappings field is valid, Firefox should pass the verification and allow normal access.

Please address this inconsistency to ensure proper handling of the Policy Mappings extension in certificates.
Attached image hosts.png
Attached image nginx_config.png
Attached image chrome.png
Attached file rsa_pri_2048.pem
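The report turns on one detail of the certificate: the Policy Mappings extension (OID 2.5.29.33) is present and flagged critical, which is exactly the combination an RFC 5280 verifier must reject when it does not implement the extension. The following is an added example, not code from the report or from NSS/mozilla::pkix, that walks an X.509 Extensions SEQUENCE with a minimal DER reader, lists each extension with its critical flag, and decodes a Policy Mappings value into its (issuerDomainPolicy, subjectDomainPolicy) pairs. It uses only the Python standard library; the sample extensions and the policy OIDs 1.2.3.4.5 / 1.2.3.4.6 are constructed for this example and are not taken from the reporter's certificate.

```python
"""List the extensions in an X.509 Extensions SEQUENCE and decode a
Policy Mappings (OID 2.5.29.33) value, so a certificate can be checked
for a critical Policy Mappings extension before it is deployed.
Added example, not code from the bug report; standard library only.
The sample extensions at the bottom are constructed for this example."""

POLICY_MAPPINGS_OID = "2.5.29.33"

# --- minimal DER helpers -----------------------------------------------------

def der_tlv(tag, value):
    """Encode one TLV; short-form lengths suffice for the samples here."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # base-128 with continuation bits
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Read one TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Yield (tag, value) for each TLV packed inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        yield tag, val

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# --- RFC 5280 structures -----------------------------------------------------

def parse_extensions(ext_seq_der):
    """Extensions ::= SEQUENCE OF Extension { extnID OID, critical BOOLEAN
    DEFAULT FALSE, extnValue OCTET STRING } -> [(dotted_oid, critical, value)]."""
    tag, body, _ = _read_tlv(ext_seq_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result = []
    for tag, ext in _children(body):
        parts = list(_children(ext))
        oid, critical, idx = decode_oid(parts[0][1]), False, 1
        if parts[idx][0] == 0x01:          # optional BOOLEAN; absent means FALSE
            critical, idx = parts[idx][1] != b"\x00", idx + 1
        assert parts[idx][0] == 0x04, "extnValue must be an OCTET STRING"
        result.append((oid, critical, parts[idx][1]))
    return result

def decode_policy_mappings(extn_value):
    """PolicyMappings ::= SEQUENCE OF SEQUENCE { issuerDomainPolicy OID,
    subjectDomainPolicy OID } -> [(issuer_oid, subject_oid)]."""
    tag, body, _ = _read_tlv(extn_value, 0)
    assert tag == 0x30, "PolicyMappings must be a SEQUENCE"
    return [tuple(decode_oid(v) for t, v in _children(mapping) if t == 0x06)
            for _, mapping in _children(body)]

def critical_policy_mappings(ext_seq_der):
    """Return the decoded mappings when Policy Mappings is present AND marked
    critical (the combination mozilla::pkix rejects with
    SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION); None otherwise."""
    for oid, critical, value in parse_extensions(ext_seq_der):
        if oid == POLICY_MAPPINGS_OID and critical:
            return decode_policy_mappings(value)
    return None

# --- constructed sample resembling the shape of the reported certificate -----

def encode_extension(oid, value, critical):
    """Build one Extension TLV; the critical BOOLEAN is omitted when FALSE."""
    flag = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, encode_oid(oid) + flag + der_tlv(0x04, value))

SAMPLE_EXTENSIONS = der_tlv(0x30, b"".join([
    encode_extension("2.5.29.19", der_tlv(0x30, b""), critical=True),                  # basicConstraints {}
    encode_extension("2.5.29.17", der_tlv(0x30, der_tlv(0x82, b"ypj.test.com")), critical=False),  # SAN dNSName
    encode_extension(POLICY_MAPPINGS_OID,                                               # the rejected extension
                     der_tlv(0x30, der_tlv(0x30, encode_oid("1.2.3.4.5") + encode_oid("1.2.3.4.6"))),  # constructed OIDs
                     critical=True),
]))

if __name__ == "__main__":
    for oid, critical, _ in parse_extensions(SAMPLE_EXTENSIONS):
        print(f"{oid:<12} critical={critical}")
    print("critical Policy Mappings:", critical_policy_mappings(SAMPLE_EXTENSIONS))
```

Run against a real certificate, the Extensions SEQUENCE is the `[3] EXPLICIT` element at the end of TBSCertificate; the same `parse_extensions` call applies once that element is extracted. A non-empty return from `critical_policy_mappings` on an end-entity certificate is the condition this bug describes, and the remedy is to issue without the extension (or at least without the critical flag), since the resolution states the extension will not be supported.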

At this time, mozilla::pkix does not support the policy mappings extension, and we have no plans to support it. The baseline requirements recommend that it not be used, and we see no reason to support it.

Assignee: nobody → nobody
Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Component: Security: PSM → Libraries
Product: Core → NSS
Resolution: --- → WONTFIX
Version: Other Branch → unspecified