Closed Bug 1911331 Opened 2 months ago Closed 2 months ago

Subject Information Access (OID 1.3.6.1.5.5.7.1.11) Extension Not Recognized in Firefox Certificate Viewer

Categories

(Core :: Security: PSM, defect)

Other Branch
defect


RESOLVED WONTFIX

People

(Reporter: 2295456556, Unassigned)

Details

Attachments

(7 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0

Steps to reproduce:

1. Generating a mutated digital certificate with an additional Subject Alternative Name (SAN) of "ypj.test.com", along with its corresponding root CA and private key.
2. Configuring an Nginx web server to use the mutated certificate and private key in HTTPS mode.
3. Setting up the local machine (127.0.0.1) as the server and mapping "ypj.test.com" to 127.0.0.1 in the hosts file.
4. Adding the root CA to the system's trusted root certificate store using certutil.
5. Running nginx.exe. Accessing the URL "https://ypj.test.com:443" in a web browser, where the certificate's SAN matches the URL.

Firefox-version-113.0

Actual results:

The Firefox Certificate Viewer does not recognize the Subject Information Access extension with OID 1.3.6.1.5.5.7.1.11, marking it as an unknown extension. This issue might stem from a problem with the display component or the parsing component of Firefox's TLS implementation.

Expected results:

Expected Result:
It limits Firefox's ability to perform additional validations based on the full certificate data.
The Subject Information Access extension should be recognized.

Additional Information:
This issue might be related to either the certificate viewer display logic or the underlying certificate parsing logic. Proper recognition and display of this extension are critical for users and developers who rely on accurate certificate information.

Please investigate and address this issue to ensure proper handling of the Subject Information Access extension in Firefox's TLS implementation.

Attached image hosts.png
Attached image nginx_config.png
Attached file rsa_pri_2048.pem

Firefox does not make use of the subject information access extension at all, nor do we have any plans to make it do so (note that the baseline requirements recommend it not be used). The list of recognized extensions during certificate validation can be found here: https://searchfox.org/nss/rev/c48439ae5a0333d0224780752694df3036d2ff55/lib/mozpkix/lib/pkixcert.cpp#173-225

Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Resolution: --- → WONTFIX
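
The rule behind that answer, as an added example that is not part of the original comments and is not Firefox or NSS code: RFC 5280 section 4.2 lets a validator ignore an extension it does not recognize when it is non-critical and requires rejection when it is critical, and section 4.2.2.2 requires CAs to mark Subject Information Access non-critical. The `RECOGNIZED` set is an illustrative assumption rather than the list in `pkixcert.cpp`, and the helper names and the sample extension bytes are constructed for this sketch.

```python
# Added example (not Firefox/NSS code): RFC 5280 handling of unrecognized extensions.
SIA = "1.3.6.1.5.5.7.1.11"  # Subject Information Access, the OID from this bug
# Illustrative subset (assumption), not mozpkix's list: keyUsage, SAN, basicConstraints, EKU.
RECOGNIZED = {"2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37"}

def tlv(tag, body):  # encode one DER tag-length-value
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):  # decode one TLV, return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):  # first byte carries both leading arcs (true for OIDs used here)
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(der, recognized=RECOGNIZED):
    """Map each extension OID in a DER Extensions SEQUENCE to a verdict."""
    _, seq, _ = read_tlv(der, 0)
    verdicts, pos = {}, 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        _, oid, nxt = read_tlv(body, 0)
        tag, val, _ = read_tlv(body, nxt)
        critical = tag == 0x01 and val == b"\xff"  # BOOLEAN absent means FALSE
        name = dec_oid(oid)
        verdicts[name] = ("process" if name in recognized
                          else "reject" if critical else "ignore")
    return verdicts

def sample(sia_critical):  # constructed input: SAN for ypj.test.com plus SIA (opaque value)
    def ext(oid_hex, value, flag=b""):
        return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + flag + tlv(0x04, value))
    san = ext("551d11", tlv(0x30, tlv(0x82, b"ypj.test.com")))
    sia = ext("2b0601050507010b", b"\x30\x00", tlv(0x01, b"\xff") if sia_critical else b"")
    return tlv(0x30, san + sia)
```

`classify(sample(False))` marks the SAN as processed and the SIA as ignored, which matches what the reporter observed; `classify(sample(True))` shows the only case where an unrecognized extension changes the validation outcome.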

Does Chrome use Issuer Alternative Name?
