Bug 209168: Mozilla Mail S/Mime instructs NSS to import the wrong certs
Status: VERIFIED FIXED (Opened 21 years ago, Closed 21 years ago)
Categories: MailNews Core :: Security: S/MIME, defect
Tracking: Not tracked
People: Reporter: KaiE, Assigned: KaiE
Details: Keywords: fixed1.4, regression, Whiteboard: [adt2]
Attachments (1 file): 894 bytes, patch (KaiE: review+, kinmoz: superreview+, brendan: approval1.4+)

cc'ing many people, mostly FYI
When Mozilla Mail processes an S/Mime message, it tries to import the certs
contained in the message. It does so by calling
NSS_CMSSignedData_ImportCerts(.., .., certUsageEmailSigner, ..);
This seems to be wrong. It should instead import type certUsageEmailRecipient.
In the past, before bug 193367 was fixed, this mistake didn't matter, because
NSS_CMSSignedData_ImportCerts imported any contained cert.
Comment 1 • 21 years ago (Assignee)
The consequence of this bug is: Mozilla versions that use an NSS version
containing the fix from bug 193367 might not import the required certificate to
reply using encrypted mail, if dual-key certificates are used.
See also bug 209166, a related issue, that requests a more relaxed handling of
importing S/Mime certificates.
Keywords: regression
Comment 2 • 21 years ago (Assignee)
Suggested fix
Comment 3 • 21 years ago (Assignee)
fixing summary
Flags: blocking1.4?
Summary: Mozilla Mail S/Mime instructs NSS to import correct certs → Mozilla Mail S/Mime instructs NSS to import the wrong certs
Comment 4 • 21 years ago (Assignee)
Proposing this bug as a 1.4 blocker, because I believe this bug breaks S/Mime
functionality when using dual key certificates.
Comment 5 • 21 years ago (Assignee)
After having tested, I can confirm
- Mozilla is currently broken
- this patch fixes the problem
Testing scenario:
- set up a new Mozilla profile, let's call it RECIPIENT, with an empty
certificate database, where you can receive mail
- using another profile, let's call it SENDER, send a signed message using a
dual key certificate (like the ones that are issued at testca.netscape.com).
[all actions below are to be done in the RECIPIENT PROFILE]
- use the RECIPIENT profile to receive the message
[checkpoint]
- read the received message, you should see a valid signature icon.
- open certificate manager other people's tab. It's empty
- click reply, and in the new compose message window, click the security icon.
You'll see the recipient's name listed and the certificate status will be "not
found".
The above behaviour is incorrect.
With the patch applied the tested behaviour after [checkpoint] is instead:
- read the received message, you see the valid signature icon
- open cert manager tab, you'll see the mail message sender's encryption cert
- click reply in the received email message, click security icon. You'll see the
certificate status is "valid".
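
A simplified model of the behaviour described in the report and in comments 1 and 5, added here as an illustration (it is not NSS or Mozilla code). It assumes the importer keeps only certificates whose key usage fits the requested usage; every name below is a hypothetical stand-in, and the sample messages are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical key-usage bits; a dual-key user holds one cert per bit. */
enum { KU_SIGN = 1, KU_ENCRYPT = 2 };

/* Stand-ins for certUsageEmailSigner and certUsageEmailRecipient. */
typedef enum { USAGE_EMAIL_SIGNER, USAGE_EMAIL_RECIPIENT } usage_t;

typedef struct { const char *email; unsigned key_usage; } cert_t;

/* Assumption: import keeps only certs whose key usage fits `usage`. */
static int fits(const cert_t *c, usage_t usage) {
    unsigned need = (usage == USAGE_EMAIL_SIGNER) ? KU_SIGN : KU_ENCRYPT;
    return (c->key_usage & need) != 0;
}

/* Copy matching certs from a signed message into the local store. */
size_t import_certs(const cert_t *msg, size_t n, usage_t usage,
                    cert_t *store, size_t cap) {
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++)
        if (fits(&msg[i], usage))
            store[kept++] = msg[i];
    return kept;
}

/* An encrypted reply needs a stored cert for `email` usable for encryption. */
int can_reply_encrypted(const cert_t *store, size_t n, const char *email) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].email, email) == 0 &&
            (store[i].key_usage & KU_ENCRYPT))
            return 1;
    return 0;
}

/* Constructed samples: dual-key sender (two certs) and single-key sender. */
const cert_t DUAL_KEY_MSG[] = {
    { "sender@example.test", KU_SIGN },
    { "sender@example.test", KU_ENCRYPT },
};
const cert_t SINGLE_KEY_MSG[] = {
    { "sender@example.test", KU_SIGN | KU_ENCRYPT },
};

/* Import from `msg` with `usage`, then report whether a reply can be encrypted. */
int reply_possible(const cert_t *msg, size_t n, usage_t usage) {
    cert_t store[8];
    size_t kept = import_certs(msg, n, usage, store, 8);
    return can_reply_encrypted(store, kept, "sender@example.test");
}
```

In this model a single-key certificate passes either filter, which is why the wrong usage only shows up with dual-key senders.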
Updated • 21 years ago (Assignee)
Attachment #125502 - Flags: review?(ddrinan)
Comment 6 • 21 years ago (Assignee)
cc'ing Terry FYI
Comment 7 • 21 years ago
Comment on attachment 125502
Patch v1
Looks good r=relyea
Comment 8 • 21 years ago (Assignee)
Comment on attachment 125502
Patch v1
Thanks for the review, marking the patch as r=relyea.
Attachment #125502 - Flags: superreview?(kin)
Attachment #125502 - Flags: review?(ddrinan)
Attachment #125502 - Flags: review+
Attachment #125502 - Flags: superreview?(kin) → superreview+
Comment 10 • 21 years ago (Assignee)
Comment on attachment 125502
Patch v1
requesting branch approval for this regression fix
Attachment #125502 - Flags: approval1.4?
Comment 11 • 21 years ago
a=adt to land on the branch. Please add fixed1.4 keyword.
nsbeta1+/adt2
Comment 12 • 21 years ago (Assignee)
/me waits for driver's approval before landing
Comment 13 • 21 years ago (Assignee)
fixed on trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 14 • 21 years ago (Assignee)
*** Bug 203235 has been marked as a duplicate of this bug. ***
Comment 15 • 21 years ago
Comment on attachment 125502
Patch v1
Can't hurt.
/be
Attachment #125502 - Flags: approval1.4? → approval1.4+
Comment 16 • 21 years ago (Assignee)
fixed on 1.4 branch after rc2, thanks a lot for approving.
Flags: blocking1.4?
Keywords: fixed1.4
Comment 17 • 21 years ago
Verified that expected results outlined in comment #5 occur in 1.4 branch 20030624
"With the patch applied the tested behaviour after [checkpoint] is instead:
- read the received message, you see the valid signature icon
- open cert manager tab, you'll see the mail message sender's encryption cert
- click reply in the received email message, click security icon. You'll see the
certificate status is "valid"."
Status: RESOLVED → VERIFIED