Closed Bug 229565 Opened 21 years ago Closed 21 years ago

unable to import certs with a lifetime over the year 2049

Categories

(Core Graveyard :: Security: UI, defect)

Other Branch
x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: c++, Assigned: KaiE)

Details

User-Agent:       Mozilla/5.0 (Windows NT 5.2; U) Opera 7.21  [de]
Build Identifier: Mozilla/5.0 rv. 1.5

When trying to import a root-certificate (or sub-ca-cert or webserver-cert) in the certificate manager with a lifetime longer than the year 2049, you are unable to do so. You don't even get any dialog box. Trying to browse to a website with such certs results in the error -8183.

Reproducible: Always

Steps to Reproduce:
1. Create a root-CA with e.g. Windows certsvc with a validity till December 2050
2. Try to import the cert into Mozilla
3. --> nothing happens

Actual Results:  
unable to import the cert

Expected Results:  
Import the cert. If you're creating a cert with a validity till December 2049, you're able to import the cert.
I've checked the cert's time settings and everything seems OK. Running an ASN1PARSE with openssl showed that the start-time is encoded as UTCTIME (the year is 2003) and the end-time as GENERALIZEDTIME (the year is 2052).

This should have been fixed in the current Mozilla
trunk builds (version 1.7a, under development).
The bug number for GeneralizedTime support is bug
143334.

Bug submitter, are you using Mozilla version 1.6 or
older?  Could you try the latest Mozilla trunk (1.7a)
nightly build?  (Download it from
http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest-trunk/.)

Error -8183 is SEC_ERROR_BAD_DER, "Security library:
improperly formatted DER-encoded message."  (The NSS
and SSL error codes are tabulated at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html.)

PSM should at least pop up an error dialog box when
it fails to import a cert with an unsupported field
or extension.
Status: UNCONFIRMED → NEW
Ever confirmed: true

The latest 1.7a trunk build from Jan 04, 2004 works as expected.

But there is still room for improvement - the year is NOT displayed correctly in the CERT-VIEW, e.g. it is still formatted in 2 letter format. This should be changed to support a four letter format, otherwise it is impossible e.g. to differentiate between a cert ending in the year 2049 or 2149 etc.

Marking resolved fixed, in light of the above comment.
A separate bug should be filed about any issues 
with the display format of the date.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
There are two remaining issues.

1. One doesn't get any dialog box when Mozilla is unable to
import a cert with a lifetime longer than the year 2049.
To reproduce this bug requires NSS 3.8.x or older.

2. The year is displayed in two-digit format.

Just one more question: who opens the new bug?

We were hoping you'd open the new bugs :-)

I've just opened the new bugs: bug 230301
(no error message dialog on cert import
failure) and bug 230303 (year displayed
in two-digit format).
Product: PSM → Core
Product: Core → Core Graveyard
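
An added illustration (not code from this bug or from NSS) of the encoding rule behind the report: X.509 validity dates through 2049 are encoded as UTCTime and later dates as GeneralizedTime (RFC 5280), so a decoder that handles only UTCTime fails on a notAfter in 2052. The dates are constructed, and `allow_generalized=False` is a hypothetical stand-in for a parser without GeneralizedTime support.

```python
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18  # ASN.1 universal tag numbers

def encode_time(dt):
    """DER-encode an X.509 Time (dt in UTC): UTCTime through 2049, else GeneralizedTime."""
    if 1950 <= dt.year <= 2049:
        tag, text = UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def decode_time(der, allow_generalized=True):
    """Decode one DER Time TLV; raise ValueError if it is malformed or unsupported."""
    if len(der) < 2 or der[1] != len(der) - 2:
        raise ValueError("bad DER length")
    tag, body = der[0], der[2:].decode("ascii")
    if tag == UTCTIME and len(body) == 13:
        ydigits = 2
    elif tag == GENERALIZEDTIME and len(body) == 15 and allow_generalized:
        ydigits = 4
    else:
        raise ValueError("unsupported Time encoding, tag 0x%02x" % tag)
    if not body.endswith("Z") or not body[:-1].isdigit():
        raise ValueError("Time must be digits followed by Z")
    year = int(body[:ydigits])
    if ydigits == 2:  # two-digit year: 50-99 means 19YY, 00-49 means 20YY
        year += 1900 if year >= 50 else 2000
    f = [int(body[i:i + 2]) for i in range(ydigits, len(body) - 1, 2)]
    return datetime(year, f[0], f[1], f[2], f[3], f[4], tzinfo=timezone.utc)

if __name__ == "__main__":
    # Constructed validity period: starts in 2003, ends in 2052, as in the report.
    for label, dt in (("notBefore", datetime(2003, 12, 29, tzinfo=timezone.utc)),
                      ("notAfter", datetime(2052, 12, 29, tzinfo=timezone.utc))):
        der = encode_time(dt)
        print(label, der.hex(), decode_time(der).isoformat())
        try:
            decode_time(der, allow_generalized=False)  # hypothetical UTCTime-only parser
        except ValueError as exc:
            print("  UTCTime-only decoder:", exc)
```

The two-digit year in UTCTime is also why a certificate viewer that prints only two year digits cannot distinguish 2049 from 2149.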