Closed Bug 243738 Opened 20 years ago Closed 8 years ago

Unable to use Certificate for Signing / Encryption when it contains special characters ÄÖÜ

Categories

(Core :: Security: PSM, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: r.kraenzlein, Unassigned)

Details

(Whiteboard: [kerh-coz])

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

Mozilla refuses to use a certificate, if the owner's name contains any 'Umlaute'.
I tried a trustcenter.de certificate. When I deleted the certificate and created
a new one without äüö, it worked correctly.
The problem seems to be with the account manager, because I use one certificate
with 'ä' for a very long time and it works, but I am not able to select a
certificate for a new E-Mail address with 'ä' in it.

Reproducible: Always
Steps to Reproduce:
1. Create a Mail Certificate, e.g. at trustcenter.de, with an äüö-character in
Owner's Name
2. Install Certificate
3. At the Account Setting for the specific E-Mail address select the certificate
for signing and encryption
4. Try to send a signed or encrypted E-Mail

Actual Results:  
The E-Mail isn't signed or encrypted

Expected Results:  
Sign / Encrypt the outgoing Mail

- It is quite easy to get a Workaround by getting a new Certificate if you know
why it doesn't work. The Problem is with certificates e.g. given out by a bank
or government, because they refuse to change the owner's name.
- The bug is the same with Win 98
My name contains the common Danish character ø and Mozilla refuses to sign my
messages and returns this error:
"Sending of message failed: You specified that this message should be digitally,
but the application either failed to find an encryption certificate to include
in the signed message, or the certificate has expired"

I will get a friend without special character in his/her name to try the same
and report back.
I can now confirm that the problem does not exist when certificate owner does
not include special characters.
The error message I quoted in my previous post was outdated. Sorry. 

The current one (1.6) is:
<quote>
Sending of message failed.
You specified that this message should be digitally signed, but the application
either failed to find the signing certificate specified in your Mail & Newsgroup
Account Settings, or the certificate has expired.
</quote>
Still present in Mozilla 1.7.
Flags: blocking1.8a2?
Flags: blocking1.8a2? → blocking1.8a2-
Product: Browser → Seamonkey
*** This bug has been confirmed by popular vote. ***
Status: UNCONFIRMED → NEW
Ever confirmed: true
Depends on: 217305
To the reporters of this bug, Robert and Søren,
Please read the questions in https://bugzilla.mozilla.org/show_bug.cgi?id=217305#c35
and answer them with follow-up comments in this bug report (243738).
Also, if you will, please email me copies of your cert7.db and cert8.db
files (not key3.db), using the instructions found in 
https://bugzilla.mozilla.org/show_bug.cgi?id=217305#c42
Once I have some sample files that show the problem, I may be able to 
devise a method to fix them.  
Summary: Unable to use Certificate fpr Signing / Encryption when Certificate Owner's contains special characters such as ÄÖÜ → Unable to use Certificate for Signing / Encryption when it contains special characters ÄÖÜ
Hi Nelson,

I no longer have that certificate stored in Mozilla so I can't send any files
but IIRC I discovered it in Mozilla 1.6, imported PKCS12, cert expires june 2006
and was probably installed in june 2004. 

My certificates are now stored on a smart card device (etoken) but still I can't
even select the appropriate certificate with ø in the account settings -> security.

Please let me know if you need more information.

Søren
Robert Kränzlein sent me the following additional details:

> The certificate is installed by clicking on the website (Firefox 1.0.2) then 
> exported as .p12-file and reimported to Thunderbird version 1.0 (20041206)

So, this is a Thunderbird bug, also, and not only a Seamonkey bug. So, I'm 
moving this to core, since TB doesn't seem to have a relevant component.

And this tells me that there is no problem exporting and importing 
this cert.  Also, I verified that the nickname in this cert8.db file is 
valid UTF8.  So this is not the same problem as in bug 217305. 

> When trying to sign a message following error appears.
>
>    Sending of message failed
>    Unable to sign message. Please check that the certificates 
>    specified in Mail & Newsgroups Account
>    Settings for this mail account are valid and trusted

That's a different error message than the one given in comment 1 above.
Component: MailNews: Account Manager → Security: PSM
No longer depends on: 217305
Product: Mozilla Application Suite → Core
Whiteboard: [kerh-coz]
Assignee: sspitzer → kengert
QA Contact: psm
I can not reproduce this bug.

I produced a test CA cert and 2 personal certs. In the personal certs I played with German öäüÖÄÜß chars and the Danish ø.

I used the chars in the CN and in the nickname.

I was able to import this into Thunderbird 2.x, the mail security cert picker offered me both certs and allows me to select them.

Well, at least this works on Linux.
Anyone dares to try this on Windows?

I propose we mark this as WORKSFORME unless you are able to reproduce a problem with the certs that I'll attach.
Attached file test CA cert
Looking at comment 0, we see that the bug reporter was using Mozilla 
Application Suite 1.6.   That version, and all versions prior to 1.7
had a problem, where strings with ISO-Latin-1 characters were sometimes
used as nicknames without translating them from Latin-1 to UTF-8.  
This caused the resultant nickname string to be an invalid UTF-8 nickname.
(Nicknames are always UTF-8.)   That problem was fixed in Moz 1.7 by John
Myers (IIRC).  The code now translates Latin-1 to UTF-8 when making a 
nickname.  So, people who have enrolled for certs with version 1.7 and 
newer have not seen the problem, AFAIK.

However the fix in 1.7 did not fix existing flawed databases.  
Users of current mozilla browsers (FF or SM) who have databases originally
generated by a pre-1.7 version of mozilla app suite still have these problems
because their cert DB's still have invalid nicknames.  That is the subject
of Bug 237077 and is why Bug 217305 is still open.  See those bugs for more
details. 
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
From comment 14, it seems that all currently-valid certificates won't have this problem. Please re-open if that's not the case.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME