259737 - JavaScript method crypto.signText does not work.

Status: RESOLVED DUPLICATE of bug 236335

(Core :: Security, defect)

Description

[Daemon]

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20040915
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20040915

When I'm trying to use crypto.signText method to sign the challenge with my
Certificate this method returns with error 'error:internalError'. The provided
URL is the sample page that uses crypto.signText to reproduce this error.

This error lives not only in Mozilla, but in Firebird too.

Reproducible: Always
Steps to Reproduce:
1. Go to http://rea.mbslab.kiae.ru/ca/sign.html
2. Click the provided link.
3. Choose the certificate to sign the request (at least one certificate should
be imported to browser) and press OK.

Actual Results:  
I see JavaScript dialog box that says "Signature cannot be obtained. The error
is 'error:internalError'. This dialog box is spawned from my JavaScript code, when
signature cannot be obtained.

Expected Results:  
I expect the dialog box with proper PKCS signature of provied challenge.

There was Mozilla bug number 29152 that closely related to this bug, and
developers says, that now crypto.signText works properly. It's wrong, the
functionality is still broken.

Comment 1

[Frank Wein [:mcsmurf]]

wfm with a current cvs trunk build on Win2K

Comment 2

[Peter Van der Beken [:peterv]]

Wfm on 1.0PR/OS X. I've had other people contact me about this issue but I've
never been able to reproduce the problem.

Comment 3

[Peter Van der Beken [:peterv]]

Can you try signing some text in http://www.t8m.info/verify.php with your
certificate? It's a testcase that someone constructed for me when I implemented
signText. Can you also try different certificates?

Comment 4

[Daemon]

 I've tried that URL, it returns the same thing: error:internalError.
In fact that script does the same, as my, but I've noticed that URL only
after I wrote my own test page.
 I've tested it with five different certificates (all of those was signed by
three different self-signed root certificates), the result is the same.
 This bug is well known among users of OpenCA software, since it uses
crypto.signText functionality.
 I've just downloaded Mozilla with build ID 2004091605, installed it with
"Browser Only" configuration and created new test certificate for it. Things
are just the same. I'll attach the key I've used, it's in PKCS12 format,
password is 'mozilla'. This is all I can do now.

Comment 5

[Daemon]

Attachment: UUencoded test certificate in PKCS12 format.

Export password for certificate is 'mozilla' (without quotes, of course).

Comment 6

[Peter Van der Beken [:peterv]]

Well, that obiously doesn't work because the issuer is unknown. Did you import
the issuer's root certificate? If you view the certificate in the certificate
manager does it say "<Issuer unknown>" under "Purposes"?

Comment 7

[Daemon]

 Well, no. When I've imported the issuer's certificate it started to work.
So, the functionality is OK now, but what it the reason for importing the
issuers certificate? For example when using OpenSSL one does not need any
information about the issuer, just private key for signing and public key
for verification.
 In any case, I think, that error:internalError is not very good explanation
of this error. Maybe you should change it to some more meaningful message,
maybe you should write some documentation about crypto.signText, where all
possible error cases will be described?

Comment 8

[Peter Van der Beken [:peterv]]

I'll just mark this as duplicate of the bug that was filed for an enhanced
signText API. The error codes are what they are to be backwards compatible
(error:noMatchingCert, error:userCancel and error:internalError) with 4.x. There
is a doc on the Netscape site somewhere with details.

*** This bug has been marked as a duplicate of 236335 ***