Closed
Bug 275043
Opened 20 years ago
Closed 19 years ago
Cert viewer does not show right values for Dutch Gov Root Cert
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 289988
People
(Reporter: bart.knubben, Assigned: KaiE)
Details
Attachments
(2 files)
In the process of testing the inclusion of the Dutch Government Root cert (bug 271585, see debug build of nssckbi.dll), we experienced the following problems with the cert viewer.

Although the Dutch government root cert is verified for all uses (websites, email, developers), the cert viewer only shows: "This certificate has been verified for the following uses: SSL Certificate Authority." (see attachment "Staat der Nederlanden.jpg"). Strangely enough, for other certs, like Thawte, the cert viewer shows verification for all uses (see attachment "Thawte.jpg").

With regard to the Extensions fields in the certificate viewer:
1. Basic constraints: shows a hexadecimal value, i.e. not human readable
2. Certificate Policies: shows a hexadecimal value, i.e. not human readable
3. Certificate key usage: shows only "Certificate Signing". Key usage "CRL Signing" should also be present.
4. Subject key identifier: should only show A8:7D:EB:BC:63:A4:74:13:74:00:EC:96:E0:D3:34:C1:2C:BF:6C:F8, but Firefox shows: 04:14:A8:7D:EB:BC:63:A4:74:13:74:00:EC:96:E0:D3:34:C1:2C:BF:6C:F8

These extension fields should show something like this (results with OpenSSL):
1. Basic Constraints: CA:TRUE
2. Certificate Policies: Policy: Any Policy CPS: http://www.pkioverheid.nl/policies/root-policy
3. Certificate Key Usage: critical Certificate Sign, CRL Sign
4. Subject Key Identifier: A8:7D:EB:BC:63:A4:74:13:74:00:EC:96:E0:D3:34:C1:2C:BF:6C:F8

Thanks for your actions.
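The 04:14 prefix in item 4 of the report is the DER header of the OCTET STRING that wraps the key identifier (tag 0x04, length 0x14 = 20 bytes), which means the viewer displayed the raw extension value instead of its decoded content. The following is an added example, not part of the original report or of Mozilla's code, that decodes such raw values into the OpenSSL-style text the report asks for; the function names are hypothetical, and the key usage and basic constraints bytes are constructed samples (only the subject key identifier bytes come from the report).

```python
# OpenSSL-style names for KeyUsage bits 0..8 (RFC 5280 bit order).
KEY_USAGE_BITS = ["Digital Signature", "Non Repudiation", "Key Encipherment",
                  "Data Encipherment", "Key Agreement", "Certificate Sign",
                  "CRL Sign", "Encipher Only", "Decipher Only"]

SKI_AS_SHOWN = "04:14:A8:7D:EB:BC:63:A4:74:13:74:00:EC:96:E0:D3:34:C1:2C:BF:6C:F8"  # from the report
KEY_USAGE_DER = "03:02:01:06"              # constructed: keyCertSign + cRLSign
BASIC_CONSTRAINTS_DER = "30:03:01:01:FF"   # constructed: SEQUENCE { BOOLEAN TRUE }

def from_hex(text):
    return bytes.fromhex(text.replace(":", ""))

def read_tlv(data, offset=0):
    """Return (tag, value_bytes, next_offset) for one DER TLV, with bounds checks."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        if n == 0 or offset + n > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("truncated value")
    return tag, data[offset:offset + length], offset + length

def subject_key_identifier(ext_value):
    tag, value, end = read_tlv(ext_value)
    if tag != 0x04 or end != len(ext_value):
        raise ValueError("expected a single OCTET STRING")
    return ":".join(f"{b:02X}" for b in value)   # header stripped, key id only

def key_usage(ext_value):
    tag, value, _ = read_tlv(ext_value)
    if tag != 0x03 or not value:
        raise ValueError("expected BIT STRING")
    unused, bits = value[0], value[1:]           # first octet counts unused bits
    total = len(bits) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and bits[i // 8] & (0x80 >> (i % 8))]

def basic_constraints(ext_value):
    tag, seq, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    if not seq:                                  # cA defaults to FALSE when absent
        return "CA:FALSE"
    t, v, _ = read_tlv(seq)
    return "CA:TRUE" if (t == 0x01 and v == b"\xff") else "CA:FALSE"
```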
Comment 1•20 years ago (Reporter)
Comment 2•20 years ago (Reporter)
To compare with screen dump of cert viewer on Dutch Gov Root Cert
Comment 3•20 years ago
Is this yours, Frank?
Summary: Cert viewer does not show right values → Cert viewer does not show right values for Dutch Gov Root Cert
Comment 4•20 years ago
When I approved the Staat der Nederlanden CA certificate for inclusion I requested that it be marked as trusted for all purposes; see my comments in bug 261374, which I filed against Nelson Bolyard to get the actual patch made to NSS. When Nelson did the actual patch he did set all the relevant trust bits for this CA; see his comment 11 in bug 271585.

(I also double-checked this by looking at the attachment Nelson referenced with the cert data -- in the form of .der files -- and the addcerts.ksh shell script to add the certs; the relevant line in the script is

    addbuiltin -n "Staat der Nederlanden Root CA" -t C,C,C < StaatDerNederlandenRootCA.der >> certdata.txt

which sets trust bits for SSL, S/MIME, and object signing.)

So the short answer here is: I don't know what is going on, and it's beyond my competence to explain why the cert viewer shows these results.
Comment 5•19 years ago
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
Comment 6•19 years ago
This is a duplicate - there are several certs for which this display is incorrect.

Gerv

*** This bug has been marked as a duplicate of 289988 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: Core → Core Graveyard