Closed Bug 286735 Opened 20 years ago Closed 19 years ago

Certificate loaded from token displayed in "Other People's Certificates" if the corresponding object on the token has an empty CKA_LABEL

Categories

(NSS :: Libraries, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: olivier.marquis, Assigned: rrelyea)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Build Identifier: 

On a token (smart card), if a PKCS#11 certificate object is created with an 
empty CKA_LABEL, the corresponding certificate is displayed in the "Other 
People's Certificates" panel in the Certificate Manager.
If you only modify the CKA_LABEL (just enter a space character), then the 
certificate is displayed in the "Your Certificates" panel.

Reproducible: Always

Steps to Reproduce:
1. Create a correct PKCS#11 certificate object on a smart card with an empty 
CKA_LABEL
2. Open the Certificate Manager under Mozilla, the certificate appears in 
the "Other People's Certificates" panel
3. Modify the CKA_LABEL of the certificate object
4. Open the Certificate Manager under Mozilla, the certificate appears in 
the "Your Certificates" panel
Actual Results:  
The certificate should always be displayed in the "Your Certificates" panel

Expected Results:  
If the CKA_LABEL attribute is empty the certificate appears in the "Other 
People's Certificates" panel

I had a look at the source code; here are functions which could be responsible 
for this problem

- getCertType(CERTCertificate *cert) in nsNSSCertHelper.cpp
the certificate can only have the USER_CERT type if its nickname is not empty

- pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, CK_ATTRIBUTE 
*privateLabel, char **nickptr) in pk11cert.c
the nickname can only be defined if the label (CKA_LABEL attribute) exists

Assignee: wtchang → rrelyea
QA Contact: bishakhabanerjee → jason.m.reid

User Certs without labels can cause additional problems in applications as well.
Your certs should always have labels of some kind.

bob
NSS defines the nickname for a cert as the PKCS #11 label. (by design).
PSM rejects user certs which do not have a nickname. (by design).

The semantics described in the bug is not unexpected, closing invalid. If PSM
wants to accept user certs which do not have a nickname, then changing
getCertType in nsNSSCertHelper.cpp will be sufficient. This change should only
be made if mozilla apps do not use the nickname to identify user certs
elsewhere (like storing preferred email certs in preferences).
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
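
The label → nickname → panel chain discussed in this bug, as an added example for checking token objects before provisioning. This is a simplified model and not NSS or PSM source: every identifier below is hypothetical, the `is_users_own` flag is an assumption standing in for however the cert is recognised as the user's own, and the sample objects are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the behaviour described in this bug; not NSS/PSM code. */
typedef enum { PANEL_YOUR_CERTS, PANEL_NOT_YOURS } panel_t;

typedef struct {
    const unsigned char *label; /* CKA_LABEL value: raw bytes, no NUL terminator */
    size_t label_len;           /* attribute length as reported by the token */
    int is_users_own;           /* assumption: cert belongs to the token holder */
} token_cert_t;

/* NSS step (by design): the nickname comes from CKA_LABEL, so an empty or
 * absent label yields no nickname. Caller frees the returned string. */
char *model_nickname(const token_cert_t *c) {
    if (c->label == NULL || c->label_len == 0) return NULL;
    char *nick = malloc(c->label_len + 1);
    if (nick == NULL) return NULL;
    memcpy(nick, c->label, c->label_len);
    nick[c->label_len] = '\0';
    return nick;
}

/* PSM step (by design): a cert without a nickname is not a user cert. */
panel_t model_panel(const token_cert_t *c) {
    char *nick = model_nickname(c);
    panel_t p = (nick != NULL && c->is_users_own) ? PANEL_YOUR_CERTS : PANEL_NOT_YOURS;
    free(nick);
    return p;
}

/* Provisioning check: user certs that would not land in "Your Certificates". */
size_t count_misfiled(const token_cert_t *certs, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (certs[i].is_users_own && model_panel(&certs[i]) != PANEL_YOUR_CERTS) bad++;
    return bad;
}

/* Constructed sample objects, not read from a real token. */
static const token_cert_t SAMPLE[] = {
    { (const unsigned char *)"", 0, 1 },               /* empty CKA_LABEL */
    { (const unsigned char *)" ", 1, 1 },              /* single space, as in the report */
    { (const unsigned char *)"Alice signing", 13, 1 }, /* ordinary label */
    { (const unsigned char *)"", 0, 0 },               /* not the user's cert */
};

int main(void) {
    printf("misfiled user certs: %zu of 4\n", count_misfiled(SAMPLE, 4));
    return 0;
}
```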