We had recently introduced a prompt, which would give a user feedback if an attempt to import a certificate is rejected because it is an invalid certificate. There are scenarios when that prompt does not show up, if there happens to be no window context available. One example where this lack of prompt is seen: when we fetch an invalid cert from an LDAP directory.
Created attachment 245429: Patch v1
This patch will provide a backup context, if none has been passed in by the caller.
Comment on attachment 245429: Patch v1
r+ = relyea. May want one of the Imbedded guys (particular Camino) look at the use of PipUIContext().
(In reply to comment #2)
> May want one of the Imbedded guys (particular Camino) look at the use of
> PipUIContext().
Not sure why you propose that, we use PipUIContext all over PSM already?
fixed on trunk
Comment on attachment 245429: Patch v1
We should get this correctness fix into Thunderbird 2, in order to assist people who fail trying to fetch certificates over LDAP. Not sure whether to ask for approval 22.214.171.124 or 126.96.36.199
Kai: We are done with 188.8.131.52, so nominating for 184.108.40.206. Also cc'ing mscott so this bug doesn't get lost for Thunderbird 2 (since there is no flag for it here).
This seems like a good candidate for Thunderbird 2 beta 2 which will be based on the 220.127.116.11 security train, so jay's nomination looks good to me.
Comment on attachment 245429: Patch v1
Approved for 1.8 branch, a=jay for drivers.
Checked in to 1.8 branch:
Checking in nsNSSCertificateDB.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp,v <-- nsNSSCertificateDB.cpp
new revision: 18.104.22.168; previous revision: 22.214.171.124
done
Kai: If there is a testcase QA can use to verify this bug, please let us know. Otherwise we appreciate any help in testing the latest builds to verify this is fixed. Thanks!
In order to verify, you'll have to use a special setup that involves an LDAP server, one that provides S/Mime encryption certificates. Configure such an LDAP directory for use in Thunderbird. Make sure the certificates are not trusted by Thunderbird. You'll also need a personal certificate for S/Mime signing and encryption. Once you have the above setup, compose a message, enable encryption for this message, add a recipient whose cert can be found in the LDAP directory, and try to send. This will trigger an "obtain cert" from the directory, and an attempt to import the cert. I don't have the setup right now, but I had verified it when I checked it in.