Closed Bug 440033 Opened 11 years ago Closed 11 years ago

Error importing PKCS12 (PKCS#12) certificates to firefox

Categories

(Core :: Security: PSM, defect, major)

x86
Windows Vista
defect
Not set
major

RESOLVED INVALID

People

(Reporter: remybr, Assigned: kaie)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

When trying to import a PKCS12 certificate generated with openssl, FF will give a "Failed to restore the PKCS #12 file for unknown reasons" error and won't import the file. The same file will import correctly in IE7.

Reproducible: Always

Steps to Reproduce:
1. Open menu Tools -> Options and select tabs Advanced -> Encryption
2. Click View Certificates
3. Select tab My Certificates
4. Click the Import button
5. Select .p12 file containing the certificate (I can provide one if needed)
6. Click the Open button
Actual Results:  
FF will present the message "Failed to restore the PKCS #12 file for unknown reasons". See image here: http://img183.imageshack.us/img183/3079/ffbugxn8.gif

Expected Results:  
Certificate is imported to FF repository.

I can provide a sample PKCS12 file if needed, but I've tried with files generated by openssl and MS Certification authority, so I believe this would happen with any file.

Also, the same files are imported without any problems in IE7
Remy: It would be great if you could provide the file. Please feel free to send to my email address. Thanks.
This is one of the certificate files I'm using to test.
I've attached one of my test PKCS#12 certificate files in the bug report.

Tested the same file with Thunderbird 2.0.0.14 and IE7, and it works OK. Only FF presents the error.

Also tested with FF 2.0.0.14 and it presents the same bug, except it will crash and won't display the error message.
Moving over to Security component to get some clarification as to why this might not be working since I am not familiar with particular cert.
Component: General → Security
QA Contact: general → firefox
Moving once more, Certificate Management is a Core:PSM function.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Confirming the same problem for Firefox 3 under Linux (Ubuntu 804LTS).

Importing the same client cert succeeds under Firefox 2.0.0.14.
Hello friends:

I can confirm several tests.

a) I have the same problem with my certificates: I can't export or import any certificate to or from a .p12 file. This problem only affects certificates with a private key.

b) I can change the container's password without problems.

c) I can create and install certificates from https://www.startssl.com/, but once a certificate is installed from the web into my browser, I can't back it up to a .p12 file. This is a problem, because if the solution is to create a new user profile, you will lose this certificate and others installed like that.

d) I can use all my installed certificates, apparently without problems. 

e) I have followed this procedure without success:

http://www.pki.gov.ar/index.php?option=com_content&task=view&id=552&Itemid=180

The main problem is the statement "for unknown reasons". It can't help us find the problem's origin. We need more information about this issue, but MrSSL said this to me:

"Sorry, as a matter of principle, I don't work on bugs about failures that
PSM reports as "for an unknown reason".  NSS reports specific error codes
that say what the reason is.  For some reason, PSM decides to discard that
information and report "for an unknown reason".  That PSM choice has the 
effect that when users experience failures, instead of taking simple 
corrective actions indicated by specific error codes, they file bugs.  The 
NSS and PSM developers get asked to diagnose a problem that was already 
diagnosed by NSS, but that diagnosis was discarded by PSM.

Years ago, when PSM was being first developed, the developer responsible
for doing the error code UI was not up to the job, and the display of 
error codes became the last thing to be completed.  The manager of the
project, desiring to get it done more quickly, decided to just take all
the remaining error codes and report them "for an unknown cause".  
That was 8 years ago, and from that day to this, no person responsible for
the PSM UI has thought it important to fix that utterly useless UI.

My position is this: There is no reason that the NSS team should do extra
work to diagnose problems whose diagnosis has already been given by NSS, 
but was discarded by Firefox.  UI is Firefox's responsibility, not NSS's.  
If it is not important to the Mozilla/Firefox/UI community to report those 
error codes, then it certainly is not worthy of the NSS team's time either."

At this point, I think that the first step must be towards error message support. 

Best regards from Fernando Acero
Can you confirm that you do exactly the following:

1. Open Certificate Viewer in Firefox
2. Select a personal client certificate
3. Click on Backup
4. Choose a *writable* directory and enter a file name (like client.p12)
5. Provide twice a password for the certificate backup
6. Click OK

If it doesn't succeed tell me exactly at which stage that happens. 
(In reply to comment #8)
> Can you confirm that you do exactly the following:
> 
> 1. Open Certificate Viewer in Firefox
> 2. Select a personal client certificate
> 3. Click on Backup
> 4. Choose a *writable* directory and enter a file name (like client.p12)
> 5. Provide twice a password for the certificate backup
> 6. Click OK
> 
> If it doesn't succeed tell me exactly at which stage that happens. 
> 

Hello Eddy:

1) I chose Edit | Preferences | Cipher | View Certificates to open my Certificate Viewer in Firefox (I am translating those commands from Spanish because I don't know the actual English commands, but I really do open my Certificate Viewer).

2) I select My certificates View and choose one of them for export.

3) Click on the Backup button.

4) As I have launched Firefox from my account, I choose my home directory to back up the certificate and store it. Obviously my home directory is writable for me.

5) I enter a file name (complete filename, with name and extension ".p12") and I click on the "Store it" button.

6) Now my system asks me for the master password of my certificate container. I enter my master password and click on the "Accept" button.

At this point I get an error message saying "Se produjo un fallo por motivos desconocidos al guardar la copia de seguridad del archivo PKCS #12." or in English "There was a fail with unknown causes when a backup of a PKCS #12 file was made" (more or less translating literally).

Best regards


This bug is about IMPORTing an existing PKCS12 file. 
Fernando's comments are about EXPORTING to a new PKCS12 file.
These are not the same problem.  Please don't try to make this bug
cover additional problems than the one that it was originally about.
(In reply to comment #10)
> This bug is about IMPORTing an existing PKCS12 file. 
> Fernando's comments are about EXPORTING to a new PKCS12 file.
> These are not the same problem.  Please don't try to make this bug
> cover additional problems than the one that it was originally about.
> 

Hello Nelson:

This isn't exact indeed, I actually cannot export or import certificates, as you can see at bug 442151 title:

"[Bug 442151] I can't export or install digital certificates".

Also, I had said:

"I have found a problem when I try to export (backup) a certificate or when I try to install another one."

Remy can check if he can export a certificate. If he has none for export, he can use https://www.startssl.com/ and install one from the web (I can do that without problems) and try to export it. 

I am convinced about that, probably this is the same problem. If this is the case, we could consider one of them as a duplicate. But I only want to suggest that.

Best regards.

I propose we limit this bug to discussing Remy's problems,
and let's discuss all details of Fernando's problems in bug 442151,
until we are sure both are the same.

Comment 7, 8, 9 should have been added to bug 442151, not this one.

Remy, can you please tell us the password for the file you have attached?
Oops! My bad. Forgot to provide the password.

It's "123456" (without the quotes).

For me FF shows the error even before asking the password.
Remy, thanks for the password.

I downloaded the official Firefox 3 Linux release from www.mozilla.com and created a new profile, and was successfully able to import. I was prompted for a password.

I also tried a local build, I tried with the Fedora binary (that uses external NSS), and I tried with an existing profile.

All my tests worked for me.


So maybe this is a Windows-specific problem?
It seems to be a Windows-specific problem.

I'm writing now from a Xubuntu 8.04 with FF 3.0 and the file I attached to the bug works fine. Imported it without any problem.

On the other hand, I've tried two other Vista boxes here, and got the same problem. Is it worth trying on an XP box also?
If you are quickly able to test on XP, that would be great.

I am using XP and that's what I would use to try to reproduce this bug.


I think the fact this is a Windows only problem suggests that Fernando's and Remy's problems are separate bugs.
Unfortunately I am unable to reproduce on Windows XP SP3.
I downloaded Firefox 3 setup.exe from www.mozilla.com
I used a fresh profile and could successfully import xxx.p12.
OK, now it seems I've nailed down the problem. I did several tests here after reading that Kai couldn't reproduce it in XP. This is what I did:

Test 1: Create a new profile and try to import xxx.p12.
Result: Certificate was successfully imported.

Test 2: Start in safe mode and try to import xxx.p12.
Result: Certificate was successfully imported.

Test 3: Disable all add-ons and try to import xxx.p12.
Result: Certificate was successfully imported.

At this time it was clear to me that it has something to do with some add-on. I have the following installed:

- Adblock Plus 0.7.5.5
- Japanese-English Dictionary for Rikaichan 1.06
- Rikaichan 1.02
- Torbutton 1.2.0rc1
- User Agent Switcher 0.6.11
- Portuguese Spell Checking 1.0

So I started with all of them disabled, and went on enabling one by one and trying to import the certificate. I was leaving the ones that didn't seem to affect the problem enabled after testing them.

**** Possible cause ****

The problem seems to be Torbutton 1.2.0rc1. When I enabled it I couldn't import the certificate anymore, and the error message I first reported appeared. Disabling Torbutton makes it possible to import the certificate.

So I'm not sure if this is a bug in Torbutton, nor why a bug in it would affect certificate management in FF. Would someone mind clarifying a little bit more?
I (the torbutton author) am unable to import your attached certificate
on Firefox 3 even when I disable Torbutton, uninstall Torbutton, and
create a whole new blank FF3 profile.

I think there may be some confusion here. There may be some certificate
issues with Torbutton (see Bug 442151), but I don't think this is one
that's our fault. I am still trying to get a repro cert that triggers
442151 btw, so if you come across one please let me know.
Just a quick confirmation of Remy's test: Firefox 3.0 with Torbutton 1.2.0rc1 cannot import PKCS#12 files, but if Torbutton is not enabled there is no problem with the import function. I've tried importing PKCS#12 with an earlier version of Firefox (1.5.0.7) with Torbutton enabled: there was also no problem (and the profile with the newly imported PKCS#12 was kept after re-install of Firefox 3.0 with Torbutton).
Mike, maybe the problem with Torbutton is Windows-only. What platform did you test?

Remy, Aron and myself did not see problems with a default install, therefore I'm resolving this as INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Just wanted to let you know that the problem persists with Torbutton 1.2.0rc5, that I've just got.

As per Kai's comment, I understand that you consider this a bug in Torbutton, not Firefox, correct? How does that go along with Mike's comment (https://bugzilla.mozilla.org/show_bug.cgi?id=440033#c20)? It seems he's having the same problem, even without Torbutton installed.

As for me, my particular problem is solved, since I can import the certificates once I disable Torbutton (enabling it after that won't have any negative effects). But I'd like to help understanding this issue better, and maybe providing a solution that is not a workaround.
I can confirm that disabling Torbutton 1.2.0rc5 resolves the client certificate import problem in Firefox 3 under Ubuntu 8.04LTS.
Can someone please generate/provide a test PKCS#12 certificate that triggers this issue, or provide detailed instructions on how to make one? The only reproduction cert I have so far was Remy's one above, which causes the issue for me regardless of Torbutton. Generating my own certs does not cause the problem (but they are PEM, PKCS#7, or other formats that also don't trigger the issue).
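
Added example, not part of the original thread or any commenter's words: one way to build a throwaway PKCS#12 file (private key plus self-signed certificate) with the openssl command line and to confirm outside the browser that it decrypts and parses, so an import failure can be attributed to the browser profile or an add-on rather than to the file. The subject name, file names and passwords are constructed, and nothing here is claimed to trigger the reported error.

```shell
#!/bin/sh
# Added example: constructed names and passwords, for import testing only.

# make_test_p12 OUTDIR PASSWORD -> writes OUTDIR/test.p12 and prints its path
make_test_p12() {
    outdir=$1; pass=$2
    # 1. RSA key and self-signed certificate in PEM form
    #    (key left unencrypted on disk: acceptable only for test material).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=p12-import-test.example" \
        -keyout "$outdir/test.key" -out "$outdir/test.crt" 2>/dev/null || return 1
    # 2. Bundle key and certificate into a password-protected PKCS#12 file.
    #    The password goes through the environment, not the argument list.
    P12_PASS=$pass openssl pkcs12 -export \
        -inkey "$outdir/test.key" -in "$outdir/test.crt" \
        -name "p12 import test" -passout env:P12_PASS \
        -out "$outdir/test.p12" || return 1
    printf '%s\n' "$outdir/test.p12"
}

# check_p12 FILE PASSWORD -> status 0 only if the MAC verifies and the
# container parses with that password; nothing is written out (-noout).
check_p12() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}

# Demo run in a scratch directory.
tmp=$(mktemp -d)
p12=$(make_test_p12 "$tmp" "constructed-pass") &&
    check_p12 "$p12" "constructed-pass" &&
    echo "ok: $p12 parses with the right password"
check_p12 "$p12" "wrong-pass" || echo "ok: wrong password is rejected"
rm -rf "$tmp"
```

A file that passes `check_p12` but still fails to import points away from the file itself, which is the distinction the add-on bisection in this thread was trying to establish.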