450559 - When a certificate previously created using IE browser (Version 6.0 on Windows XP) is imported into Firefox the certificate identification gets corrupted.

Status: RESOLVED WORKSFORME

(Core :: Security: PSM, defect)

Description

[Kristina]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

When selecting a certificate from a web portal, the User Identification Request window displays the certificate’s identification name as a string of characters, in which case the subject name is not being displayed as expected. 

Through continues testing, this has been seen to occur whenever a certificate is being exported from an Internet Explorer browser and the same certificate is then being imported into Firefox browser under the same OS platform.


Reproducible: Always

Steps to Reproduce:
From the URL provided above, a registered user can click on ‘Select Digital certificate’ to select the respective certificate to further secure the authentication session.


Actual Results:  
The certificate identification name is not being displayed as expected when a certificate was exported from Internet Explorer and imported through Firefox.



Expected Results:  
Ideally the certificate identification details should be well demonstrated for ease of identification.



Such problem has been also tested under Windows Vista and Ubuntu.

Comment 1

[Kristina]

Attachment: Report

Bug report with screen shots

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Again, a zip file of a Microsoft word file is not a usable file format for 
Mozilla developers.  

I find the description of this bug a bit too vague to understand what you're
really describing.  We know that many (thousands, at least) of users have
successfully copies certs of all kinds (user certs, CA certs, server certs)
from MS Windows certificate stores into Mozilla browsers, so the problem 
you describe must be for certificates with some particular characteristic 
that is common in your environment, but perhaps not to other users.

I don't know what you mean by "When selecting a certificate from a web portal".
You could mean
- selecting a user certificate to present to a remote server for client 
authentication purposes, or
- dealing with an unverifiable certificate dialog ("security exception"), or
- Some sort of web page that offers the user a variety of certifictes from 
which he can choose.  What kind of certificates would those be?  
Root CA certificates are generally the only type of certificates of which 
multiple might be presented to a user on a single web page.

Are you talking about exporting a user's certificate AND PRIVATE KEY into 
a PKCS#12 (.pfx) file, for the purpose of importing them into Firefox, 
using Windows' certificate export wizard?  

If so, there is a step you must take to properly prepare the certificate 
to be exported.  In MS Windows certificate manager, you must give the 
certificate a "Friendly Name" before exporting it to the PKCS#12 file. 
If you do not do that, then when windows exports the certificate to the 
PFX file, Windows will give the certificate a so-called "friendly name" 
that is actually a "GUID", a big long ugly number, something like this
  {E1C47C8F-5637-4824-9A30-E8339E7CEB98}
That is something done by Windows.  That is put into the file and Firefox
uses whatever name the creator of the pfx file puts into the pfx file.

If necessary, I think I might be able to provide some description of 
how to edit the certificate and give it a "Friendly Name" before you 
export it. 

Comment 3

[Kristina]

Dear Nelson,

I've managed to solve this problem as you suggested using the 'friendly name', and it worked fine.  Thanks a lot for your help.

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

No vulnerability here