User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:188.8.131.52) Gecko/2008072820 Firefox/3.0.1
Build Identifier: thunderbird version 184.108.40.206 (20080724)

I have problems with several certificates issued by a Microsoft CA in Thunderbird. Thunderbird says that
"""
This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
"""
I believe the problem is that the certificates contain a critical extension with OID 1.3.6.1.4.1.311.21.10. http://support.microsoft.com/kb/287547 says:
"""
Application Policies extension -- same encoding as szOID_CERT_POLICIES
szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10
"""
How can I make PSM know this extension? I attach the certs for reproduction of the bug.

Reproducible: Always

Steps to Reproduce:
1. import the CA certs, set them to identify mail users
2. import the good cert, it works
3. try to import the bad cert, and see how it does not work.

Actual Results:
Thunderbird says that
"""
This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
"""

Expected Results:
certificate imported

This bug is a showstopper for me. If I cannot fix it, I have to use M$ Outlook, bleech.
Comment on attachment 341084: The certificates you can reproduce the bug with. It is a tar.gz.
NSS has two separate bodies of code that do cert path validation: an old one that does not understand policies and probably never will, and a new one that does understand policies now. The Mozilla code common to Firefox, Thunderbird, SeaMonkey and other Mozilla clients sometimes uses one and sometimes uses the other. Until it switches over completely to the new one, certs with critical policy extensions will continue not to be accepted by those products. The policies extensions are not required to be critical. If you (or your company, whoever runs the CA) find that Microsoft's CA is taking control away from you, not letting you generate the certs you want to generate, you should consider finding a CA software product that will put you back in control.
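The failure mode described in the comment above is the standard X.509 rule: a validator that meets a critical extension it does not recognise must reject the certificate, while a non-critical extension it does not recognise is simply ignored. The script below is an added example, not code from this bug, NSS or Mozilla. It decodes the DER Extensions SEQUENCE of a certificate, lists every critical extension the (illustrative, assumed) set of recognised OIDs does not cover, and also encodes the Application Policies extension both ways so the difference is visible. The extension bytes are constructed by hand for the example; the policy OID inside them (id-kp-emailProtection) is an assumption, not taken from the attached certificates.

```python
"""Flag critical X.509 extensions that a validator does not recognise.

Added example (not NSS/PSM code).  The Extensions bytes are constructed
inline; the set of "known" OIDs is illustrative and stands in for whatever
an old validator understands.
"""

# Microsoft szOID_APPLICATION_CERT_POLICIES, same encoding as certificatePolicies.
MS_APPLICATION_CERT_POLICIES = "1.3.6.1.4.1.311.21.10"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # assumed policy value for the sample

# Assumed set of extensions the validator understands (RFC 5280 core ones).
KNOWN_EXTENSIONS = {
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.37": "extKeyUsage",
}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = der_tlv(0x06, der_encode_oid(oid))
    if critical:                           # DER omits the BOOLEAN when it equals the default
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)


def parse_extensions(ext_seq: bytes):
    """Return [(oid, critical, extnValue bytes), ...] from an Extensions SEQUENCE."""
    tag, content, _ = der_read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(content):
        tag, ext, pos = der_read_tlv(content, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        _, oid_bytes, p = der_read_tlv(ext, 0)
        t, nxt, p = der_read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional critical BOOLEAN present
            critical = nxt != b"\x00"
            t, nxt, p = der_read_tlv(ext, p)
        result.append((der_decode_oid(oid_bytes), critical, nxt))
    return result


def unrecognised_critical(ext_seq: bytes, known=KNOWN_EXTENSIONS):
    """OIDs of critical extensions the validator must reject the cert for."""
    return [oid for oid, crit, _ in parse_extensions(ext_seq) if crit and oid not in known]


def sample_extensions(app_policies_critical: bool) -> bytes:
    """Constructed sample: basicConstraints, keyUsage, and the MS Application Policies extension."""
    policies = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, der_encode_oid(ID_KP_EMAIL_PROTECTION))))
    return der_tlv(0x30,
        encode_extension("2.5.29.19", True, der_tlv(0x30, b""))        # CA:FALSE
        + encode_extension("2.5.29.15", False, der_tlv(0x03, b"\x05\xa0"))
        + encode_extension(MS_APPLICATION_CERT_POLICIES, app_policies_critical, policies))


if __name__ == "__main__":
    for critical in (True, False):
        bad = unrecognised_critical(sample_extensions(critical))
        print("Application Policies critical=%s -> reject=%s %s" % (critical, bool(bad), bad))
```

Run against a real certificate, the same walk would start at the `[3]` EXPLICIT tag of the TBSCertificate rather than at a hand-built SEQUENCE; the decision logic is unchanged. The second run shows why the CA-side fix (mark the extension non-critical, as the comment above says is permitted) makes the certificate importable without any change to PSM.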
Assignee: nobody → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Version: unspecified → 1.9.0 Branch
Any timetable for switching over to the new code? How can I help with it? If you outline what is to be changed to what, I can dig into the code and maybe come out with a working patch. If this were a small company with maybe tens of rolled-out certificates, I would switch CA and re-roll the certs. (Or better, I would not make the mistake of choosing any software written by M$.) But it isn't.
Okay, I have found code in security/manager/ssl/src/nsNSSCertificateDB.cpp, function nsNSSCertificateDB::ImportEmailCertificate. Is s/certificate/cert/ in function/constant names and making the necessary changes that follow from the API changes The Right Way? I plan to change
  SECCertUsage to SECCertificateUsage
  certUsageEmailRecipient to certificateUsageEmailRecipient
  CERT_VerifyCert to CERT_VerifyCertificate
But what to do with CERT_ImportCerts and CERT_CertChainFromCert? Cannot find the new equivalents.
Tried the above, did not work. Even tried CERT_SetUsePKIXForValidation(PR_TRUE) in CERT_VerifyCertificate, before the for loop. cert_VerifyCertChainPkix returns != SECSuccess, but I could not yet find the exact place in the code where things went wrong. Any help, anyone?
This is a reminder that I still have the bug, and it is a showstopper for me. Downloading Microsoft Outlook 2007 right now...
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
We won't be supporting this OID.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX