
problem importing certificates, possibly related to MS-specific extension being critical

Status: RESOLVED WONTFIX
Product: Core
Component: Security: PSM
Reported: 10 years ago
Last modified: 2 years ago
People

(Reporter: magwas, Unassigned)

Tracking

Version: 1.9.0 Branch
Platform: x86 Linux

Details

(Whiteboard: [psm-cert-manager])

Attachments

(1 attachment)

Description (Reporter), 10 years ago

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
Build Identifier: thunderbird version 2.0.0.16 (20080724)

I have problems with several certificates issued by a Microsoft CA in Thunderbird.
Thunderbird says that
"""
This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
"""

I believe the problem is that the certificates contain a critical extension with oid 1.3.6.1.4.1.311.21.10
http://support.microsoft.com/kb/287547 says:
"""
Application Policies extension -- same encoding as szOID_CERT_POLICIES
       szOID_APPLICATION_CERT_POLICIES         1.3.6.1.4.1.311.21.10
""" 

How can I make psm know this extension?

I attach the certs for reproduction of the bug.

Reproducible: Always

Steps to Reproduce:
1. import the CA certs, set them to identity mail users
2. import the good cert, it works
3. try to import the bad cert, and see how it does not work.
Actual Results:  
Thunderbird says that
"""
This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
"""

Expected Results:  
certificate imported

This bug is a showstopper for me. If I cannot fix it, I have to use M$ Outlook, bleech.
Comment 1 (Reporter), 10 years ago

Created attachment 341084 [details]
The certificates you can reproduce the bug with.
Comment 2 (Reporter), 10 years ago

Comment on attachment 341084 [details]
The certificates you can reproduce the bug with. 

it is a tar.gz

Comment 3

NSS has two separate bodies of code that do cert path validation, an old one that does not understand policies and probably never will, and a new one that does understand policies now.

The Mozilla code common to Firefox, Thunderbird, SeaMonkey and other mozilla clients sometimes uses one and sometimes uses the other. Until it switches over completely to the new one, certs with critical policy extensions will continue to not be accepted by those products.

The policies extensions are not required to be critical. If you (or your company, whoever runs the CA) find that Microsoft's CA is taking control away from you, not letting you generate the certs you want to generate, you should consider finding a CA software product that will put you back in control.
Assignee: nobody → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Version: unspecified → 1.9.0 Branch
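The rule behind comment 3 is RFC 5280 section 4.2: a validator must reject a certificate that carries a critical extension it does not recognize, so a critical 1.3.6.1.4.1.311.21.10 fails in any path-validation code that has no policy support. The following is an added example, not code from the bug report or from NSS/PSM: a small DER walker that decodes a certificate's Extensions SEQUENCE and reports which extensions are critical but outside an assumed "known" set, run over a constructed sample that contains a non-critical keyUsage and a critical MS Application Policies extension.

```python
# Added example (not from the bug report or NSS): list the critical extensions
# of an X.509 Extensions SEQUENCE that a policy-unaware validator would not
# recognize and therefore reject (RFC 5280 section 4.2).
from typing import List, Tuple

MS_APPLICATION_CERT_POLICIES = "1.3.6.1.4.1.311.21.10"  # szOID_APPLICATION_CERT_POLICIES
# Assumption for the demo: the extensions an old, policy-unaware validator knows.
KNOWN_OIDS = {"2.5.29.15", "2.5.29.19", "2.5.29.14", "2.5.29.37"}

def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: n following bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents: first byte packs two arcs, rest are base-128."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_extensions(extensions_der: bytes) -> List[Tuple[str, bool]]:
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical) pairs."""
    tag, seq, _ = der_read(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = der_read(seq, pos)             # one Extension SEQUENCE
        _, oid_bytes, p = der_read(ext, 0)          # extnID
        tag, val, _ = der_read(ext, p)              # BOOLEAN critical, or already the OCTET STRING
        critical = tag == 0x01 and val != b"\x00"   # DEFAULT FALSE: absent BOOLEAN means not critical
        result.append((decode_oid(oid_bytes), critical))
    return result

def unknown_critical(extensions_der: bytes) -> List[str]:
    """OIDs that force rejection: critical and not understood by this validator."""
    return [oid for oid, crit in parse_extensions(extensions_der) if crit and oid not in KNOWN_OIDS]

# Constructed sample: non-critical keyUsage (digitalSignature|keyEncipherment), then a
# critical MS Application Policies extension whose value is an empty policies SEQUENCE.
KEY_USAGE_EXT = bytes.fromhex("300b" "0603551d0f" "0404" "030205a0")
MS_POLICY_EXT = bytes.fromhex("3012" "06092b060104018237150a" "0101ff" "04023000")
SAMPLE_EXTENSIONS = bytes([0x30, len(KEY_USAGE_EXT) + len(MS_POLICY_EXT)]) + KEY_USAGE_EXT + MS_POLICY_EXT

if __name__ == "__main__":
    for oid, crit in parse_extensions(SAMPLE_EXTENSIONS):
        print(f"{oid:<25} critical={crit} known={oid in KNOWN_OIDS}")
    print("unknown critical extensions:", unknown_critical(SAMPLE_EXTENSIONS))
```

On a real certificate, feed the function the bytes of the Extensions SEQUENCE inside the `[3]` EXPLICIT tag of TBSCertificate (for example cut out with `openssl asn1parse`); the same check tells you whether a cert issued with this OID critical will be refused before you import it.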
Comment 4 (Reporter), 10 years ago

Any timetable for switching over to the new code?
How can I help with it? If you outline what to be changed to what, I can dig into the code and maybe come out with a patch working.

If this would be a small company with maybe tens of rolled out certificates, I would switch CA and reroll the certs. (Or better I would not do the mistake to choose any software written by M$.) But it isn't.
Comment 5 (Reporter), 10 years ago

Okay, I have found code in security/manager/ssl/src/nsNSSCertificateDB.cpp , function nsNSSCertificateDB::ImportEmailCertificate

Is s/certificate/cert/ in function/constant names and doing the necessary changes coming from API changes is The Right Way?
I plan to change
SECCertUsage to SECCertificateUsage
certUsageEmailRecipient to certificateUsageEmailRecipient
CERT_VerifyCert to CERT_VerifyCertificate

But what to do with CERT_ImportCerts and CERT_CertChainFromCert? Cannot find the new equivalents.
Comment 6 (Reporter), 10 years ago

Tried the above, did not work.
Even tried CERT_SetUsePKIXForValidation(PR_TRUE) in CERT_VerifyCertificate, before the for cycle.
cert_VerifyCertChainPkix returns != SECSuccess, but could not yet find the exact place in the code where things went wrong.

Any help anyone?
Comment 7 (Reporter), 10 years ago

This is a reminder that I still have the bug, and it is a showstopper for me.
Downloading Microsoft outlook 2007 right now...

Comment 8, 8 years ago

Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody

Updated, 8 years ago

Whiteboard: [psm-cert-manager]

We won't be supporting this OID.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX