UTF8 characters in client certificate not displayed correctly from Firefox cert store



10 years ago
2 years ago


(Reporter: mike220474, Assigned: kaie)


Firefox Tracking Flags

(Not tracked)




(3 attachments)



10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/2008102920 Firefox/3.0.4

I have created a X.509 v3 client certificate using OpenSSL.

The CN and OU field contain UTF8 characters, in this case Thai
characters for testing purposes.

When I import this certificate into the Windows certificate store it
shows all fields correctly, ie I can actually see the Thai characters
I used.

However when I import the certificate into Firefox (3.04) and view the
certificate subject from Firefox (tools->options->advanced->view
certificates->view->details) then the UTF8 characters are not shown

Result: http://www.vandersman.org/certstore.PNG 

Serverside the certificate subject is interpreted correctly for
authentication purposes, when I use Firefox to go to a server to
authenticate against. 

The used certificate in DER and PEM file format can be found here:

The required CA chain can be found here:

Reproducible: Always

Steps to Reproduce:
1. Create a certificate using Thai characters using the Open SSL libs
2. Import the certificate into the browser

Actual Results:  

Additional information can be found here:

Likely ties to bug: https://bugzilla.mozilla.org/show_bug.cgi?id=234856
In many cases we've found that the strings aren't being properly identified in the certificate as UTF8 strings, but whether this is our bug or not, I'll move it to the component that tracks this UI.
Assignee: nobody → kaie
Component: Security → Security: UI
Product: Firefox → Core
QA Contact: firefox → ui

Comment 2

10 years ago
Created attachment 354934 [details]

Comment 3

10 years ago
Created attachment 354935 [details]

Comment 5

10 years ago
so. for the time being, i'km going to resolve this as invalid.
you've removed the chain (which is unfortunate) and nelson indicates in the thread:

> The CN and OU attributes in that cert, which (as I understand it) you 
> have said are UTF8 strings, are not encoded as UTF8 strings.  That is, 
> the DER encoding in the certificate does not say they are UTF8 strings. 
> It says they are Teletex strings.  This is an improper encoding for 
> UTF8 strings. 

I believe it's our expectation that a proper CA would not sign such an invalid Certificate.

note that we kindly request that you attach the relevant files to bugzilla so that they are available later (to avoid the problem of a file such as http://www.boraxx.nl/Mozilla/ChainUCAcert.pem being missing).
Last Resolved: 10 years ago
Resolution: --- → INVALID
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.