Closed Bug 470318 Opened 17 years ago Closed 10 years ago

Can not find the required Certificate on Text Signing Request

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mnachev, Unassigned)

References

(
URL
)

Details

Attachments

(3 files)

The CertificateManager form where all 3 certificates in the SmartCard are shown
67.02 KB, image/png
Details
The Text Signing Request form where only 2 of possible 3 certificates are listed.
128.70 KB, image/png
Details
All certificates in the SmartCard.
4.41 KB, application/x-zip-compressed
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 In my SmartCard I have 3 certificates. When I do online banking and for some operation I received Text Signing Request only 2 Certificates are available (the "Ask me every time" radio button is selected of [Tools][Options][Advanced][Encryption][Certificates][When a server request my personal certificate]). The 3rd Certificate which is required is not listed in the Signing Certificate list menu of Text Singing Request Form. To solve that problem I must use MS Internet Explorer where I have not problems with the certificates, signing and logins. Reproducible: Always Steps to Reproduce: 1. Enter in HTTPS Web where my Certificate for online banking is required on the 1st page. 2. Enter the PIN code of the SmartCard 3. Create some document and try to sign it. Actual Results: It is not possible to sign the operation because only 2 of the 3 available certificates are listed. The other 2 certificates are for another organization (www.ePay.bg). I am trying to use the certificate for online.rbb.bg. Expected Results: To have 3 certificates in the list of certificates of Text Signing Request Form. To be able to select the correct certificate. I can send some pictures (snapshots) from CertificateManager and Text Signing Request forms.
The missed certificate is required for current operation.
Our algorithm for choosing (and some problems with it) are described at https://wiki.mozilla.org/PSM:CertPrompt I can't really see why your non-expired cert for the same site wasn't chosen and doesn't show as a choice, but the screenshots don't show the behind-the-scenes request from the server so we can judge what criteria it was using. Can you view the RBB cert and see what that cert is valid for?
Assignee: nobody → kaie
Group: core-security
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Servers requesting client key interactions send along a list of "acceptable issuers" as part of the request, so that PSM knows which keys to make available. The obvious difference between the missing key and the two others is that it has a different issuer certificate, and so my suspicion is that the server headers are not including that issuer (strange, since it appears to be RBB-issued, and it's RBB you're trying to connect to), hence we are not including it in the list. What makes me less sure of this is that it works in IE, but it still remains a possibility worth investigating here, I think.
Until now (more than 5 years) I am using Internet Banking together with SmartCards and definitely I can say that with Internet Explorer (IE) there are not problems. For me is strange how IE recognize the correct certificate and automatically use it without prompting. I am Java Developer/Architect with experience of Java Security and XML Security and this is very interesting to find the used protocol. Can you give me some instructions how to trace/debug IE and/or Firefox? From where can I read for the used protocol of IE? This night I will attach these 3 certificates with their public keys if this will help you. http://www.linkedin.com/in/mnachev
The Root CA Certificate of RBB is installed in Firefox also but is not in the SmartCard. Is it possible this to be a problem?
reporter: so. what would be more interesting is the challenge. Since you have backups (and i wouldn't normally attach an exported cert to bugzilla, if you need it deleted, just ask, it can be arranged).... i'd suggest you try this: delete all the other certificates except the one you really want to use. and then try to trigger the signing thing and see what happens. if it shows you the cert, then the problem is as described in comment 4. (afterwards, reinstall the other certificates) we probably should enhance the dialog to expose the information about which authorities the server is willing to accept...
OK. Delete the attached certificates. I can not remove the existing certificates in the SmartCard because I need of them for different institutions. Is there any standard protocol which certificate to be used? How this is realized in MS Internet Explorer where everything works perfectly without unneeded prompts? Maybe the combination of the current domain (online.rbb.bg) and username? Or if the server send some help information like user email? If you give me some instructions how to debug MS IE I can send you the log and the trace/debug information?
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Text signing (window.crypto.signText) is not supported anymore.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: