491698 - Firefox silently fails to import a bogus P12 certificate file

Status: RESOLVED WORKSFORME

(Core :: Security: PSM, defect)

Description

[Ricardo Camacho]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

Hello guys,

I've just created an application that generates .p12 certificates. I can import them correctly onto the windows keystore with no problem and all the extensions are there as well as the information. 

Before you ask yes I am sure I'm using the proper password! ;-)

Password is 123456. I'm attaching the p12 file to this question.

Can anyone see a reason to why this isnt imported by FF?

Thanks in advance!


Reproducible: Always

Steps to Reproduce:
1. Open up the Tools->Options menu, and go into the Advanced->Encryption->View Certificates screen
2. Click the import button and use the screen to select the appropriate P12 file

Actual Results:  
The dialog disappears and no action seems to be performed, no error message, and the certificate was not imported.

Expected Results:  
The certificate should have been added to the keystore.

I'd like to attach the p12 file that is causing this behaviour for your analysis but I'm unsure as to how to do it in bugzilla, I'll try later to add it to the bug however.

Comment 1

[Ricardo Camacho]

Attachment: The certificate file causing the behaviour, password is 123456

Comment 2

[Noah (NoahSUMO/SolidSnake) [:Noah]]

In the Certificate Manager window, which tab are you using? Probably "Servers". Try importing from the "Your Certificates" tab.

Comment 3

[Ricardo Camacho]

I tried importing to all types of certificates, although the goal was to import into the 'Your Certificates' tab. None worked.

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

While investigating this, I found (at least) 3 separate problems (so far).
Two of them are NSS bugs.  One is that PSM doesn't report an error in some
cases where NSS does report an import failure.  I'm going to leave this bug
as a PSM bug about that last problem, and file some additional NSS bugs about
the NSS bugs.

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

OK, This pkcs`12 file is bogus.  The wrapped private key does not have the
same modulus as the modulus in the public key in the cert.  In other words,
that private key is not the private key that goes with that cert.  

The PKCS12 import code was correct, IMO, to not import it.  So, this bug 
is not that it failed to import, but rather that the failure was silent.

I wonder if the NSS patch for bug 492131 will suffice to fix this.

Comment 6

[Ricardo Camacho]

You are right Nelson, I just noticed it myself and was about to post this information. 
The creation of the file, implied communicating with the CA through a webservice, and the application was sending the wrong certificate ID thus wrongly merging the certificates.
I dont have the time to test the NSS patch you refer at the moment but I'll keep it in mind.
I agree with you that NSS should not have imported the file, but the lack of message can be disturbing.

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

The current behavior I'm seeing is the "... failed for an unknown reason" dialog (which isn't great, but at least this isn't a silent failure any more).