Closed Bug 670454 Opened 10 years ago Closed 10 years ago

Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"

Categories

(Core :: Security: PSM, defect)

6 Branch
All
Other
defect
Not set
blocker

Tracking

()

VERIFIED FIXED
mozilla8
Tracking Status
firefox6 + fixed
firefox7 + fixed

People

(Reporter: 5rgz6ni02, Assigned: KaiE)

References

Details

(Keywords: regression)

Attachments

(4 files, 2 obsolete files)

User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0a2) Gecko/20110709 Firefox/7.0a2
Build ID: 20110709042004

Steps to reproduce:

Start Aurora with a new Profile just to be sure
Open Menu Preferences 
Select  Advanced | Encryption , View Certificates
Select tab certificates, scroll down to Thawte
Select first Thawte Certificate, click "view..." button 

(Actually the problem is not specific to this single certificate. I tried many more built-in root certificates and they all had the same issue.)



Actual results:

Certificate Viewer opens, it says "could not verify this certificate for unknown reasons"


Expected results:

Certificate Viewer opens, it should say "this certificates has been verified for the following uses" and a list of uses.
Attached file about:support
about:support info attached
Component: General → Security
QA Contact: general → firefox
Attached file about:buildconfig
Aurora has been updated several times since I originally reported the bug. The problem persists. Someone on irc wanted to see "my" about:buildconfig (I guess this really is Aurora's configuration), so I attach it here.
Keywords: 64bit
Keywords: 64bit
Blocks: psm-pkix
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
This is caused by bug 479393:

+ verifyResult =
+  CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
 			    certificateUsageSSLClient |
 			    certificateUsageSSLServer |
 			    certificateUsageSSLServerWithStepUp |
 			    certificateUsageEmailSigner |
 			    certificateUsageEmailRecipient |
 			    certificateUsageObjectSigner |
 			    certificateUsageSSLCA |
 			    certificateUsageStatusResponder,
 			    NULL, &usages);
...

+ if (verifyResult != SECSuccess) {
+     int err = PR_GetError();
+     verifyFailed(_verified, err);
+     return NS_OK;
+ }

We are expecting that CERT_VerifyCertificateNow will return SECSuccess if at least one of the given usages is valid. However, it actually returns SECFailure unless all of the given usages are valid. I remember that Kai's original patch was correctly ignoring the return value of CERT_VerifyCertificateNow, but he "corrected" it when I told him we should check the return value. My bad. :(

The fix is simple: restore the error detection logic to the way it was done before:

- if (count == 0) {
-     verifyFailed(_verified, err);		
- } else {		
-     *_verified = nsNSSCertificate::VERIFIED_OK;		
- }

Also, we should add a comment about why we are not checking the return value.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This affects Firefox 6, so we might want to consider fixing it there before shipping (I'm not exactly sure how critical this is).
(In reply to comment #4)
> (I'm not exactly sure how critical this is).

Fairly "critical", IMO, as it affects the display of *all* certs in cert viewer (Fx 6 will show "Could not verify this certificate for unknown reasons" even if a server cert is perfectly valid - try https://addons.mozilla.org e.g.).
Keywords: regression
Version: 7 Branch → 6 Branch
Assignee: nobody → bsmith
This causes the certificate viewer to show a misleading message in the General tab, and prevents the general tab from displaying the usages for which the certificate is valid. The information is still available from the Details tab. No other certificate functionality is affected by the bug--in particular, it doesn't affect any other parts of the UI like the site identity block, it doesn't stop valid SSL connections from working, and it doesn't allow invalid SSL connections to work.
Summary: Aurora regression: Built-in root certificates are displayed as untrusted → Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"
Should be a blocker.
Severity: normal → blocker
Let's be clear which parts need to be reverted and attach a patch.
Here is the fix.

The libpkix case is still broken, but that doesn't matter because libpkix is not enabled yet and can only be enabled with an unsupported hidden pref. I filed 672811 for fixing the libpkix case.
Attachment #547103 - Flags: review?(kaie)
Attachment #547104 - Flags: review?(bsmith)
Assignee: bsmith → kaie
Comment on attachment 547103 [details] [diff] [review]
Fix usage display in cert viewer for non-libpkix case only

I don't like your patch, because you call PR_GetError() very late. Please call it as early as we did in the past, immediately after the action - this avoids all risk that other activity might change the error code.
Attachment #547103 - Flags: review?(kaie) → review-
Also, you're calling PORT_GetError, while the old code used PR_GetError. Let's use exactly what we did in the past.
Comment on attachment 547104 [details] [diff] [review]
Patch v1 - restore the old behaviour

Review of attachment 547104 [details] [diff] [review]:
-----------------------------------------------------------------

r+. Please add my comment and (void) in front of the call to CERT_VerifyCertificateNow, so we don't make this mistake again.
Attachment #547104 - Flags: review?(bsmith) → review+
(In reply to comment #9)
> 
> The libpkix case is still broken, but that doesn't matter because libpkix is
> not enabled yet and can only be enabled with an unsupported hidden pref. I
> filed 672811 for fixing the libpkix case.

My patch works in the libpkix case, too.
(In reply to comment #14)
> 
> My patch works in the libpkix case, too.

I'm wrong.
Kai, lets worry about the libpkix case in bug 672811. I will comment there.
carrying forward r=bsmith
Attachment #547104 - Attachment is obsolete: true
Attachment #547113 - Flags: review+
Attachment #547103 - Attachment is obsolete: true
http://hg.mozilla.org/mozilla-central/rev/c9cdc5df55f4
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Requesting approval for beta and aurora.
Firefox 6 would be the first release to show up this regression bug.
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-aurora?
Target Milestone: --- → mozilla6
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Approved for releases/mozilla-aurora and releases/mozilla-beta. We'll also track this to make sure we don't ship with this regression
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-beta+
Attachment #547113 - Flags: approval-mozilla-aurora?
Attachment #547113 - Flags: approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110726 Firefox/8.0a1

Verified issue on mozilla central using the STR from Comment 0, on Windows XP, Windows 7, Ubuntu and Mac OS X 10.6.

The target milestone of this bug is set to mozilla 6. Will this land on Firefox beta 6 and Aurora also?
Target Milestone: mozilla6 → mozilla8
Thanks everybody, works again in the Aurora release I just received via auto update. Not sure about Mozilla's bugzilla process. Should I as the original reporter set the status to verified?
(In reply to comment #24)
> Thanks everybody, works again in the Aurora release I just received via auto
> update. Not sure about Mozilla's bugzilla process. Should I as the original
> reporter set the status to verified?

You could have done, or anyone else who could reproduce the problem and verify the fix.  I'll set it now, based on your comment.  Thanks for the report.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.