Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"

VERIFIED FIXED in Firefox 6

Status

()

defect
--
blocker
VERIFIED FIXED
8 years ago
8 years ago

People

(Reporter: 5rgz6ni02, Assigned: kaie)

Tracking

({regression})

6 Branch
mozilla8
All
Other
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox6+ fixed, firefox7+ fixed)

Details

Attachments

(4 attachments, 2 obsolete attachments)

Reporter

Description

8 years ago
User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0a2) Gecko/20110709 Firefox/7.0a2
Build ID: 20110709042004

Steps to reproduce:

Start Aurora with a new Profile just to be sure
Open Menu Preferences 
Select  Advanced | Encryption , View Certificates
Select tab certificates, scroll down to Thawte
Select first Thawte Certificate, click "view..." button 

(Actually the problem is not specific to this single certificate. I tried many more built-in root certificates and they all had the same issue.)



Actual results:

Certificate Viewer opens, it says "could not verify this certificate for unknown reasons"


Expected results:

Certificate Viewer opens, it should say "this certificates has been verified for the following uses" and a list of uses.
Reporter

Comment 1

8 years ago
Posted file about:support
about:support info attached

Updated

8 years ago
Component: General → Security
QA Contact: general → firefox
Reporter

Comment 2

8 years ago
Posted file about:buildconfig
Aurora has been updated several times since I originally reported the bug. The problem persists. Someone on irc wanted to see "my" about:buildconfig (I guess this really is Aurora's configuration), so I attach it here.

Updated

8 years ago
Keywords: 64bit

Updated

8 years ago
Keywords: 64bit
Blocks: psm-pkix
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
This is caused by bug 479393:

+ verifyResult =
+  CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
 			    certificateUsageSSLClient |
 			    certificateUsageSSLServer |
 			    certificateUsageSSLServerWithStepUp |
 			    certificateUsageEmailSigner |
 			    certificateUsageEmailRecipient |
 			    certificateUsageObjectSigner |
 			    certificateUsageSSLCA |
 			    certificateUsageStatusResponder,
 			    NULL, &usages);
...

+ if (verifyResult != SECSuccess) {
+     int err = PR_GetError();
+     verifyFailed(_verified, err);
+     return NS_OK;
+ }

We are expecting that CERT_VerifyCertificateNow will return SECSuccess if at least one of the given usages is valid. However, it actually returns SECFailure unless all of the given usages are valid. I remember that Kai's original patch was correctly ignoring the return value of CERT_VerifyCertificateNow, but he "corrected" it when I told him we should check the return value. My bad. :(

The fix is simple: restore the error detection logic to the way it was done before:

- if (count == 0) {
-     verifyFailed(_verified, err);		
- } else {		
-     *_verified = nsNSSCertificate::VERIFIED_OK;		
- }

Also, we should add a comment about why we are not checking the return value.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This affects Firefox 6, so we might want to consider fixing it there before shipping (I'm not exactly sure how critical this is).

Comment 5

8 years ago
(In reply to comment #4)
> (I'm not exactly sure how critical this is).

Fairly "critical", IMO, as it affects the display of *all* certs in cert viewer (Fx 6 will show "Could not verify this certificate for unknown reasons" even if a server cert is perfectly valid - try https://addons.mozilla.org e.g.).
Keywords: regression
Version: 7 Branch → 6 Branch
Assignee: nobody → bsmith
This causes the certificate viewer to show a misleading message in the General tab, and prevents the general tab from displaying the usages for which the certificate is valid. The information is still available from the Details tab. No other certificate functionality is affected by the bug--in particular, it doesn't affect any other parts of the UI like the site identity block, it doesn't stop valid SSL connections from working, and it doesn't allow invalid SSL connections to work.
Summary: Aurora regression: Built-in root certificates are displayed as untrusted → Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"
Assignee

Comment 7

8 years ago
Should be a blocker.
Severity: normal → blocker
Assignee

Comment 8

8 years ago
Let's be clear which parts need to be reverted and attach a patch.
Here is the fix.

The libpkix case is still broken, but that doesn't matter because libpkix is not enabled yet and can only be enabled with an unsupported hidden pref. I filed 672811 for fixing the libpkix case.
Attachment #547103 - Flags: review?(kaie)
Assignee

Comment 10

8 years ago
Attachment #547104 - Flags: review?(bsmith)
Assignee

Updated

8 years ago
Assignee: bsmith → kaie
Assignee

Comment 11

8 years ago
Comment on attachment 547103 [details] [diff] [review]
Fix usage display in cert viewer for non-libpkix case only

I don't like your patch, because you call PR_GetError() very late. Please call it as early as we did in the past, immediately after the action - this avoids all risk that other activity might change the error code.
Attachment #547103 - Flags: review?(kaie) → review-
Assignee

Comment 12

8 years ago
Also, you're calling PORT_GetError, while the old code used PR_GetError. Let's use exactly what we did in the past.
Comment on attachment 547104 [details] [diff] [review]
Patch v1 - restore the old behaviour

Review of attachment 547104 [details] [diff] [review]:
-----------------------------------------------------------------

r+. Please add my comment and (void) in front of the call to CERT_VerifyCertificateNow, so we don't make this mistake again.
Attachment #547104 - Flags: review?(bsmith) → review+
Assignee

Comment 14

8 years ago
(In reply to comment #9)
> 
> The libpkix case is still broken, but that doesn't matter because libpkix is
> not enabled yet and can only be enabled with an unsupported hidden pref. I
> filed 672811 for fixing the libpkix case.

My patch works in the libpkix case, too.
Assignee

Comment 15

8 years ago
(In reply to comment #14)
> 
> My patch works in the libpkix case, too.

I'm wrong.
Kai, lets worry about the libpkix case in bug 672811. I will comment there.
Assignee

Comment 17

8 years ago
carrying forward r=bsmith
Attachment #547104 - Attachment is obsolete: true
Attachment #547113 - Flags: review+
Assignee

Updated

8 years ago
Attachment #547103 - Attachment is obsolete: true
Assignee

Comment 18

8 years ago
http://hg.mozilla.org/mozilla-central/rev/c9cdc5df55f4
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Assignee

Comment 19

8 years ago
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Requesting approval for beta and aurora.
Firefox 6 would be the first release to show up this regression bug.
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-aurora?
Assignee

Updated

8 years ago
Assignee

Updated

8 years ago
Target Milestone: --- → mozilla6

Comment 20

8 years ago
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Approved for releases/mozilla-aurora and releases/mozilla-beta. We'll also track this to make sure we don't ship with this regression
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-beta+
Attachment #547113 - Flags: approval-mozilla-aurora?
Attachment #547113 - Flags: approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110726 Firefox/8.0a1

Verified issue on mozilla central using the STR from Comment 0, on Windows XP, Windows 7, Ubuntu and Mac OS X 10.6.

The target milestone of this bug is set to mozilla 6. Will this land on Firefox beta 6 and Aurora also?
Target Milestone: mozilla6 → mozilla8
Reporter

Comment 24

8 years ago
Thanks everybody, works again in the Aurora release I just received via auto update. Not sure about Mozilla's bugzilla process. Should I as the original reporter set the status to verified?

Comment 25

8 years ago
(In reply to comment #24)
> Thanks everybody, works again in the Aurora release I just received via auto
> update. Not sure about Mozilla's bugzilla process. Should I as the original
> reporter set the status to verified?

You could have done, or anyone else who could reproduce the problem and verify the fix.  I'll set it now, based on your comment.  Thanks for the report.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.