The default bug view has changed. See this FAQ.

Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"

VERIFIED FIXED in Firefox 6

Status

()

Core
Security: PSM
--
blocker
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: Uwe Geuder, Assigned: kaie)

Tracking

({regression})

6 Branch
mozilla8
All
Other
regression
Points:
---

Firefox Tracking Flags

(firefox6+ fixed, firefox7+ fixed)

Details

Attachments

(4 attachments, 2 obsolete attachments)

(Reporter)

Description

6 years ago
Created attachment 545008 [details]
screen shots: Aurora 7.0a2 top, FF 3.6.18 bottom

User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0a2) Gecko/20110709 Firefox/7.0a2
Build ID: 20110709042004

Steps to reproduce:

Start Aurora with a new Profile just to be sure
Open Menu Preferences 
Select  Advanced | Encryption , View Certificates
Select tab certificates, scroll down to Thawte
Select first Thawte Certificate, click "view..." button 

(Actually the problem is not specific to this single certificate. I tried many more built-in root certificates and they all had the same issue.)



Actual results:

Certificate Viewer opens, it says "could not verify this certificate for unknown reasons"


Expected results:

Certificate Viewer opens, it should say "this certificates has been verified for the following uses" and a list of uses.
(Reporter)

Comment 1

6 years ago
Created attachment 545009 [details]
about:support

about:support info attached

Updated

6 years ago
Component: General → Security
QA Contact: general → firefox
(Reporter)

Comment 2

6 years ago
Created attachment 545697 [details]
about:buildconfig

Aurora has been updated several times since I originally reported the bug. The problem persists. Someone on irc wanted to see "my" about:buildconfig (I guess this really is Aurora's configuration), so I attach it here.

Updated

6 years ago
Keywords: 64bit

Updated

6 years ago
Keywords: 64bit
Blocks: 479393
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
This is caused by bug 479393:

+ verifyResult =
+  CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
 			    certificateUsageSSLClient |
 			    certificateUsageSSLServer |
 			    certificateUsageSSLServerWithStepUp |
 			    certificateUsageEmailSigner |
 			    certificateUsageEmailRecipient |
 			    certificateUsageObjectSigner |
 			    certificateUsageSSLCA |
 			    certificateUsageStatusResponder,
 			    NULL, &usages);
...

+ if (verifyResult != SECSuccess) {
+     int err = PR_GetError();
+     verifyFailed(_verified, err);
+     return NS_OK;
+ }

We are expecting that CERT_VerifyCertificateNow will return SECSuccess if at least one of the given usages is valid. However, it actually returns SECFailure unless all of the given usages are valid. I remember that Kai's original patch was correctly ignoring the return value of CERT_VerifyCertificateNow, but he "corrected" it when I told him we should check the return value. My bad. :(

The fix is simple: restore the error detection logic to the way it was done before:

- if (count == 0) {
-     verifyFailed(_verified, err);		
- } else {		
-     *_verified = nsNSSCertificate::VERIFIED_OK;		
- }

Also, we should add a comment about why we are not checking the return value.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This affects Firefox 6, so we might want to consider fixing it there before shipping (I'm not exactly sure how critical this is).
tracking-firefox6: --- → ?

Comment 5

6 years ago
(In reply to comment #4)
> (I'm not exactly sure how critical this is).

Fairly "critical", IMO, as it affects the display of *all* certs in cert viewer (Fx 6 will show "Could not verify this certificate for unknown reasons" even if a server cert is perfectly valid - try https://addons.mozilla.org e.g.).
Keywords: regression
Version: 7 Branch → 6 Branch
Assignee: nobody → bsmith
This causes the certificate viewer to show a misleading message in the General tab, and prevents the general tab from displaying the usages for which the certificate is valid. The information is still available from the Details tab. No other certificate functionality is affected by the bug--in particular, it doesn't affect any other parts of the UI like the site identity block, it doesn't stop valid SSL connections from working, and it doesn't allow invalid SSL connections to work.
Summary: Aurora regression: Built-in root certificates are displayed as untrusted → Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons"
(Assignee)

Comment 7

6 years ago
Should be a blocker.
Severity: normal → blocker
(Assignee)

Comment 8

6 years ago
Let's be clear which parts need to be reverted and attach a patch.
Created attachment 547103 [details] [diff] [review]
Fix usage display in cert viewer for non-libpkix case only

Here is the fix.

The libpkix case is still broken, but that doesn't matter because libpkix is not enabled yet and can only be enabled with an unsupported hidden pref. I filed 672811 for fixing the libpkix case.
Attachment #547103 - Flags: review?(kaie)
(Assignee)

Comment 10

6 years ago
Created attachment 547104 [details] [diff] [review]
Patch v1 - restore the old behaviour
Attachment #547104 - Flags: review?(bsmith)
(Assignee)

Updated

6 years ago
Assignee: bsmith → kaie
(Assignee)

Comment 11

6 years ago
Comment on attachment 547103 [details] [diff] [review]
Fix usage display in cert viewer for non-libpkix case only

I don't like your patch, because you call PR_GetError() very late. Please call it as early as we did in the past, immediately after the action - this avoids all risk that other activity might change the error code.
Attachment #547103 - Flags: review?(kaie) → review-
(Assignee)

Comment 12

6 years ago
Also, you're calling PORT_GetError, while the old code used PR_GetError. Let's use exactly what we did in the past.
Comment on attachment 547104 [details] [diff] [review]
Patch v1 - restore the old behaviour

Review of attachment 547104 [details] [diff] [review]:
-----------------------------------------------------------------

r+. Please add my comment and (void) in front of the call to CERT_VerifyCertificateNow, so we don't make this mistake again.
Attachment #547104 - Flags: review?(bsmith) → review+
(Assignee)

Comment 14

6 years ago
(In reply to comment #9)
> 
> The libpkix case is still broken, but that doesn't matter because libpkix is
> not enabled yet and can only be enabled with an unsupported hidden pref. I
> filed 672811 for fixing the libpkix case.

My patch works in the libpkix case, too.
(Assignee)

Comment 15

6 years ago
(In reply to comment #14)
> 
> My patch works in the libpkix case, too.

I'm wrong.
Kai, lets worry about the libpkix case in bug 672811. I will comment there.
(Assignee)

Comment 17

6 years ago
Created attachment 547113 [details] [diff] [review]
Patch v1 with comment added

carrying forward r=bsmith
Attachment #547104 - Attachment is obsolete: true
Attachment #547113 - Flags: review+
(Assignee)

Updated

6 years ago
Attachment #547103 - Attachment is obsolete: true
(Assignee)

Comment 18

6 years ago
http://hg.mozilla.org/mozilla-central/rev/c9cdc5df55f4
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 19

6 years ago
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Requesting approval for beta and aurora.
Firefox 6 would be the first release to show up this regression bug.
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

6 years ago
tracking-firefox7: --- → ?
(Assignee)

Updated

6 years ago
Target Milestone: --- → mozilla6

Updated

6 years ago
tracking-firefox6: ? → +
tracking-firefox7: ? → +

Comment 20

6 years ago
Comment on attachment 547113 [details] [diff] [review]
Patch v1 with comment added

Approved for releases/mozilla-aurora and releases/mozilla-beta. We'll also track this to make sure we don't ship with this regression
Attachment #547113 - Flags: approval-mozilla-beta?
Attachment #547113 - Flags: approval-mozilla-beta+
Attachment #547113 - Flags: approval-mozilla-aurora?
Attachment #547113 - Flags: approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110726 Firefox/8.0a1

Verified issue on mozilla central using the STR from Comment 0, on Windows XP, Windows 7, Ubuntu and Mac OS X 10.6.

The target milestone of this bug is set to mozilla 6. Will this land on Firefox beta 6 and Aurora also?
Target Milestone: mozilla6 → mozilla8
Yes, it will.

Comment 23

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/8966bdc465aa
http://hg.mozilla.org/releases/mozilla-beta/rev/d66a5a76f6ba
status-firefox6: --- → fixed
status-firefox7: --- → fixed
(Reporter)

Comment 24

6 years ago
Thanks everybody, works again in the Aurora release I just received via auto update. Not sure about Mozilla's bugzilla process. Should I as the original reporter set the status to verified?

Comment 25

6 years ago
(In reply to comment #24)
> Thanks everybody, works again in the Aurora release I just received via auto
> update. Not sure about Mozilla's bugzilla process. Should I as the original
> reporter set the status to verified?

You could have done, or anyone else who could reproduce the problem and verify the fix.  I'll set it now, based on your comment.  Thanks for the report.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.