Closed Bug 74339 Opened 24 years ago Closed 23 years ago

Support import of SSL, S/MIME, and CA certs

Categories

(Core Graveyard :: Security: UI, enhancement, P3)

1.0 Branch
enhancement

Tracking

(Not tracked)

VERIFIED FIXED
Future

People

(Reporter: lord, Assigned: KaiE)

Attachments

(1 file, 2 obsolete files)

PSM should allow the user to import and export certs of various sorts. Note that this is more than just PKCS#12 support. Users should be able to export, say, a friend's S/MIME encryption cert to a file.
Target -> 2.1
Target Milestone: --- → 2.0
Target Milestone: 2.0 → 2.1
Keywords: nsenterprise
-> enhancement -> p3 -> move to future, as such a feature is most likely to be used in conjunction with s/mime.
Severity: normal → enhancement
Priority: -- → P3
Target Milestone: 2.1 → Future
Version: 1.01 → 2.0
You should be able to drag a cert from the Cert Manager (and possibly the Cert Viewer) to a Mail Compose window, or to the desktop.
moving to t->2.1: New feature candidate.
Target Milestone: Future → 2.1
Moving all P3 and P4 bugs targeted to 2.1 to future.
Target Milestone: 2.1 → Future
removing nsenterprise keyword from PSM bugs with target milestone of future.
Keywords: nsenterprise
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
OS > all
OS: Windows 2000 → All
QA Contact: ckritzer → junruh
Hardware: PC → All
Version: 2.0 → 2.1
Blocks: 74157
Depends on: 118772
Any hope that this will be done before Mozilla 1.0? This bug is the last significant feature that needs to be fixed to give usable S/MIME support in Mozilla (that is, comparable with current OE and old Netscape 4). I currently can't use my old certificates exported from other mail clients - I need to generate a new one from scratch at my CA, and do the whole process in Mozilla... I vote for raising priority and setting the target to something in the nearest future.
Re-assigning to Kai.
Assignee: ddrinan → kaie
Kai, I think this bug is quite important and its priority and severity need to be raised. It's not only an enhancement, this functionality is a must. For example, let's imagine I've received my friend's public key certificate in a .cer file on a floppy disk. Currently I'm unable to send encrypted mail to him because I cannot import that certificate into Other People's cert store - he needs to send signed mail to me first, that's the only option. Another example: there's a new internal CA in our company. I can get its root cert as a .crt file from a network fileserver share, but it isn't published on any HTTP server. If I want to set up trust for that new CA, I need to access it by HTTP, I cannot just point to a file on my disk and import it. So I need to put it on the web server only for the purpose of importing it in Mozilla and setting up trust. That's quite ridiculous. There just need to be "Import" buttons on all tabs in the cert manager, and import of various formats of certificate files must be possible (DER, PEM, p12 files and all).
Attached patch Patch v1 (obsolete) — Splinter Review
I still think this is an enhancement, but I agree it is a very reasonable enhancement. As it is not difficult to do, I created a patch. I tested with email recipient certificates and CA certificates, both in DER and PEM format. I added the ability to import server certificates, too, although I'm not sure whether anybody would ever need that. I found other small problems.
- Our existing import routine to import a CA cert always returns failure.
- Our cert tree view needed a fix to ensure the contents get refreshed if we add new entries.
- We reload the contents of the certificate manager user tab, even if the user only tried to import but pressed cancel.
Javi, can you please review?
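An added example, not part of the bug thread or of the PSM patch: a format check an import routine could run before parsing, for the DER, PEM and p12 inputs mentioned in the comments above. It tells PEM from DER and an X.509 certificate from a PKCS#12 bundle by the first inner ASN.1 tag; the names `read_tlv` and `classify` and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Parse one DER tag-length header; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("declared length runs past end of input")
    return tag, pos, pos + length

def classify(data):
    """Return (encoding, kind, der) for the first object in an import file."""
    m = PEM_RE.search(data)
    if m:
        if m.group(1) != b"CERTIFICATE":  # e.g. a private key pasted by mistake
            raise ValueError("PEM block is not a certificate")
        encoding, der = "PEM", base64.b64decode(m.group(2))
    else:
        encoding, der = "DER", data
    tag, start, end = read_tlv(der)
    if tag != 0x30 or end != len(der):    # one SEQUENCE, no trailing bytes
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, istart, iend = read_tlv(der, start)
    if inner_tag == 0x30:                 # Certificate begins with tbsCertificate
        return encoding, "x509-certificate", der
    if inner_tag == 0x02 and der[istart:iend] == b"\x03":  # PFX version 3
        return encoding, "pkcs12", der
    raise ValueError("unrecognised structure")

# Constructed skeletons (structure only, not real certificates or keys).
CERT_SKELETON = bytes.fromhex("300430020500")
PFX_SKELETON = bytes.fromhex("30050201033000")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_SKELETON)
              + b"\n-----END CERTIFICATE-----\n")
```

The check only routes the file to the right importer; it does not validate the certificate or grant it any trust.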
Keywords: nsbeta1+
Attached patch Patch v2 (obsolete) — Splinter Review
Actually, I want to take back the statement about SSL web site certificates. While PSM already has appropriate logic to import CA and Email certificates, it does not for Web Site certificates. Is it really needed? Attaching a new patch that leaves out importing web site certs for now. Only adds support to import CA and Email certificates.
Attachment #93139 - Attachment is obsolete: true
The ability to import web site certificates is needed for at least 2 reasons:
1. UI Consistency - from the perspective of cert manager user interface, the only difference between server certificates and the remaining 3 types (personal, other people's, CAs') is the type of entities they identify.
2. There are scenarios where such functionality is required (e.g. there's a secure website we intend to connect to, and we received its cert through a trusted courier on a physical medium - think e.g. Federal Government procedures. At the same time we don't want to trust the signer CA as we know it has been compromised recently and we can expect forged certificates from it).
But this feature isn't as important to hold back fixing the bug for the remaining cert types. So it may be wise to spawn a follow-up bug.
Attached patch Patch v3 — Splinter Review
Ok, this patch imports server certificates, too. I tested that server certificates actually show up in cert manager. Note that none of the imported certificates are trusted initially. You need to manually add the trust. Note to reviewers:
- function defaultServerNickname is only being moved from one file to another, it remains unchanged
- ImportServerCertificate is mostly a clone of existing function ImportEmailCertificate
Attachment #93140 - Attachment is obsolete: true
Comment on attachment 93154 [details] [diff] [review] Patch v3 r=javi
Comment on attachment 93154 [details] [diff] [review] Patch v3 marking patch as has-review
Attachment #93154 - Flags: review+
Alec, can you please review? See also comment 16.
Comment on attachment 93154 [details] [diff] [review] Patch v3 I'm not fond of your use of PR_smprintf - seems like you could use the string classes and avoid the extra allocation.. something like

nsCAutoString nickname(servername);
if (count != 1) {
  nickname += " #";
  nickname.AppendInt(count);
}

That saves you a whole bunch of allocations. The JS is another good place for string bundle stuff. sr=alecf for the branch (and landing testing on the trunk) but if this is trunk-only I'd really prefer the string classes to simplify the code and reduce allocations.
Attachment #93154 - Flags: superreview+
*** Bug 159825 has been marked as a duplicate of this bug. ***
Alec, I agree that PR_smprintf is not optimal. But note that I did not write this function. I was only required to move that function around. I did not change its implementation. I hoped to get around having to rewrite that function.
ok ok :) but if you aren't going to be cleaning it up now, and we both recognize that it is a problem, please file a bug against cleaning up this code - especially if there is other code like this in the file(s).. the sr= stands then.
Thanks, bug 160112 filed.
You mean bug 160122 ?
oops, thanks.
As far as I can understand, the patch is ok for trunk landing?
The trunk is currently in the final phase for the 1.1 release. I don't want to ask for allowance to check in new features at this time. I'd need additional approval to check in. The mozilla.org team scheduled to create branch in 2 days, and after that the trunk will open for normal business. I will check in as soon as that happens.
Also note, this patch only supports importing. We can either leave this bug open for further development or spawn an export patch.
Blocks: 149694
Importing feature added on trunk. Marking fixed. Export feature request now tracked in bug 161275.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Summary: Support import and export of SSL, S/MIME, and CA certs → Support import of SSL, S/MIME, and CA certs
Just an additional remark. It's really nice to have this feature, but there was the same limitation in Netscape 4.x and there is a workaround, I'll describe it here in case that would be useful to someone. If you make sure there's a MIME association between the extension you give to the file with the certificate and the type required for importation (should be the case by default in Windows for a CA cert if you give it the extension .cer/.crt, you can do it through Preference/Navigator/Helper Application in Linux, the type is either application/x-x509-ca-cert or application/x-x509-user-cert) you just have to open the file from a navigator window to import it.
Verified.
Status: RESOLVED → VERIFIED
Version: 2.1 → 2.3
Product: PSM → Core
Version: psm2.3 → 1.0 Branch
Product: Core → Core Graveyard