Closed Bug 765133 Opened 12 years ago Closed 9 years ago

Certificate details dialog box shows the wrong error message for certificates that are blocked because their cert chain contains an MD5-based signature

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: briansmith, Unassigned)

References

Details

(In reply to Brian Smith (:bsmith) from bug 758314 comment #3) > [T]he certificate details dialog box WILL NOT show this custom > error message for certificates with MD5-based signatures, because > CERT_VerifyCertificate does NOT return the > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error for them when we call it > from nsUsageArrayHelper::GetUsagesArray. Instead, CERT_VerifyCertificate > returns SEC_ERROR_INADEQUATE_CERT_TYPE. I believe this is because we're > asking it to verify the cert for every possible usage, and > CERT_VerifyCertificate first detects > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, and then later detects > SEC_ERROR_INADEQUATE_CERT_TYPE, and decides to return the latter error code > instead of the former. > > Consequently, the error message in the certificate details dialog box will > not be very helpful; it will say "Could not verify certificate for unknown > reasons." > > Also, when you have libpkix enabled, you also get the "Could not verify > certificate for unknown reasons" because of a known bug, bug 672811.
I do not want to make enhancements to the old non-libpkix certificate path validation library. Instead, we should fix this by switching to libpkix.
Depends on: 672811, pkix-default
No longer depends on: pkix-default
We switched to mozilla::pkix, so if I'm understanding comment 0 correctly, this should be fixed (also I double-checked with sha1 disabled and everything looks good to me).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.