Error code for failure to import/update CRLs that use MD5-based signatures is unclear

RESOLVED INCOMPLETE

Status

Core Graveyard
Security: UI
6 years ago
2 years ago

People

(Reporter: mozthun, Unassigned)

Tracking

16 Branch
Attachments

(1 obsolete attachment)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901

Steps to reproduce:

1. Import the 'Root Certificate (DER Format)' using the link on http://www.cacert.org/index.php?id=3
2. Import the corresponding CRL on the same page
(make sure it's revoke.crl and not class3-revoke.crl)


Actual results:

The following error occurs when importing or updating the CRL:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe009


Expected results:

CRL Import Status window should open with a message like:
The Certificate Revocation List (CRL) was successfully imported...
(Reporter)

Updated

6 years ago
OS: Windows 7 → All
Hardware: x86_64 → All

Comment 1

6 years ago
I tried with various versions of Firefox since Firefox 16 and I'm not able to reproduce the issue. Each time, the Certificate Revocation List (CRL) was successfully imported.

Do you think it could be a temporary issue?
(Reporter)

Comment 2

6 years ago
Firefox 15.0.1 and earlier don't have the problem, but 16.0 to 17.0 all throw the error. All were tested with a freshly installed WinXP system image each time.
As the files didn't change during my tests, the behaviour changed from 15.0.1 to 16.0.

Firefox 17 on Linux and Mac shows the same issue (also Thunderbird and SeaMonkey on Windows with the current version).

Please make sure not to mix up Class 1 and Class 3 certificates and CRLs on the cacert page. When the corresponding certificate is not imported in Firefox, the CRL can be imported without any problem.

Comment 3

6 years ago
The "real" error code you get with Firefox/Thunderbird 16 and later when following the STR from comment 0 is actually ffffe0b0 (not ffffe009). What matters is that at least the "Trust this CA to identify websites" option is checked when importing the root certificate.

0xffffe0b0 corresponds to SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. This issue is the consequence of bug 650355.
(Reporter)

Comment 4

6 years ago
Kaspar is right! I made a mistake on copy & paste.
Sorry guys!
Summary: Import/Update of CRLs fails on 16/17 Branch → Import/Update of CRLs fails on 16/17 Branch - ffffe0b0

Comment 5

6 years ago
The exact error message is:
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe0b0
Please ask your system administrator for assistance.


And in fact, the regression range is:
good=2012-07-13
bad=2012-07-14
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6489be1890c0&tochange=0602e44ac248

Not sure if it's a valid regression, but CC'ing devs.
Blocks: 650355
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Component: Security: PSM → Security: UI
Keywords: regression
Summary: Import/Update of CRLs fails on 16/17 Branch - ffffe0b0 → Error code for failure to import/update CRLs that use MD5-based signatures is unclear

Comment 6

(In reply to Loic from comment #5)
> Not sure if it's a valid regression, but CC'ing devs.

This is working as intended. It is a consequence of dropping support for MD5, which is something that all major browsers have done.

Comment 7

6 years ago
Created attachment 687321
Print the error code as a signed decimal integer

The error message
  Error Importing CRL to local Database. Error Code:ffffe009
showed we are printing the error code as an unsigned hexadecimal
integer. This patch changes to print the error code as a signed
decimal integer.

Does anyone know how to print the error code's symbolic name
instead? PSM usually prints the symbolic name in all lowercase.
Attachment #687321 - Flags: superreview?(kaie)
Attachment #687321 - Flags: review?(bsmith)
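
Added example, not from the bug or from PSM: decoding the `Error Code:` field of the import dialog. The dialog prints the signed NSS error code as unsigned 32-bit hex (comment 3 and comment 7), so this converts it back and expresses it relative to the NSPR/NSS range bases; `RANGE_SPAN` and the function names are assumptions of this sketch.

```python
import re

# Bases of the NSPR/NSS error ranges (prerr.h, secerr.h, sslerr.h).
BASES = {"SSL_ERROR_BASE": -0x3000, "SEC_ERROR_BASE": -0x2000,
         "PR_NSPR_ERROR_BASE": -6000}
RANGE_SPAN = 1000  # assumption: generous width per range, not an NSS constant

# Only the code this bug names; extend from secerr.h as needed.
KNOWN = {-8016: "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED"}

# Eight hex digits are taken as the unsigned form; anything else as signed decimal.
DIALOG_RE = re.compile(r"Error Code:\s*(?:([0-9a-fA-F]{8})\b|(-?\d+))")


def to_signed32(value):
    """Reinterpret an unsigned 32-bit value as a signed error code."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_dialog(text):
    """Return (signed code, 'BASE + offset' or None, symbolic name or None)."""
    match = DIALOG_RE.search(text)
    if not match:
        raise ValueError("no 'Error Code:' field found")
    hex_form, dec_form = match.groups()
    code = to_signed32(int(hex_form, 16)) if hex_form else int(dec_form)
    family = None
    for name, base in BASES.items():
        if 0 <= code - base < RANGE_SPAN:
            family = f"{name} + {code - base}"
    return code, family, KNOWN.get(code)


if __name__ == "__main__":
    # The two dialog lines quoted in this bug, plus a constructed line in the
    # signed-decimal form that the attached patch describes.
    for line in ("Error Importing CRL to local Database. Error Code:ffffe0b0",
                 "Error Importing CRL to local Database. Error Code:ffffe009",
                 "Error Importing CRL to local Database. Error Code: -8016"):
        print(decode_dialog(line))
```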

Comment 8

6 years ago
I should clarify: printing the error code's symbolic name is probably
the fallback behavior. I think PSM prefers to print the error message
for the error code. I don't know how to do that.

Another cosmetic problem is that the space after "Error Code:" is not
printed, even though the space character exists in the source file:
http://mxr.mozilla.org/mozilla-central/source/security/manager/locales/en-US/chrome/pipnss/pipnss.properties#349

Perhaps spaces at the end of a line are ignored.

Comment 9

(In reply to Wan-Teh Chang from comment #7)
> Does anyone know how to print the error code's symbolic name
> instead? PSM usually prints the symbolic name in all lowercase.

1. Simplest: PR_ErrorToName()

2. nsCOMPtr<nsINSSErrorsService> errorService = do_GetService(something);

   if (errorService) {
      nsresult nssError;
      rv = errorService->GetXPCOMFromNSSError(errorCode);
      if (NS_SUCCEEDED(rv)) {
         nsAutoString message;
         rv = errorService->GetErrorMessage(getter_Copies(message));
         if (NS_SUCCEEDED(rv)) {
            errorMessage.Append(message);
         }
      }
   }

   errorMessage.Append(' ');
   errorMessage.Append('(');

   const char * nsprErrorName = PR_ErrorToName(errorCode);
   if (nsprErrorName) {
      errorMessage.Append(nsprErrorName);
   } else {
      errorMessage.AppendInt(errorCode);
   }

   errorMessage.Append(')');

Comment 10

-          rv = errorService->GetErrorMessage(getter_Copies(message));
+          rv = errorService->GetErrorMessage(nssError, getter_Copies(message));
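
Review bot: on the `+` line, `nssError` is passed to GetErrorMessage, but in the snippet this corrects it is only declared (`nsresult nssError;`) and never assigned, because the preceding call is written as `GetXPCOMFromNSSError(errorCode)` with just the input code. The correction should also change that call so the mapped value is stored in `nssError`; otherwise the message lookup reads an uninitialized nsresult.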

Comment 11

6 years ago
(In reply to Brian Smith (:bsmith) from comment #9)

Nelson would very much welcome these changes, I assume: bug 379298, bug 443435.

Comment 12

5 years ago
Comment on attachment 687321
Print the error code as a signed decimal integer

Kaspar: thanks for the info. I will move this patch to bug 379298
and close bug 443435 as a duplicate.
Attachment #687321 - Attachment is obsolete: true
Attachment #687321 - Flags: superreview?(kaie)
Attachment #687321 - Flags: review?(bsmith)
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INCOMPLETE
(Assignee)

Updated

2 years ago
Product: Core → Core Graveyard