PSM does not import certificate chain more than 1 level

VERIFIED FIXED in psm2.1

Status

P1
normal
VERIFIED FIXED
17 years ago
2 years ago

People

(Reporter: thomask, Assigned: javi)

Tracking

1.0 Branch
psm2.1
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

17 years ago
I have setup a CMS4.2SP2, and have installed NS6.1PR1.

I went to CMS's end-user Retrieval > Import CA Certificate Chain page.
And Selected "Import the CA Certificate chain into your browser".
Now, this is a subordinate CA. Its chains contains the subordinate CA's
certificate and also the root CA's certificate.

PSM only imported the subordinate-CA certificate. (FYI, the old
browser, communicator 4.7 without PSM  would only import the root
certificate). The correct behaviour is to import both certificates.

Updated

17 years ago
Assignee: ssaux → javi
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 2.1

Comment 1

17 years ago
junruh. We don't seem to have a certificate chain on your test environment that
has more than one level.
P1
t->2.1
->javi

Comment 2

17 years ago
Reporter, can you try this again with today's build? I believe that this was 
fixed with bug 84201.
(Reporter)

Comment 3

17 years ago
Just setup a sub ca, and use the latest PSM (07-20). Problem persists.

http://192.18.121.247:1024/GetCAChain.html

Comment 4

17 years ago
I've added a test to import a subordinate root CA at 
http://junruh.mcom.com/tests.html under "Get Roots CAs"

Comment 5

17 years ago
adding nsenterprise to all P1, P2 PSM bugs with target milestone of 2.1
Keywords: nsenterprise
(Assignee)

Comment 6

17 years ago
The test site is no longer up, can we get a permanent test site deplyed to test
against?

Comment 7

17 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
(Assignee)

Comment 8

17 years ago
We've got an internal site that has a multiple cert chain.
http://juggler.red.iplanet.com:81/

This is how I see the bug right now:

CMS sends us PKCS 7 signed blob, but sends the mime type of
application/x-x509-ca-cert.  PSM interprets this to mean only *one* CA is about
to be delivered.  Is the application/x-x509-ca-cert always a PKCS7 Signed blob?
 If so, then we have to make our code smarter.  If not, then there's a bigger
problem that will required changes to both CMS and the client.

Updated

17 years ago
Keywords: nsenterprise → nsenterprise+
(Assignee)

Comment 9

17 years ago
Created attachment 46152 [details] [diff] [review]
Patch to enable downloading multiple CA's in one blob.
(Assignee)

Updated

17 years ago
Keywords: patch

Comment 10

17 years ago
adding review keyword.
Keywords: review

Comment 11

17 years ago
r=ddrinan.

Updated

17 years ago
Blocks: 81257
(Assignee)

Comment 12

17 years ago
Have been trying to get this super reviewed since Friday.  Just sent a request
to tor asking for a review.

Comment 13

17 years ago
sr=tor
(Assignee)

Comment 14

17 years ago
patch checked in.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 15

17 years ago
Marking VERIFIED FIXED on:
- MacOS91 2001-08-22-08-trunk (commercial)
- MacOS_X 2001-08-22-05-trunk (mozilla)
- LinRH62 2001-08-22-08-trunk (commercial)
- Win98SE 2001-08-22-06-trunk (commercial)
Status: RESOLVED → VERIFIED

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.