
[Bug]: Import Certificate doesn't set SSL Trust bit in nssdb (app.importCertificate)

Open tn185075 opened this issue 3 years ago • 22 comments

Preflight Checklist

Electron Version

13.1.4

What operating system are you using?

Ubuntu

Operating System Version

20.04.3 LTS

What arch are you using?

x64

Last Known Working Electron version

No response

Expected Behavior

On running this command,

certutil -d sql:$HOME/.pki/nssdb -L

expected

cert-name CT,,

The second & third trust bits can be anything. The first one needs to have a trust flag. Reference for trust bits: (image)

Actual Behavior

Certificate is added to nssdb without proper trust attributes. On running the following command:

certutil -d sql:$HOME/.pki/nssdb -L

Output:

cert-name ,,

Testcase Gist URL

https://gist.github.com/tn185075/cf34e2157a69721fb29f9cf7418ee14a

Additional Information

Note that the certificate we used is in .p12 format, and is a self-signed one.

tn185075 avatar Feb 09 '22 03:02 tn185075

https://github.com/electron/electron/issues/32816

Closing the linked issue.

tn185075 avatar Feb 09 '22 03:02 tn185075

Any update?

tn185075 avatar Mar 04 '22 13:03 tn185075

@tn185075, any updates would be left here in the issue. If there aren't any comments, there aren't any updates. 🙂

I'm not sure if this is a valid bug - the docs don't say anything about which trust bits will be set. I think this might be more of a feature request than a bug.

dsanders11 avatar Mar 15 '22 01:03 dsanders11

The docs won't say anything about this, but I have seen in the source code that the trust bits are being set here. That's the reason behind marking this as a bug.

Importing a certificate should surely help us trust any certificate signed using that authority, similar to how we import our own authority in Chrome.

https://github.com/electron/electron/blob/main/shell/browser/api/electron_api_app.cc#L625-L626

tn185075 avatar Mar 15 '22 05:03 tn185075

Thanks for the extra context and linking the code. You're right, the code does look like it intends to set the trust bits.

I'll ping @deepak1556 just to confirm that is the intended behavior. I don't have a good understanding of the mechanisms involved here, but I'll point out this extra bit of context from the original comment as it may be relevant ("Note that the certificate we used is in .p12 format, and is a self signed one.")

@tn185075, could you create an Electron Fiddle gist which reproduces the issue end-to-end? You can't add a .p12 in the fiddle, but you could include it in say PEM in main.js, then dump it to .p12 format in a temp file, and import it. Then you could execute certutil -d sql:$HOME/.pki/nssdb -L via the child_process module and find the relevant certificate. I know that sounds like a lot of work, but a fully end-to-end fiddle makes it significantly more likely that we will be able to fix the issue.

dsanders11 avatar Mar 15 '22 08:03 dsanders11
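
The last step of the repro suggested above (run certutil via child_process and find the relevant certificate) can be checked mechanically. The following is an added example, not code from the issue, its gist, or the Electron project; the function names and the sample listings are constructed, and the nickname `cert-name` is the one used in the issue text. In certutil's trust flags, `C` marks a trusted CA for server certificates, `T` a trusted CA for client certificates, and `P` a trusted peer.

```javascript
// Added example: classify a certificate by the SSL field of `certutil -L` output.

// One listing row: "<nickname>   <ssl>,<smime>,<codesign>". The header row
// "SSL,S/MIME,JAR/XPI" does not match because of its '/' characters.
const ROW = /^(.*\S)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$/;

function parseCertutilList(output) {
  const certs = [];
  for (const line of output.split(/\r?\n/)) {
    const m = ROW.exec(line);
    if (m) certs.push({ nickname: m[1], ssl: m[2], smime: m[3], codeSigning: m[4] });
  }
  return certs;
}

// Returns 'missing' (not in the db), 'untrusted' (present, but the SSL field
// has no C, T or P flag, as in the reported ",,") or 'trusted'.
function checkImport(output, nickname) {
  const cert = parseCertutilList(output).find((c) => c.nickname === nickname);
  if (!cert) return 'missing';
  return /[CTP]/.test(cert.ssl) ? 'trusted' : 'untrusted';
}

// Lists the per-user NSS database named in the issue; needs certutil on PATH.
// Not called below, so the example also runs on machines without NSS tools.
function listUserNssDb() {
  const { execFileSync } = require('node:child_process');
  return execFileSync('certutil', ['-d', `sql:${process.env.HOME}/.pki/nssdb`, '-L'],
    { encoding: 'utf8' });
}

// Constructed sample listings in certutil's two-line-header layout.
const HEADER = [
  '',
  'Certificate Nickname                                         Trust Attributes',
  '                                                             SSL,S/MIME,JAR/XPI',
  '',
  '',
].join('\n');
const row = (name, flags) => name.padEnd(61) + flags + '\n';
const SAMPLE_EXPECTED = HEADER + row('cert-name', 'CT,,'); // what the reporter expects
const SAMPLE_ACTUAL = HEADER + row('cert-name', ',,');     // what the reporter observed

console.log(checkImport(SAMPLE_EXPECTED, 'cert-name'), checkImport(SAMPLE_ACTUAL, 'cert-name'));
```

In an end-to-end fiddle, `checkImport(listUserNssDb(), nickname)` would run inside the `app.importCertificate` callback, after the import reports success.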

Sure @dsanders11. Will work it out when I find time.

tn185075 avatar Mar 15 '22 08:03 tn185075

It is a bug that the CA certs are not trusted after import. There has not been much of a change to the API at //electron, but it is very likely that the problem is at //electron/shell/browser/certificate_manager_model.cc, which is broken with Chromium rolls. Also, it is worth bringing back this test https://github.com/electron/electron/blob/4bdb50eeee95bd1853123e974b369c5fd1303843/spec-main/api-app-spec.ts#L484 when investigating this issue.

deepak1556 avatar Mar 15 '22 10:03 deepak1556

@deepak1556 I would appreciate it if you can try and find a solution before I can make it up in a fiddle, as I need to create a different cert set again.

tn185075 avatar Mar 15 '22 10:03 tn185075

I can look into this next week, so if anyone else wants to tackle this before that, feel free to!

deepak1556 avatar Mar 15 '22 12:03 deepak1556

@deepak1556 did you try that?

tn185075 avatar May 10 '22 04:05 tn185075

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the latest version of Electron or in the beta—please include it with your comment!

github-actions[bot] avatar Oct 05 '22 02:10 github-actions[bot]

bump!

tn185075 avatar Oct 06 '22 04:10 tn185075

Sorry, I don't have plans to look into this bug anytime soon; please use https://github.com/electron/electron/issues/32825#issuecomment-1067844548 as a starting point for others investigating this bug.

deepak1556 avatar Dec 08 '22 11:12 deepak1556


bump

dabo248 avatar Mar 09 '23 08:03 dabo248

bump!

tn185075 avatar Mar 09 '23 09:03 tn185075

Any updates on this? This might be causing a problem we are running into. Electron doesn't seem to send any Kerberos token in its requests when run in Ubuntu 22.04. We believe it has to do with the server certificate not being trusted. We are able to import the certificate via 'app.importCertificate' with a success result. Kerberos auth seems to work fine in our Electron app on Windows 10.

Edit: Google Chrome is installed on the same machine. Google Chrome is able to utilize Kerberos auth without issue. The Electron application is the only thing that seems to be running into problems.

Edit 2: Electron seems to trust the certificate now. Kerberos is also working. One issue that may have been giving us trouble is incorrect file permissions on the application files.

jscottPTC avatar Apr 03 '23 19:04 jscottPTC


bump!

tn185075 avatar Jul 05 '23 05:07 tn185075


bump!

tn185075 avatar Oct 05 '23 06:10 tn185075


Bump

tn185075 avatar Jan 11 '24 16:01 tn185075


This issue has been closed due to inactivity, and will not be monitored. If this is a bug and you can reproduce this issue on a supported version of Electron please open a new issue and include instructions for reproducing the issue.