keygen tag doesn't work in M49, although it is supposed not to be removed until M54
Reported by
cesar.ar...@gmail.com,
Mar 29 2016
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Steps to reproduce the problem: 1. Access the following test page: http://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_keygen 2. Open the Developer Tools. Console shows this warning: "The <keygen> element is deprecated and will be removed in M54, around October 2016. See https://www.chromestatus.com/features/5716060992962560 for more details." 3. Enter any text in the 'Username' field and click on Send. What is the expected behavior? The 'security' parameter should contain the generated key. What went wrong? The 'security' parameter is empty. This test page works fine in Firefox. Did this work before? Yes M48 Chrome version: 49.0.2623.110 Channel: stable OS Version: 7 Flash Version:
,
Mar 29 2016
As part of the deprecation, you need to give a page permission to use <keygen>. If you open the info box, you should see a permission for it (Clicking on the icon on the left side of the address bar).
,
Mar 30 2016
Thanks. This way, keygen is enabled to generate keys. But the application/x-x509-*-cert MIME handling has been already removed, so any certificate enrollment web will fail to deliver a user certificate. Instead of installing the certificate and the private key into the OS key store, the certificate is downloaded as a file. Apparently, there is no way then to install the user certificate together with the private key (at least in Windows). What is the point in keeping the keygen tag while preventing to install certificates and private keys? This makes the keygen tag completely useless, right?
,
Mar 30 2016
Certificate enrollment continues to work, and certificates can still be delivered. They are treated the same way any other certificate with a pre-existing private key is handled. Whether or not it causes compatibility with the application depends on whether or not the application searches for private keys. Importing via the Certutil utility, for example, will associate pre-existing key metadata with the certificate, while other import methods do not. Keys generated via <keygen> remain in the CryptoAPI store, so if you've imported a certificate via a means that doesn't search for keys (such as CryptUI), you can use "certutil -repairstore" to reassociate the certificate with the key. As such, the <keygen> tag retains full functionality. The change in application/x-x509-user-cert is separate, and that simply downloads the certificate. When importing, it's the importing applications' responsibility to check for pre-existing private keys.
,
Mar 30 2016
Many certificate enrollment webs rely on the application/x-x509-user-cert handling to install the issued certificate. Knowing that in October 2016, keygen will be removed, there is no point in changing the certificate installation mechanism on those webs. This means that, for those kind of webs, Google Chrome has efectively removed the keygen feature in M49.
,
Mar 30 2016
As stated, Keygen continues to work, and continues to install keys in the CryptoAPI store. None of that implementation has changed. What you're discussing is application/x-x509-user-cert. There were already ample bugs with the old behaviour, so objectively speaking, the current behaviour is less buggy. Further, you can still update your documentation to provide clear instructions for how to import the certificate - the exact same as would be needed if the user used another browser, or, for that matter, another operating system.
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label |
|||
►
Sign in to add a comment |
|||
Comment 1 by mbarbe...@chromium.org
, Mar 29 2016Components: Blink>Forms>Keygen Security>UX Internals>Network>SSL
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug