106812 - Can't send an encrypted msg to whom has sent a signed msg

Status: VERIFIED WORKSFORME

(MailNews Core :: Security: S/MIME, defect, P1)

Description

[Antonio Lam]

Build: 2001-10-24-14-OTIS commercial build.

If User A sent a sign msg to User B, User B is not able to send an encrypted msg 
back to User A.

Step to reproduce:

1) From User A account, send a sign msg to User B
2) User B read the sign msg and the User A cert is store in "Other Peoples" 
CertDB
3) Try to send an encrypted msg from User B account to User A

It failed and give the error message "Sending of message failed" (I will provide 
the screenshot later)

Note:  If I add the recipient cert from the netscape phonebook, it worked fine.

Comment 1

[Antonio Lam]

Attachment: Failed to send encrypted msg dialog

Comment 2

[Antonio Lam]

cc kaie

Comment 3

[Kai Engert (:KaiE:)]

David just checked in a fix to the otis test branch, I tested it and it works
now for me.

Please allow some time for rebuild and retest with the next otis test build.
When you retest, be sure you first delete the certs you received in previous
sessions, as during receiving a special flag is now added to the cert database
that makes it work.

(However, what is left to be done: We should give a better error dialog in case
sending fails because certificate was not found, but that is probably a
different bug.)

Comment 4

[Antonio Lam]

Tried with 2001-11-13-09 trunk build on NT, and the problem still existed. I am 
getting the same error message: "Sending of message failed" (See attachment 
above).

Comment 5

[Antonio Lam]

Couple more things:

1) It seems that it is not working for dual-key certs only.  It worked fine 
with single dual-purpose certificate though. For example, if an user used 
dual-key certs to sign the message, then the recipient is NOT able to reply the 
sender with an encrypted message.  However, if an user used a single 
dual-purpose cert to sign the message, the recipient is able to send back an 
encrypted message to the sender.

2) For the testing in item one, I checked the "Aways encrypt" checkbox in the 
Secure Mail pref in the Mail Account setting, since the Option|Security menu 
option is still missing in the 2001-11-13-09 trunk build. Other than that, the 
steps should be the same as I described above. (Not sure that will make the 
difference).

Comment 6

[Stephane Saux]

ddrinan

Comment 7

[Kai Engert (:KaiE:)]

The fact that it only happens in a dual-cert environment, makes me believe, that
on signing the wrong "own" certificate gets attached.

If the signing cert is attached, the other side will not be able to encrypt,
because usage does not allow that.

We must make sure that the encryption cert is attached.

Assigning to myself.

Comment 8

[Stephane Saux]

I'm pretty sure the right certs get attached.

Are you sure this is still happening?

I can work with you by setting new profile, you send me a signed email, I
respond with encrypted.

Comment 9

[Kai Engert (:KaiE:)]

Our code needs to be extended.

Currently, only signing a message results in a certificate being attached. It is
the signing cert that gets attached.

If we send an encrypted message, self's encryption cert must be attached.

Our code must attach both certificates if self uses dual-certs, but should
include it only once if a single cert is used for both purposes.

In addition, I think now the time has come to extend the general certificate
picker and configuration storage code that identifies a cert using values stored
in preferences.

Comment 10

[Kai Engert (:KaiE:)]

Stephane, due to the last paragraph in my previous comment, and the fact that
our dual-certs use the same nickname, it might happen that accidentially the
wrong cert get's attached.

Comment 11

[Stephane Saux]

Kai:
nsMsgComposeSecure.cpp:666
  rv = cinfo->CreateSigned(mSelfSigningCert, mSelfEncryptionCert, sec_item_data,
sec_item_len);
  mSelfSigningCert and mSelfEncryptionCert are set in the code I just fixed.
Before that fix, it could happen that the cert was not found.

In:
nsCMS.cpp:324 on is where the certs are attached, and they appears to be.

Comment 12

[Stephane Saux]

works for me buildId 2002010703 Win2000

Comment 13

[Antonio Lam]

Tested with 2002011103 build, I still got the same problem.

I have confirmed that the sender's encryption cert is stored in the certDB, and 
both the Intranet Certificate Authority and GTE Cyber Trust Root CAs are 
trusted for mail user.

I am getting the following error message when try to send an encrypted mail:

Sending of message failed
You requested to encrypt this message, but the application failed to find an 
encryption cert for sectest@netscape.com

Comment 14

[Antonio Lam]

If I migrate from previous 4.7 profile (where there is other person's encrypting 
cert) to current mozilla build, I am able to send the person an encrypted 
message.

But I can't send an encrypted msg to who has sent me a signed message with 
dual-key certs.

Comment 15

[Stephane Saux]

S/MIME bugs are automatically nsbeta1 candidates. (this is a bulk update - there
may be some adjustment of the list).

Comment 16

[Kai Engert (:KaiE:)]

Antonio, now that we have landed NSS 3.4, can you please repeat the tests?
I just tested, and it worked for me.
Please reopen the bug if you still see problems.

Comment 17

[Antonio Lam]

Confirmed and verified with today's trunk build (20020212).