Closed Bug 118942 Opened 23 years ago Closed 7 years ago

Cannot send signed mail with dual certificates on iButton

Categories

(MailNews Core :: Security: S/MIME, defect, P2)

1.0 Branch
x86
Linux

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: timtas, Unassigned)

References

Details

(Whiteboard: [kerh-brz])

Attachments

(2 files)

I successfully installed a Java-powered iButton in Mozilla, using the provided
PKCS11 Library. On the button, there are two keys, one for encryption and one
for signing mails.

Assigning them as my keys in "Mail and Newsgroups Account Settings" works fine
and decryption of mails encrypted with my public key as well. But when I want to
send a signed mail, Mozilla reports a "Send Message Error":

"You requested to digitally sign this message, but the application failed to
find the signing certificate you specified in your Mail/News account preferences
or the certificate has expired."
Changing component and contact 
Assignee: ducarroz → mstoltz
Component: Composition → Security: General
QA Contact: sheelar → junruh
->PSM
Assignee: mstoltz → ssaux
Component: Security: General → S/MIME
Product: MailNews → PSM
QA Contact: junruh → alam
Version: other → 2.2
Reporter:
Check to see if logging in the ibutton first, or even just taking a look at the
certs will solve the problem.
Check to see whether the ibutton certs validate by inspecting them in the cert
manager.

I use a pkcs11 ActivCard Cryptoflex java card and I don't have this problem.

Note to self: NSS3.4

Kai,  Do you still have an IButton working on Linux?
Can you try?
Priority: -- → P2
Target Milestone: --- → 2.2
I still have the java powered iButton, but when I made a quick test some months
ago, I was unable to get it to work with Mozilla (Linux). I only was able to
make it work with Communicator (Linux).

But it's good news to hear that you got it working. I'm interested to get it
working, too. I will try again. Timtas, if you had to use any tricks to get the
iButton to work, I'd appreciate hearing about them :)
I got a bit further now. The problem seems only to occur in conjunction with
not-so-friendly "friendly names". My example certificates have the following
friendly name:

c01ce4a756330591de14cb1b2fe264d8_c58eed57-1732-42ab-b9f8-c832bc3b8c28

I now did the following:
- Deleted certificates from button using Mozilla PKCS11 interface
- Extracted keys and certificates from pkcs12 files with openssl
- Recreated pkcs12 files with openssl, using normal friendly names
- Reloaded both certificates on iButton, using Mozilla PKCS11 interface

Now, it works.

If useful, I can send two pkcs12 files containing certificates with such
friendly names.
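
The re-export steps listed in the comment above, as an added example that is not part of the original bug report or of any project's own code. The function names, the P12_PASS variable, the file names and the replacement name "Signing certificate" are assumptions made for illustration; the key and certificate in the demo are constructed.

```shell
#!/bin/sh
# Added example: inspect and replace the friendlyName in a PKCS#12 file.
# The password is read from the exported variable P12_PASS (an assumption of
# this sketch) so that it does not appear in the process list.

# Print the friendlyName attribute of the certificate bag(s) in $1.
friendly_name() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | sort -u
}

# Re-export $1 as $2 with friendlyName $3; key and certificate are unchanged.
# Old exports encrypted with RC2-40 need "-legacy" added to the first
# command on OpenSSL 3.x.
rename_p12() {
    tmp=$(mktemp) || return 1          # mode 0600; holds the unencrypted key
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes -out "$tmp" \
        2>/dev/null &&
    openssl pkcs12 -export -in "$tmp" -name "$3" -out "$2" \
        -passout env:P12_PASS
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed demo: a throwaway self-signed key is exported under the long
# name quoted in the report, then re-exported under a short one. Prints the
# old name and the new name, one per line.
demo() {
    d=$(mktemp -d) || return 1
    P12_PASS=constructed-demo-pass; export P12_PASS
    long=c01ce4a756330591de14cb1b2fe264d8_c58eed57-1732-42ab-b9f8-c832bc3b8c28
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test" \
        -days 1 -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    cat "$d/key.pem" "$d/cert.pem" > "$d/bundle.pem" &&
    openssl pkcs12 -export -in "$d/bundle.pem" -name "$long" \
        -out "$d/old.p12" -passout env:P12_PASS &&
    rename_p12 "$d/old.p12" "$d/new.p12" "Signing certificate" &&
    printf '%s\n' "$(friendly_name "$d/old.p12")" "$(friendly_name "$d/new.p12")"
    rc=$?; rm -rf "$d"; return $rc
}

# Run the demo only when the script is invoked as: sh script.sh demo
[ "${1:-}" != demo ] || demo
```

With two certificates, as in this report, rename_p12 is run once per file, and friendly_name on each output confirms the new name before the file is loaded onto the token.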

cc relyea.  It could be that IButton doesn't like this "friendly name" (with
friends like that, who needs enemies).  It could be that friendly names have a
size limit (PKCS11 is full of strings whose UTF8 encoding must fit in either 32
or 64 bytes long storage locations).
You may want to see if you can store these certs in the software security
device. If that's the case, I would suspect IButton.
How did you create that cert and key pair on the token initially? That
'nickname' doesn't look like one that netscape would produce (unless you have an
unusual CN value).

Stephane, are there any plans to set up an API in PSM to allow us to change the
nickname on a cert? It's been a long standing issue in NSS since we took out the
ability to choose your own name for the cert in Communicator.

bob
As far as I know there was a move away from using or letting users set nicknames
for certs.  See for example bug 91581.

So in short no, there are no plans to let users edit the nickname for the cert.

Is there a spec for nicknames? X509 doesn't mention them.
The keys and the friendly name are generated by "Microsoft Base Cryptographic
Provider v1.0". I already mentioned this, the certificates work with Netscape
4.78, so it would not be a general PKCS11 problem.

It is now more or less clear to me that it is NOT an iButton problem but rather
a friendly name problem.

I attach two certificates with friendly names like that, the password on the key
is "manager".
I tried to get the iButton working again, but I'm sorry to say it doesn't work
for me. 

When I try to install the Linux PKCS#11 module for Java-powered iButton version
1.01 (dated June 28, 2001) into NS 6.x, I see a crash inside the shared library
libDSPKCS.so (269468 bytes, Jun 27 2001).

The crash is independent of whether the iButton is currently installed and
accessible (tested with pkitool) or not.

It works ok if I use the same library with Netscape 4.7x on Linux.

The crash is inside the ibutton driver:

#0  0x434e999c in GetOptDefaultPort () from /home/inst/ibutton/libDSPKCS.so
#1  0x434e079e in doFindToken () from /home/inst/ibutton/libDSPKCS.so
#2  0x434e0897 in FindToken () from /home/inst/ibutton/libDSPKCS.so
#3  0x434d0061 in checkTokenReady () from /home/inst/ibutton/libDSPKCS.so
#4  0x434ca140 in doGetSlotInfo () from /home/inst/ibutton/libDSPKCS.so
#5  0x434ca1d9 in C_GetSlotInfo () from /home/inst/ibutton/libDSPKCS.so
#6  0x436e98a7 in PK11_InitSlot (mod=0x8a5c988, slotID=0, slot=0x8a46488) at
pk11slot.c:1814
#7  0x436e6508 in SECMOD_LoadModule (mod=0x8a5c988) at pk11load.c:231
#8  0x436fbf1a in SECMOD_AddModule (newModule=0x8a5c988) at pk11util.c:429
#9  0x436fc1ef in SECMOD_AddNewModule (moduleName=0x88a7210 "testname",
dllPath=0x85abee8 "/home/inst/ibutton/libDSPKCS.so", defaultMechanismFlags=0,
cipherEnableFlags=0) at pk11util.c:531
#10 0x436940ad in nsPkcs11::Addmodule (this=0x87f2550, aModuleName=@0x8aac430,
aLibraryFullPath=@0x8aac450, aCryptoMechanismFlags=0, aCipherFlags=0,
aReturn=0xbfff9730) at
../../../../../mozilla/security/manager/ssl/src/nsCrypto.cpp:2255
QA Contact: alam → carosendahl
Moving out of unconfirmed state.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: 2.2 → Future
Blocks: smartcard
I'm happy to report that meanwhile source code has been released for the iButton
pkcs#12 module, for all platforms, including Windows and Linux.

I made a quick test and I'm able to compile. So if this is still a high
priority, I might try again to get the iButton working on Linux and analyze
further what's going on. Although the source does still contain some binary only
component, we should be able to debug most parts.
Keywords: nsbeta1
Keywords: nsbeta1 → nsbeta1+
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Status: ASSIGNED → NEW
Mass change "Future" target milestone to "--" on bugs that now are assigned to
nobody.  Those targets reflected the prioritization of past PSM management.
Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Product: PSM → Core
Whiteboard: [kerh-brz]
QA Contact: carosendahl → s.mime
Version: psm2.2 → 1.0 Branch
Product: Core → MailNews Core
iButton no longer exists
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE