139460 - Digital signature incorectly shown as invalid if IMAP large attachments delayed download is in progress

Status: VERIFIED DUPLICATE of bug 139561

(MailNews Core :: Security: S/MIME, defect)

Description

[Vladimír Solnický]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.9+) Gecko/20020422
BuildID:    2002042209

If I have an IMAP account that contains a message, that

1) has an attachment, that is large enough (80 KB) to trigger an IMAP delayed
download process (i. e. attachment is not download from IMAP server till you
really need it because of speed).

2) this attachment is of a type that cannot be displayed directly (for instance
application/msword)

3) the whole message is digitally signed using personal certificate

Then the signature is treated as invalid although Netscape 4.5x and 4.7x shows
it as valid (in the same IMAP folder).

It does not happen, if attachments are short (few bytes) and probably if they
must be downloaded like in case of text/HTML of type=inline (not tested)

I think this is because mozilla does not use the concept of unverified signature
that netscape uses.

I think the bug when trying view message source on a message that stisfy the
criteria above shows only part of a message spurce (netscape displays a short
notice, that this part is not downlouaded and thus not shown fore every part,
but the structure is displyed properly) is connected to this.


Reproducible: Always
Steps to Reproduce:
1. Have an IMAP folder
2. Create a message
3. Attach a MS WORD .doc file of a size at least 80 KB
4. ask for digital signature
5. Send a signed message (not encrypted) to yourself
6. Get New Messages
7. Click to the one you've just sent
8. Signature is always invalid.
9. Do not delete it and use another S/MIME X509-aware program to verify that
signature is correct.



Actual Results:  Signature is always invalid sayning that message has changed.

Expected Results:  Both a special icon and text saying UNVERIFIED SIGNATURE
should display. After clicking on icon all the attachmenst should be downloaded
and icon should changed to either VALID or INVALID SIGNATURE according to the
real reasults of signature consistency tests.

Theme is classic. By he way, classis theme icons for valid and invalid
signatures are VERY similar and they should not be.

It may also be a problem not only with signed messages and a view message source
function, but with large encrypted messages, too.

Comment 1

[Vladimír Solnický]

I mentioned above that it may have been a problem with IMAP and encrypted
messages. I have just assured myself that it is. An encrypted message with
attachments (total size is about 480 KB) is not decrypted and the reason is:
There are uknown problems with this encrypted message. Netscape 4.7x decrypts it
correctly (the same message in the same IMAP folder). The message was sent from
MS outlook all the certificates used were correctly imported and are used daily
in mozilla and netscape.

If I copy a message to a local folder using a mozilla it can be decrypted
without any problem. That means that the problem is in interoperation between
IMAP subsytem and digital signatures/encryption subsytem if delayed download is
in action.

Comment 2

[Karen Huang]

.

Comment 3

[Charles Rosendahl]

The problem is with signing only, not encryption.  encrypting the message forces
the entire body to be enveloped as a single unit.

The delayed downloading/signing interaction has been partially address in bug
125607.  Outstanding issues are addressed in bug 139561.


*** This bug has been marked as a duplicate of 139561 ***

Comment 4

[Charles Rosendahl]

Reduced to major, as a workaround has been implemented, and the final fix is
scheduled for RTM

Comment 5

[Charles Rosendahl]

Verified