Closed Bug 1497154 Opened Last year Closed Last year
Wrong encipherment certificate status - recipient certificate status should not be checked for signing usage, since that only concerns the sender certificate
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Steps to reproduce: - Composing a ciphered email using valid encipherment certificates. - Save it. - Viewing "Security message" window. Actual results: All encipherment certificate statuses are "Invalid". Expected results: All encipherment certificate statuses should be "Valid".
Hello, In the "Message Security" window, all the recipient's encryption certificates always have the status "Invalid", although these certificates are all valid as well as the certificate of the associated CA and that their usages include "Critical" and "Key Encryption". Indeed, the control performed on the uses of these certificates includes signing and key encipherment, whereas it should only include encryption. The signature of the message only concerns the sender of the message. Therefore, to resolve this problem, you must remove line 263 from the mailnews/extensions/smime/content/msgCompSecurityInfo.js file, as described in the attached hotfix. Thank you in advance.
Comment on attachment 9015205 [details] [diff] [review] msgCompSecurityInfo.js.patch Not a proper HG patch, but we got the message, thanks. Magnus, this one is for you.
Assignee: nobody → chris.m.gaudry
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Wrong encipherment certificate status → Wrong encipherment certificate status - recipient certificate status should not be checked for signing usage, since that only concerns the sender certificate.
Made that a proper patch. Thanks for the patch! I wonder though, what kind of strange certificates are these? How would anybody be able to get them and use them them when they are not sent out through signing. It's also bad procedures to send encrypted but unsigned mails.
Corrected surname of author.
(In reply to Magnus Melin [:mkmelin] from comment #3) > Created attachment 9015486 [details] [diff] [review] > bng1497154_certificate_status_usage.patch > > Made that a proper patch. > Thanks for the patch! > > I wonder though, what kind of strange certificates are these? How would > anybody be able to get them and use them them when they are not sent out > through signing. It's also bad procedures to send encrypted but unsigned > mails. I'm not sending encrypted unsigned mail, but encrypted AND signed mail. The problem is not there. The "Message Security" window only checks for recipients certificates. These certificates only apply to encipherment. When you send encrypted and signed mail, you sign with the sender's signing certificate and cipher with all the cipherment certificates (sender+recipient(s)). The original code only works if each recipient certificate has both signature and cipherment usages. The good procedure is to separate authentication, signing and cipherment certificates, to be able to remove any of theses usages of the user at anytime by revoking the corresponding certificate.
Yes, I'm not suggesting your usage is wrong. I'm suggesting the recipient certs are odd. How did you obtain them, if they weren't obtained by receiving signed mails from these persons?
These certificates are imported from an LDAP directory. These certificates have been generated by a professionnal PKI for enterprise use.
I see. Kind of defeats the purpose though, doesn't it. Or well, you could secure your internal communications, but anyone outside the eh, ldap access, can't send you encrypted mail.
This is for internal use only (the network is closed for security reasons).
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/comm-central/rev/03c827f7c3ac recipient certificate status should not be checked for signing usage since that only concerns the sender certificate. r=mkmelin
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Reported against TB 60, so I guess we should fix it there. So uplift?
Target Milestone: --- → Thunderbird 64.0
Comment on attachment 9015490 [details] [diff] [review] bng1497154_certificate_status_usage.patch Review of attachment 9015490 [details] [diff] [review]: ----------------------------------------------------------------- Yep
Comment on attachment 9015490 [details] [diff] [review] bng1497154_certificate_status_usage.patch [Triage Comment]
You need to log in before you can comment on or make changes to this bug.