Closed Bug 1500003 Opened Last year Closed Last year

S/MIME signing broken in TB 63 beta and TB 64 Daily (soon beta)

Categories: Thunderbird :: Security, defect
Tracking: thunderbird64 fixed, thunderbird65 fixed
Status: RESOLVED FIXED
Target Milestone: Thunderbird 65.0

People: Reporter: maximilian.schaumann; Assigned: jorgk

Attachments: 3 files, 2 obsolete files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.54 Safari/537.36

Steps to reproduce:

Have a valid S/MIME certificate imported and installed under "Options"->"Account settings"->"Security"
Compose E-Mail
Check "Security"->"Digitally Sign this Message"
Send E-Mail


Actual results:

Error Message:
"Sending of the message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."
Appears


Expected results:

Since the certificate is valid and available (can be found under "Manage Certificates"), E-Mail should send without issue

Yes, there seems to be a quirk. Select the certificate again in the account settings. See bug 1481969 comment #2. If that doesn't help, remove the certificate and install/select it again. If that also doesn't work, delete cert8.db.

See bug 1481969, bug 1470077, bug 1462915.

(In reply to Jorg K (GMT+2) from comment #1)
> Yes, there seems to be a quirk. Select the certificate again in the account
> settings. See bug 1481969 comment #2. If that doesn't help, remove the
> certificate and install/select it again. If that also doesn't work, delete
> cert8.db.
> 
> See bug 1481969, bug 1470077, bug 1462915.

Thank you for this tip; please note, however, that neither reselecting, nor removing/reinstalling the certificate, nor deleting cert8.db fixed this issue.
For me this is highly frustrating since I need S/MIME to be working correctly.
:-(

Does it work on a new profile? Start Thunderbird with -p to create one.

(In reply to Jorg K (GMT+2) from comment #3)
> :-(
> 
> Does it work on a new profile? Start Thunderbird with -p to create one.

I have now tried creating a new profile, reinstalling the old certificates and curiously it still won't work. Same error message.

So you reported this for TB 63 beta? Do TB 60.2.1 ESR and the older TB 52.9.1 work?

(In reply to Jorg K (GMT+2) from comment #5)
> So you reported this for TB 63 beta? Do TB 60.2.1 ESR and the older TB
> 52.9.1 work?

Yes, I am reporting this for 63.0b1 (32-Bit).

I have no way of conclusively testing whether it works for either TB 60.2.1 ESR or the older TB 52.9.1, since at the moment I haven't tried rolling back and the issue started appearing after TB updated itself. Frankly, I don't even know when the issue started appearing exactly; however, the same cert works on my laptop, which runs on the non-beta branch.

What might be worth noting is that before the 63 update, I ran the Enigmail add-on (v. 2.0.8), which has since been automatically disabled due to it being incompatible with 63 Beta. However, I am assuming that, since the add-on is supposed to be disabled due to the incompatibility, this should not be the cause of this issue.

So far I have not been able to confirm any errors in the error console, except for what I assume to be an unrelated error (NS_ERROR_FILE_NOT_FOUND: ActorManagerChild.jsm:68
TypeError: this.gViewSourceUtils is undefined, can't access property "viewSource" of it  webconsole.js:152:5)

OK, I think S/MIME certificates are a pain. All my Comodo certificates had expired, so I got a new one. In TB 63 beta I can't sign, and in a debug version of TB 64 beta I crash here:

MOZ_ASSERT(!NS_IsMainThread());
if (NS_IsMainThread()) {
  return mozilla::pkix::Result::ERROR_OCSP_UNKNOWN_CERT;
}

https://searchfox.org/mozilla-central/rev/fcfb479e6ff63aea017d063faa17877ff750b4e5/security/manager/ssl/nsNSSCallbacks.cpp#448

In an opt version, this will return an error and signing will fail.

That comes from here:
https://hg.mozilla.org/mozilla-central/rev/47d306cfac90#l9.805
from bug 1456489 which landed on mozilla62 so TB 60 ESR is not affected.

Dana and Franziskus, what do we need to do here? I'll attach the call stack in the next comment.

Magnus, this falls into your territory, any interest to take this bug?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(franziskuskiefer)
Flags: needinfo?(dkeeler)
Summary: Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired. → S/MIME signing broken in TB 63 beta and TB 64 Daily (soon beta)

Richard, you're on Daily and use S/MIME. Have you not seen any malfunction?
Flags: needinfo?(richard.marti)

Looks like at nsMsgComposeSecure.cpp:857 we call SharedCertVerifier::VerifyCert() and that doesn't like to run on the main thread any more :-(

I haven't used it for some time. Trying to add it fails.
Flags: needinfo?(richard.marti)

I believe your two options are a) pass CertVerifier::FLAG_LOCAL_ONLY as the flags argument to CertVerifier::VerifyCert (this will disable active revocation checking like OCSP fetching) or b) make the call to CertVerifier::VerifyCert off the main thread somehow (may involve significant refactoring of nsMsgComposeSecure::MimeCryptoHackCerts et al.).
Flags: needinfo?(dkeeler)
Attached patch 1500003-fix-smime.patch (obsolete) — Splinter Review

Thanks Dana, that works fine. We already use that flag elsewhere:
https://searchfox.org/comm-central/search?q=CertVerifier%3A%3AFLAG_LOCAL_ONLY&case=false&regexp=false&path=mailnews%2F

So this is at least a short term fix to get the beta on the road again.
Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(franziskuskiefer)
Attachment #9019155 - Flags: review?(mkmelin+mozilla)
Attached patch 1500003-fix-smime.patch (v1b) (obsolete) — Splinter Review
There was another call site which most likely wouldn't have worked either.
Attachment #9019155 - Attachment is obsolete: true
Attachment #9019155 - Flags: review?(mkmelin+mozilla)
Attachment #9019156 - Flags: review?(mkmelin+mozilla)

Maximilian: Thanks for reporting and sorry about telling you the wrong thing. We'll get it fixed for TB 64 beta out in a few days. In the meantime you can use TB 60.2.1.

(In reply to Jorg K (GMT+2) from comment #14)
> Maximilian: Thanks for reporting and sorry about telling you the wrong
> thing. We'll get it fixed for TB 64 beta out in a few days. In the meantime
> you can use TB 60.2.1.

Ah, cheers mate, I actually enjoyed reading all that.
I'm just glad it wasn't an error on my side, as I was worried I had messed something up. Glad I could help though ^^

Comment on attachment 9019156 [details] [diff] [review]
1500003-fix-smime.patch (v1b)

Review of attachment 9019156 [details] [diff] [review]:
-----------------------------------------------------------------

Seems to work fine, r=mkmelin

::: mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@@ +858,5 @@
>                                    certificateUsageEmailRecipient,
>                                    mozilla::pkix::Now(),
>                                    nullptr, nullptr,
> +                                  builtChain,
> +                                  CertVerifier::FLAG_LOCAL_ONLY)
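
Review bot: passing CertVerifier::FLAG_LOCAL_ONLY to VerifyCert here switches off active revocation checking (OCSP fetching) for the recipient certificate being verified with certificateUsageEmailRecipient, as comment 10 points out, yet the hunk carries no comment saying why the flag is present; add one stating that it is a workaround for VerifyCert no longer accepting main-thread calls since bug 1456489, so that the flag is revisited once the verification is moved off the main thread and revocation checking can be restored.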

I think you should add a comment here about why we add the flag, so that we remember to remove that at some (distant) future.
Attachment #9019156 - Flags: review?(mkmelin+mozilla) → review+

Now with comment.
Assignee: nobody → jorgk
Status: NEW → ASSIGNED
Attachment #9019498 - Flags: review+
Attachment #9019156 - Attachment is obsolete: true
Comment on attachment 9019498 [details] [diff] [review]
1500003-fix-smime.patch (v1c)

We'll fix it in TB 64 beta.
Attachment #9019498 - Flags: approval-comm-beta+
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/73ea8939f5e0
fix S/MIME certificate verification by adding flags parameter. r=mkmelin
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 65.0