Open Bug 1549709 Opened 5 years ago Updated 1 year ago

Check if Thunderbird still supports dual-key certificates

Categories

(MailNews Core :: Security: S/MIME, task)

Tracking

(Not tracked)

People

(Reporter: KaiE, Unassigned)

Attachments

(2 files)

Bug 1319185 removed code that was previously used to enable support for dual-key certificates (two certificates with the same subject, one for encryption, one for signatures).

I suggest investigating whether dual-key certificates still work with S/MIME.

Type: defect → task
Severity: normal → S3

They seem to work (RSA).

I am attaching scripts for generating self-signed (bug#1523130#c8) certificates for RSA and NIST (prime256v1/secp384r1/secp521r1 bug#676118 not yet supported). Good for testing key scheme: C + S + E, on a living organism. CABForum SMIME BRs "ready" (no OCSP).

Perhaps this is the wrong ticket, but I would like to mention some of the main flaws in handling double keys. I have not checked if all these bugs have been fixed, perhaps they have.

For CA-signed and self-signed certificates:
bug#540498 (Th. adds S and E without root C in signed message), bug#971271, bug#339214, bug#209347 (encrypKeyPref [OID 1.2.840.113549.1.9.16.2.11] seems to work in signing message, auto-mode), bug#209348

And bug#1745483, bug#667200, bug#208286, bug#1251543, bug#209182 (it would be nice if Th. supported .p7b ASCII, .p7c binary files - "degenerate" SignedData objects), bug#145376, bug#185166 and maybe bug#1243449 (meta)

I also found a description of the software that supports dual keys:
https://help.hcltechsw.com/domino/11.0.0/conf_dualinternetcertificatesforsmimeencryptionandsign_c.html

You can realize what tests can be performed in the current state and what functions can be implemented.

Links:
https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates
https://datatracker.ietf.org/doc/html/rfc8550

NSS project page > S/MIME Toolkit (goals, Feature List)
https://www-archive.mozilla.org/projects/security/pki/nss/smime/

User-Agent:
Thunderbird 102.11.0 (64-bit), Windows 10

Attached file RSA_dual-key.tar.gz
Attached file NIST_dual-key.tar.gz
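
For readers without the attachments, the following added example (not the attached scripts and not code from this bug) builds a throwaway C + S + E set with the OpenSSL CLI: one root, plus a signing and an encryption certificate that share a subject and differ only in keyUsage. It assumes OpenSSL 1.1.1 or later; the subject, file names and helper function names are constructed for illustration.

```shell
# Added example (not the attached scripts); every name below is constructed.
make_dual_key_set() (
    # Subshell body: the caller's working directory is left untouched.
    mkdir -p "$1" && cd "$1" || exit 1
    subj="/CN=Test User/emailAddress=user@example.test"
    cat > dual.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_sign]
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.test
[v3_encr]
keyUsage = critical,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.test
EOF
    # C: throwaway self-signed root.
    openssl req -x509 -config dual.cnf -extensions v3_root -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Example Test Root" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # S and E: separate key pairs, identical subject, different keyUsage.
    for role in sign encr; do
        openssl req -new -config dual.cnf -newkey rsa:2048 -nodes \
            -subj "$subj" -keyout "$role.key" -out "$role.csr" 2>/dev/null &&
        openssl x509 -req -in "$role.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -extfile dual.cnf \
            -extensions "v3_$role" -out "$role.crt" 2>/dev/null || exit 1
    done
)

# Report which role a certificate's keyUsage allows.
cert_role() {
    case $(openssl x509 -in "$1" -noout -ext keyUsage) in
        *"Digital Signature"*) echo sign ;;
        *"Key Encipherment"*) echo encrypt ;;
        *) echo unknown ;;
    esac
}

# usable_for DIR CERT PURPOSE: chain and purpose check (smimesign/smimeencrypt).
usable_for() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}
```

The purpose check is the useful part for testing a mail client: each certificate should validate only for its own role, so a client that picks the wrong one of the pair for signing or encryption is making a selection error, not a chain error.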