Closed Bug 1662913 Opened 2 years ago Closed 2 years ago

Thunderbird 78.2.1 fails when signing with a PIV smartcard

Categories: MailNews Core :: Security: S/MIME, defect
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: wolfgang, Unassigned
Keywords: regression

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Steps to reproduce:

Digitally signing an outgoing email fails with a popup saying "Unable to sign message" and to check the mail account for valid and trusted certs. All certs were checked and trusted, and the correct S/MIME certs were loaded. The PIN was also requested and entered. Middleware is ActivID x64 (7.1.0.257) - FIXS1911001, and it works with Chrome as expected.

Actual results:

Mail was not sent. Popup failure message:

Sending of the message failed:
Unable to sign message. Please check that the certificates specified
in Mail & Newsgroups Account Settings for this mail account are
valid and trusted for mail.

Expected results:

Message should have been digitally signed and sent. Encryption-only works as expected, but without the digital signature.

The PIV card works with Thunderbird 68.11.0 on Linux.

Component: Untriaged → Security: S/MIME
Keywords: regression
Product: Thunderbird → MailNews Core

It's currently unknown if this is because of changes in Thunderbird code or in NSS code.

Note that this problem appears on the Windows 10 version of Thunderbird; I might not have been clear. The application in use is ActivID for Windows. Is NSS an option on Windows 10? I'd be happy to try it! Note that ActivID is the approved smartcard application for government Windows hosts.

Further information:

I reproduced the problem with Tbird 68.11.0, 32-bit. Both versions of Tbird worked with ActivID using the CAC. Both versions fail to sign outgoing messages when using a patched version of ActivID to allow PIV compatibility. It's tempting to blame ActivID, but it works okay when using the PIV to authenticate to web sites using Chrome. A good test would be to use Outlook to PIV-sign email, but I don't have that available here. I'll try to arrange a test.

The PIV is supposed to contain three certs, all are visible with the ActivID user console, but only one is available for selection in the Tbird certificate association screen. Could Tbird not be seeing the correct signing cert?

Again, Tbird 68.11.0 works perfectly on Linux (openSUSE Leap 15.2) with opensc as the middleware. Coolkey wasn't able to handle the PIV smartcard.

(In reply to Train Dancer from comment #2)

Is NSS an option on Windows 10?

It's Thunderbird that uses NSS

(In reply to Train Dancer from comment #2)

I reproduced the problem with Tbird 68.11.0, 32-bit.

This seems to be a contradiction to your later statement:

Again, Tbird 68.11.0 works perfectly on Linux (openSUSE Leap-15.2) with opensc as the middleware.

If this isn't influenced by Thunderbird version, but rather by version of smartcard specific software, then the problem seems to be outside the scope of Thunderbird.

Make sure you have the correct ActivID PKCS #11 module installed in your Thunderbird. NSS uses PKCS #11, not the Microsoft CAPI stuff. If you don't have the PKCS #11 module installed, it isn't going to work. Chrome is likely using CAPI, so it's a different part of the ActivID software.

It works!

The problem was with ActivID, which is the proprietary and supported Smartcard reader module approved for government use. ActivID works as expected with Microsoft Outlook, Edge, and Chrome, but partially with Thunderbird.

The fix:

Download and install OpenSC-0-20-0 and load the opensc-pkcs11.dll module in Thunderbird.

Thanks to Kai and Robert for their suggestions.
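The fix above hinges on Bob's point that NSS only talks to smartcard middleware through a registered PKCS #11 module, not through CAPI. The following script is an added example, not part of this bug report and not Thunderbird or OpenSC tooling: it parses the pkcs11.txt that NSS keeps in a profile directory and reports which modules are registered, so a missing or misnamed middleware DLL can be spotted before the certificates are blamed. It assumes the pkcs11.txt layout (blank-line separated stanzas of key=value lines, the first being NSS's built-in softoken flagged "internal"); the sample profile, module names and paths are constructed for the example.

```python
"""List the PKCS #11 modules registered in an NSS profile's pkcs11.txt.

NSS (which Thunderbird uses for S/MIME) loads smartcard middleware only through
the PKCS #11 modules listed in the profile's pkcs11.txt, never through CAPI.
This parser reports what is registered so a missing module can be spotted.
"""
import os
import re

# Constructed sample of a Thunderbird profile's pkcs11.txt (assumed format:
# blank-line separated stanzas of key=value lines; the first stanza is NSS's
# own softoken, flagged "internal"). Paths and module names are made up.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\Profiles\\x.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] }  Flags=internal,critical

library=C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs211.dll
name=ActivClient
NSS=

library=C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll
name=OpenSC
NSS=
"""


def parse_pkcs11_txt(text):
    """Return one dict per stanza: name, library, nss (the NSS= line) and an internal flag."""
    modules = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = {"name": "", "library": "", "nss": ""}
        for line in stanza.splitlines():
            if "=" not in line:
                continue  # tolerate stray lines rather than abort the whole parse
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in ("name", "library", "nss"):
                entry[key] = value.strip()
        # NSS marks its built-in softoken with Flags=internal; anything else is external middleware
        entry["internal"] = bool(re.search(r"Flags=\S*\binternal\b", entry["nss"], re.IGNORECASE))
        modules.append(entry)
    return modules


def library_basename(path):
    """File name of a module library regardless of Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def external_modules(modules):
    """Modules pointing at a real library, i.e. smartcard middleware rather than the softoken."""
    return [m for m in modules if m["library"] and not m["internal"]]


def find_module(modules, library_filename):
    """Registered module whose library file name matches (case-insensitive, as Windows DLL names are)."""
    wanted = library_filename.lower()
    for m in modules:
        if library_basename(m["library"]).lower() == wanted:
            return m
    return None


def check_registered(text, library_filename, check_exists=False):
    """Report whether a middleware library is registered and, optionally, present on disk.

    Returns (status, detail); status is 'registered', 'missing-file' or 'not-registered'.
    """
    modules = parse_pkcs11_txt(text)
    mod = find_module(modules, library_filename)
    if mod is None:
        names = ", ".join(m["name"] for m in external_modules(modules)) or "none"
        return ("not-registered", f"{library_filename} not in pkcs11.txt; external modules: {names}")
    if check_exists and not os.path.isfile(mod["library"]):
        return ("missing-file", f"{mod['name']} is registered but {mod['library']} does not exist")
    return ("registered", f"{mod['name']} -> {mod['library']}")


if __name__ == "__main__":
    # Against a real profile, read os.path.join(profile_dir, "pkcs11.txt") instead of the sample.
    for mod in parse_pkcs11_txt(SAMPLE_PKCS11_TXT):
        kind = "softoken" if mod["internal"] else "external"
        print(f"{mod['name']:32} {kind:9} {mod['library'] or '(built in)'}")
    print(check_registered(SAMPLE_PKCS11_TXT, "opensc-pkcs11.dll"))
    print(check_registered(SAMPLE_PKCS11_TXT, "coolkeypk11.dll"))
```

Run against a real profile, a "not-registered" result for opensc-pkcs11.dll is exactly the situation in this bug: the card and its certificates are fine, but Thunderbird has no PKCS #11 path to reach the signing key. Pass check_exists=True to also catch a module that was registered and later uninstalled, which NSS silently skips at startup.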

Thanks Bob for helping out!

Train Dancer, thanks for reporting back.

Marking invalid.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

You're welcome. I thought ActivID had its own PKCS #11 module for Windows. My backup suggestion was to load opensc, which we use on Linux for PIV support. I see you beat me to that recommendation ;)

Quite frankly, the whole smartcard infrastructure is rather opaque. We are mostly a Linux shop and have used Thunderbird for years with coolkey and pcscd. But occasionally, usually for political reasons, Windows must be used. The PIV card update broke coolkey, requiring a switch to opensc on the Linux side.

My confusion:

Linux: Smartcard > pcscd > opensc > Thunderbird
Windows: Smartcard > opensc > Thunderbird

Does this imply that in the Windows environment opensc can interface directly with the CAC/PIV reader? Where's the analog for pcscd?

Maybe ActivID can serve as the analog for both pcscd and opensc? Maybe opensc short-circuits some of ActivID's functionality but uses its interface with the reader?

I haven't heard anything yet from our Apple Mac friends, but I expect to hear complaints as CACs are replaced with PIV cards going forward.

Puzzling.

  • The pcsc interface was originally a Microsoft interface to access smart cards through various readers in a consistent way. The Linux pcsc-lite (with the pcscd daemon) mimics the Microsoft built-in pcsc support. Apple also uses the open-source pcsc-lite (though generally hides the library interface from applications).

  • ActivID is a CAPI driver that works on Microsoft (and itself uses pcsc). At one time they shipped a PKCS #11 driver as well. I guess they don't any longer?

  • Coolkey was maintained by me initially to give coolkey, CAC, and PIV support on Linux. opensc initially only supported PKCS #15 file system cards. When PIV support was added to opensc, and PKCS #15 support was added to coolkey, it became clear that they were merging in functionality, and since I was the only maintainer of coolkey, I added CAC and coolkey support to opensc and we dropped further updates to coolkey (other than bug fixes).

If your Apple friends are using opensc, they should be fine. Apple has a PKCS #11 provider and a lot of people and applications use that provider to supply support for their cards.

Wow! A truckload of thanks go to you, Robert! Without coolkey, and now opensc, legions of Linux users would have been forced to use Windows. Since many technical/scientific people can't use Windows for their work, they would need to use two operating systems when required to use CAC/PIV cards. You've helped to make my life tolerable for more than a decade now.

I guess ActivID still ships with a pkcs11 driver (acpkcs211.dll), that's what I loaded into Thunderbird. I guess Microsoft applications don't use this driver, which implies that this is where our bug resides?

I guess ActivID still ships with a pkcs11 driver (acpkcs211.dll), that's what I loaded into Thunderbird. I guess Microsoft applications don't use this driver, which implies that this is where our bug resides?

Yup
