Closed Bug 1752799 Opened 4 years ago Closed 24 days ago

Support OpenPGP hidden recipients (message encrypted to key ID 0x0000000000000000)

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED FIXED
153 Branch

People

(Reporter: mathias.schindler, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

(Whiteboard: [RNP] [mailsec-broken-fixwanted])

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36

Steps to reproduce:

I am using thunderbird on a Macbook Air (M1), sending PGP encrypted emails to other users running Apple Mail.

Actual results:

In recent weeks, colleagues have reported being unable to read encrypted emails from their colleagues anymore.

The Thunderbird error message reads "Der zum Entschlüsseln dieser Nachricht benötigte geheime Schlüssel ist nicht vorhanden" (I could not find the exact English version of this message in the Localisation page because https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Thunderbird/Thunderbird_Localization does not exist any more).

The Email from Apple Mail is - according to Thunderbird - however encrypted to a user with the following key ID "0x0000000000000000". Using command line gpg2 tools, this Thunderbird message appears to be correct but I am unable to fully reproduce the error to determine if Apple Mail or Thunderbird is the source of the problem.

Expected results:

Encrypted emails from Thunderbird and Apple Mail should be readable again.

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

IIUC, an encrypted message, sent using Apple Mail, received using Thunderbird, cannot be decrypted by Thunderbird, correct?

If yes, please help me reproduce the bug.
Please ask a user of Apple Mail to obtain the following test key
https://keys.openpgp.org/search?q=bob-test%40kuix.de
and send an encrypted test message to bob-test@kuix.de

Flags: needinfo?(mathias.schindler)

please mention the bug number in the test email, and please comment in this bug after the test message was sent.

Dear Kai,

I asked my colleague to send you a test mail to the address provided. Thank you for looking into it.

Flags: needinfo?(mathias.schindler)

Thanks. FYI, nothing arrived yet.

Ok, I've received the test message.

I'm able to reproduce the issue using 91.x and also using the RNP 0.15.2 command line tools.

Inspecting the OpenPGP encrypted message using low level tools shows:

Old: Public-Key Encrypted Session Key Packet(tag 1)(396 bytes)
	New version(3)
	Key ID - 0x0000000000000000
	Pub alg - RSA Encrypt or Sign(pub 1)
	RSA m^e mod n(3071 bits) - ...
		-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02

No such entry is present for the key ID of the key that I have asked to encrypt to.
However, using gnupg, having the above (comment 1) example key as the only available key, gnupg is able to decrypt.

I conclude that gnupg apparently attempts to decrypt using any available secret key,
while apparently RNP only attempts a decryption using the key ID specified - and if that one (id 000...) isn't present, RNP gives up.

Nickolay, would it make sense to change RNP to also fall back and attempt to decrypt using any available secret key?

Flags: needinfo?(o.nickolay)
Summary: Exchanging encrypted emails with other users running Apple Mail causes problems → Encrypted OpenPGP email from Apple Mail cannot be decrypted by Thunderbird

Hi Kai,
This is what is called 'hidden recipients', and is tracked via this RNP issue: https://github.com/rnpgp/rnp/issues/1275
We plan to get to this issue soon and include it in the v0.17.0 release. It's not hard to implement, but needs some thinking on how to conveniently expose it well via the API.

Flags: needinfo?(o.nickolay)

Thanks Nickolay

Summary: Encrypted OpenPGP email from Apple Mail cannot be decrypted by Thunderbird → Support OpenPGP hidden recipients (message encrypted to key ID 0x0000000000000000)
Whiteboard: [needs new RNP feature]

Dear Kai, Nickolay,

thank you both for your fast reply and the information.

Is there anything users can do in the meantime to access their emails?

Kind regards
Mathias

Summary: Support OpenPGP hidden recipients (message encrypted to key ID 0x0000000000000000) → Encrypted OpenPGP email from Apple Mail cannot be decrypted by Thunderbird
Whiteboard: [needs new RNP feature]
Summary: Encrypted OpenPGP email from Apple Mail cannot be decrypted by Thunderbird → Support OpenPGP hidden recipients (message encrypted to key ID 0x0000000000000000)
Whiteboard: [needs new RNP feature]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [needs new RNP feature] → [RNP]

Is there a reason why RNP doesn't want to try all secret keys automatically by default?

At first glance it could have 1) performance issues 2) security issues (all secret keys need to be unlocked to attempt decryption).
At least RNP should somehow tell caller about the case / ask whether such behaviour is permitted.

If you don't want any global state or changed APIs - or - if you want to offer this functionality prior to finding a good API, then you could use an environment variable. If an optional environment variable is set, AND if a key ID 0000.. is found, then try all keys.
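As an added illustration of the packet structure shown in comment 4 and of the two decryption policies discussed above (strict key-ID matching versus trying every available secret key when the PKESK names the wildcard ID 0x0000000000000000), here is a small standalone Python parser. It is example code written for this bug page, not RNP's or Thunderbird's implementation; the packet bytes, key IDs and function names are constructed for the demonstration, and the RSA MPI is a placeholder rather than real ciphertext.

```python
"""Detect OpenPGP "hidden recipient" PKESK packets and decide which secret keys to try.

Packet layout follows RFC 4880: a Public-Key Encrypted Session Key packet (tag 1)
is version 3, an 8-byte key ID, a 1-byte public-key algorithm, then MPIs.
A key ID of all zeros means "any key may try" (hidden / anonymous recipient).
"""
import struct

WILDCARD_KEY_ID = b"\x00" * 8  # the 0x0000000000000000 ID seen in the bug report
TAG_PKESK = 1


def parse_packet_header(data: bytes, offset: int = 0):
    """Return (tag, body_start, body_len) for the packet header at `offset`.

    Handles both old-format and new-format headers; partial-body and
    indeterminate lengths are rejected because they are irrelevant here.
    """
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        l1 = data[offset + 1]
        if l1 < 192:
            return tag, offset + 2, l1
        if l1 < 224:
            return tag, offset + 3, ((l1 - 192) << 8) + data[offset + 2] + 192
        if l1 == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (first >> 2) & 0x0F  # old-format header
    ltype = first & 0x03
    if ltype == 0:
        return tag, offset + 2, data[offset + 1]
    if ltype == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if ltype == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate length not supported")


def parse_pkesk(body: bytes) -> dict:
    """Parse a version-3 PKESK body into its key ID, algorithm and hidden flag."""
    if body[0] != 3:
        raise ValueError(f"unsupported PKESK version {body[0]}")
    key_id = body[1:9]
    return {"key_id": key_id, "pub_alg": body[9], "hidden": key_id == WILDCARD_KEY_ID}


def list_recipients(message: bytes) -> list:
    """Walk the packet sequence and collect every PKESK (one per recipient)."""
    recipients, off = [], 0
    while off < len(message):
        tag, start, length = parse_packet_header(message, off)
        if tag == TAG_PKESK:
            recipients.append(parse_pkesk(message[start:start + length]))
        off = start + length
    return recipients


def select_candidate_keys(recipients, secret_key_ids, allow_hidden_fallback=False):
    """Return the (pkesk_index, key_id) pairs a decryptor should attempt, in order.

    Strict mode mirrors the RNP 0.15 behaviour described in the bug: only a PKESK
    whose key ID names one of our secret keys is tried, so a hidden recipient fails.
    With allow_hidden_fallback=True, a wildcard PKESK is tried against every secret
    key we hold, which is the gnupg behaviour; the cost is that every one of those
    keys may have to be unlocked, which is the performance/security concern raised above.
    """
    candidates = []
    for i, r in enumerate(recipients):
        if r["key_id"] in secret_key_ids:
            candidates.append((i, r["key_id"]))
        elif r["hidden"] and allow_hidden_fallback:
            candidates.extend((i, k) for k in sorted(secret_key_ids))
    return candidates


# Constructed sample: two PKESKs (one for KEY_B, one hidden) followed by a stub
# SEIPD packet (tag 18). The MPI bytes are placeholders, not real RSA output.
KEY_A = bytes.fromhex("1122334455667788")
KEY_B = bytes.fromhex("99aabbccddeeff00")
FAKE_MPI = b"\x00\x10\xab\xcd"  # 16-bit MPI placeholder
PKESK_B = b"\x84\x0e\x03" + KEY_B + b"\x01" + FAKE_MPI           # old-format header
PKESK_HIDDEN = b"\xc1\x0e\x03" + WILDCARD_KEY_ID + b"\x01" + FAKE_MPI  # new-format header
SEIPD_STUB = b"\xd2\x03\x01\xaa\xbb"
SAMPLE_MESSAGE = PKESK_B + PKESK_HIDDEN + SEIPD_STUB

if __name__ == "__main__":
    recs = list_recipients(SAMPLE_MESSAGE)
    for r in recs:
        print(f"PKESK key ID 0x{r['key_id'].hex()} hidden={r['hidden']}")
    print("strict, holding KEY_A:", select_candidate_keys(recs, {KEY_A}))
    print("fallback, holding KEY_A:", select_candidate_keys(recs, {KEY_A}, True))
```

Running it with only KEY_A in the keyring reproduces the bug in strict mode (no candidate, so decryption cannot even be attempted) and yields one attempt against KEY_A once the hidden-recipient fallback is enabled; a decryptor that wants to avoid unlocking every key could instead present the candidate list for the user to pick from, as the later comment suggests.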

I ran into the same issue, screenshots attached. I know I have one of the keys, I could even let Thunderbird know which of my own private keys it needs to use, but it just won't let me. As a user, this is frustrating.

I think the obvious UI would be to let me select the key to try for decryption. That would take care of the performance issue (since it would be an explicit action, so then a small wait time would be expected) and I don't quite see how it's a security issue if I manually decide for a specific mail that I want it to try to decrypt it.

Or is the expectation somehow that Thunderbird is likely to get owned by maliciously manipulated encrypted emails that it tries to decrypt? But that seems like it would cause issues elsewhere too if true.

Whiteboard: [RNP] → [RNP] [mailsec-broken-fixwanted]
Assignee: nobody → kaie
Status: NEW → ASSIGNED

The attached patch will allow decryption in TB.

To report the used key ID in the user interface, we'll require a fix to RNP.
Currently rnp_op_verify_get_used_recipient doesn't return it.
I have a patch which I will submit upstream.

The additional pull request is:
https://github.com/rnpgp/rnp/pull/2391

If accepted upstream, we'll need to locally patch, or upgrade to a newer version of RNP.

Pushed by edicharry@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/5e7f8066ffbe
Support hidden recipients when decrypting OpenPGP. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 24 days ago
Resolution: --- → FIXED
Target Milestone: --- → 153 Branch
