Open Bug 1753886 Opened 3 years ago Updated 3 years ago

S/MIME X.509 certificate validation fails

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Version:
Thunderbird 91
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: rufus.buschart, Unassigned)

Details

Attachments

(6 files)

Error message in Thunderbird
340.39 KB, image/png
Details
Valid in GMail
302.71 KB, image/png
Details
Certificate in Gmail
112.56 KB, image/png
Details
Certificate
13.57 KB, application/x-x509-ca-cert
Details
Repro NOT working with EE embedded.eml
26.47 KB, message/rfc822
Details
Repro working with full CA chain embedded.eml
41.74 KB, message/rfc822
Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 Edg/98.0.1108.43

Steps to reproduce:

In Thunderbird on OS X I open an email with an S/MIME signature that was created with the private key of a publicly trusted end-entity-certificate.

Actual results:

The S/MIME signature is displayed as "invalid". See attached screenshot.

Expected results:

The signature should be displayed as "valid", like it is on Outlookk for Windows or within GMail. See attached screenshot.

Ideally Thunderbird would display a message, why it considers a certificate as "invalid".

Attached image Valid in GMail
Attached image Certificate in Gmail
Attached file Certificate

I have been able to reproduce this behavior also on an out-of-the-box Windows with Thunderbird.

One additional update: if the S/MIME signature contains a full certificate chain, the signature is validated correctly, but if Thunderbird has to download the intermediate and issuing CAs from the AIPs it fails.

Is there someone who could have a look in this issue?

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: