Open Bug 1756413 Opened 2 years ago Updated 3 months ago

Thunderbird: Implement support for using RSA-PSS certificates with S/MIME

Categories

(Thunderbird :: Security, enhancement)

Thunderbird 91
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: florian.unger, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.105 Safari/537.36

Steps to reproduce:

I got a new S/MIME certificate from D-Trust type "D-TRUST Advanced Enterprise ID RSA-PSS" and imported it into Thunderbird.
I made sure the Root and Intermediate certificate had the correct trust settings ("This certificate can identify mail users").

The Thunderbird version is 91.6.0

The Certification Practice Statement of D-Trust can be found here: https://www1.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf

The certificate settings are:

```ini
keyUsage=critical,digitalSignature, keyEncipherment, dataEncipherment
subjectKeyIdentifier=hash
crlDistributionPoints=crlDistributionPoint0_sect
certificatePolicies=ia5org,@certpol0_sect, 0.4.0.2042.1.3
authorityInfoAccess=@authorityInfoAccess_sect

authorityKeyIdentifier=keyid
extendedKeyUsage=clientAuth, emailProtection

[authorityInfoAccess_sect]
OCSP;URI.0=http://application-certificates-ca-3-1-2013.ocsp.d-trust.net
caIssuers;URI.1=http://www.d-trust.net/cgi-bin/D-TRUST_Application_Certificates_CA_3-1_2013.crt
caIssuers;URI.2=ldap://directory.d-trust.net/CN=D-TRUST%20Application%20Certificates%20CA%203-1%202013,O=D-Trust%20GmbH,C=DE?cACertificate?base?

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.4788.2.200.2
CPS.0=http://www.d-trust.net/internet/files/D-TRUST_CSM_PKI_CPS.pdf

[crlDistributionPoint0_sect]
fullname=@crlDistributionPoint0_sect_fullname_sect

[crlDistributionPoint0_sect_fullname_sect]
URI.0=ldap://directory.d-trust.net/CN=D-TRUST%20Application%20Certificates%20CA%203-1%202013,O=D-Trust%20GmbH,C=DE?certificaterevocationlist
URI.1=http://crl.d-trust.net/crl/d-trust_application_certificates_ca_3-1_2013.crl
URI.2=http://cdn.d-trust-cloudcrl.net/crl/d-trust_application_certificates_ca_3-1_2013.crl
```

Actual results:

When I try to send a signed email it always fails with error
"Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

I suspect this might happen because this Certificate is signed using "rsassaPss", which is not common yet?

The log shows this error (logged from resource:///modules/MessageSend.jsm:131:27):

```
mailnews.send: Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]", result: 2147500037, filename: "resource:///modules/MimeMessage.jsm", lineNumber: 457, columnNumber: 0, data: null, location: XPCWrappedNative_NoHelper, stack: ... }

_startCryptoEncapsulation@resource:///modules/MimeMessage.jsm:457:25
_writePart@resource:///modules/MimeMessage.jsm:502:12
async*createMessageFile@resource:///modules/MimeMessage.jsm:85:18
createAndSendMessage@resource:///modules/MessageSend.jsm:129:41
CompleteGenericSendMessage@chrome://messenger/content/messengercompose/MsgComposeCommands.js:4962:23
GenericSendMessage@chrome://messenger/content/messengercompose/MsgComposeCommands.js:4898:29
SendMessage@chrome://messenger/content/messengercompose/MsgComposeCommands.js:5417:21
doCommand@chrome://messenger/content/messengercompose/MsgComposeCommands.js:965:11
doCommand@chrome://messenger/content/messengercompose/MsgComposeCommands.js:1143:9
goDoCommand@chrome://global/content/globalOverlay.js:123:18
oncommand@chrome://messenger/content/messengercompose/messengercompose.xhtml:1:12
```

Expected results:

The email should be signed and sent successfully ;)
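One way to confirm the suspicion in the report above (that the certificate is an RSASSA-PSS certificate) is to read the algorithm identifiers straight out of the DER. The following is an added example, not Thunderbird's or the reporter's code: it uses only the Python standard library, and `skeleton_cert()` builds a constructed, non-functional certificate skeleton so the check runs offline; `cert_algorithms()` accepts the raw bytes of any real DER certificate as well.

```python
# Added example, not Thunderbird's code: a stdlib-only DER walk that reports which
# algorithm OIDs a certificate carries, to confirm a suspected RSASSA-PSS certificate.
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "1.2.840.113549.1.1.10": "rsassaPss"}       # RFC 4055 id-RSASSA-PSS, the case in this report

def tlv(tag, body):                      # DER tag-length-value (short-form length only)
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [40 * a[0] + a[1]]
    for arc in a[2:]:                    # base-128, continuation bit on all but the last byte
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc: chunk.insert(0, (arc & 0x7F) | 0x80); arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(b):
    arcs, acc = list(divmod(b[0], 40)), 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def children(seq):                       # split a SEQUENCE body into (tag, value) parts
    out, pos = [], 0
    while pos < len(seq):
        tag, n, pos = seq[pos], seq[pos + 1], pos + 2
        if n & 0x80:                     # long form: low 7 bits count the length bytes
            k = n & 0x7F; n, pos = int.from_bytes(seq[pos:pos + k], "big"), pos + k
        out.append((tag, seq[pos:pos + n])); pos += n
    return out

def alg_name(alg_body):                  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    o = decode_oid(children(alg_body)[0][1]); return OIDS.get(o, o)

def cert_algorithms(der):
    """Names of (tbs.signature, signatureAlgorithm, subjectPublicKeyInfo.algorithm)."""
    (_, tbs), (_, sig_alg), _ = children(children(der)[0][1])
    f = children(tbs)
    f = f[1:] if f[0][0] == 0xA0 else f  # skip the optional [0] EXPLICIT version
    return alg_name(f[1][1]), alg_name(sig_alg), alg_name(children(f[5][1])[0][1])

def skeleton_cert(sig_oid, key_oid):
    """Constructed X.509 skeleton (not a real certificate); only the algorithm fields matter."""
    sig, key = (tlv(0x30, tlv(0x06, encode_oid(o))) for o in (sig_oid, key_oid))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig    # version v3, serial, signature
           + tlv(0x30, b"") * 3                                        # empty issuer, validity, subject
           + tlv(0x30, key + tlv(0x03, b"\x00")))                      # subjectPublicKeyInfo
    return tlv(0x30, tlv(0x30, tbs) + sig + tlv(0x03, b"\x00"))
```

The third value is the one that matters for the client: id-RSASSA-PSS in subjectPublicKeyInfo means the end-entity key itself is restricted to PSS (RFC 4055), whereas id-RSASSA-PSS only in signatureAlgorithm merely means the CA signed with PSS.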

INT, do you still see this problem?

Component: Untriaged → Security
Flags: needinfo?(florian.unger)

Yes, I still see this problem.
I tested with version 104.0a1 (2022-07-16) (64-bit)

Flags: needinfo?(florian.unger)

Can you check if you have all required intermediate certificates installed?

If you have, how could I get a sample certificate for myself, so I could try to reproduce?

I have all required intermediate certificates installed. I use a D-Trust certificate; I think the root "D-TRUST Root CA 3 2013" and intermediate certificate "D-TRUST Application Certificates CA 3-1 2013" are included with Thunderbird by default.

Unfortunately there is no provider to get RSA-PSS/RSASSA-PSS certificates from for free.
The cheapest I found was
https://www.psw-group.de/smime/advanced-enterprise-rsa-a010031/

This special type of certificate is required to send and receive EDIFACT messages. In Germany, many medium-sized but also privately owned solar and other renewable energy plants are now required to use this type of email encryption. For details (only available in German) see:
https://www.bundesnetzagentur.de/DE/Beschlusskammern/BK06/BK6_83_Zug_Mess/835_mitteilungen_datenformate/Mitteilung_21/EBD_%C3%9Cbertragungsweg_Konsultationsdokumente/Regelungen_zum_Uebertragungsweg_1_5.pdf?__blob=publicationFile&v=1#:~:text=Diese%20Regelung%20gilt%20ausschlie%C3%9Flich%20f%C3%BCr,beiden%20Marktpartnern)%20aufrecht%20zu%20halten.

I don't know any email client that can handle this type of certificate; Outlook cannot do this either. It would be great if Thunderbird could become a platform for EDIFACT communication.
At the moment I work with a small self-written Python script that does the email encryption: https://github.com/intrdp/Send_RAIDA_EMail

Thanks for clarifying this is about RSA-PSS.

I think there hasn't yet been any testing on Thunderbird's S/MIME code with this kind of certificate.
We'd need someone to donate a test certificate to proceed with this enhancement.

Type: defect → enhancement
Summary: Thunderbird fails to send SMIME signed mail, Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]" → Thunderbird: Implement support for using RSA-PSS certificates with S/MIME