Closed Bug 1777781 Opened 3 years ago Closed 3 years ago

Digital signature of S/MIME signed message shown as not valid

Categories

(MailNews Core :: Security: S/MIME, defect, P4)

Thunderbird 102

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: pavel, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

export.zip (250.23 KB, application/x-zip-compressed)

Steps to reproduce:

I have opened an email message, from a bank, that is digitally signed with an S/MIME signature. Thunderbird recognizes the signature, but shows it as "not valid", because of potential altering/tampering with the message.
You can reproduce it on the attached email message, after importing it into a mailbox. (Just opening it from a file does not process S/MIME validation.)
The signature is validated in other email clients, but not in Thunderbird.

Actual results:

Thunderbird recognizes the affected email's S/MIME signature as "not valid", as if it had been altered/tampered with.
I do not know how to generate debug logs for S/MIME operations.

Expected results:

Thunderbird should validate that S/MIME signature successfully.

Component: Untriaged → Security
Priority: -- → P4
Component: Security → Security: S/MIME
Product: Thunderbird → MailNews Core
Blocks: tb102found

I have analyzed the message, and it really is BAD.

But it's really unusual.

If you look at the message source, the MIME header says

Content-Type: multipart/signed; 
	boundary="----=_Part_1086775_2137432030.1650522863189"; 
	protocol="application/pkcs7-signature"; micalg=SHA1

Looking at the inner data structure of the S/MIME signature, it says that SHA512 was used to calculate the message digest.

As a consequence, Thunderbird attempts to calculate a SHA1 digest, and that doesn't match the SHA512 from inside the signature, and it reports a mismatch.

You can perform an experiment: Save the message to a file, edit the message with a text editor, change the email header to micalg=SHA512, then open that modified message with Thunderbird, then copy it to one of your folders, then click the message in that folder. For me, it then shows a correct signature.

The message is incorrect, Thunderbird is reporting it correctly, and therefore I'm resolving this as invalid.

You should contact the people who sent this message, and make them aware of their mistake.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
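The inconsistency Kai describes, a micalg parameter on the outer multipart/signed header that disagrees with the digest algorithm declared inside the CMS SignedData, can be checked mechanically before any signature verification is attempted. The Python below is an added example; it is not Thunderbird code and does not use the bank's message from the attachment. It builds a constructed sample message carrying a minimal SignedData stub (version and digestAlgorithms only, no real signer, certificate or signature), walks the DER just far enough to read digestAlgorithms, and reports whether the two declarations agree. The OID-to-name table and the micalg normalization (RFC 5751 names such as sha-512, with legacy spellings like SHA512 accepted) are assumptions made for this example.

```python
import base64
import email
from email import policy

# Assumed mapping of digest OIDs to RFC 5751 micalg names.
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha-1",
    "2.16.840.1.101.3.4.2.1": "sha-256",
    "2.16.840.1.101.3.4.2.2": "sha-384",
    "2.16.840.1.101.3.4.2.3": "sha-512",
}
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # id-signedData


def _read_tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(data):
    parts, val = [str(data[0] // 40), str(data[0] % 40)], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def cms_digest_algorithms(der):
    """Return the digestAlgorithms OIDs from a CMS ContentInfo wrapping SignedData."""
    tag, s, _ = _read_tlv(der, 0)                 # ContentInfo SEQUENCE
    tag, s1, e1 = _read_tlv(der, s)               # contentType OID
    if tag != 0x06 or _decode_oid(der[s1:e1]) != SIGNED_DATA_OID:
        raise ValueError("not a CMS signedData structure")
    tag, s2, _ = _read_tlv(der, e1)               # [0] EXPLICIT content
    if tag != 0xA0:
        raise ValueError("missing explicit content tag")
    _, s3, _ = _read_tlv(der, s2)                 # SignedData SEQUENCE
    _, _, e4 = _read_tlv(der, s3)                 # version INTEGER
    tag, s5, e5 = _read_tlv(der, e4)              # digestAlgorithms SET OF
    if tag != 0x31:
        raise ValueError("expected digestAlgorithms SET")
    oids, p = [], s5
    while p < e5:
        _, a_s, a_e = _read_tlv(der, p)           # AlgorithmIdentifier SEQUENCE
        _, o_s, o_e = _read_tlv(der, a_s)         # algorithm OID
        oids.append(_decode_oid(der[o_s:o_e]))
        p = a_e
    return oids


def _normalize(name):
    return name.strip().lower().replace("-", "")


def check_micalg(raw):
    """Compare the outer micalg against the inner digestAlgorithms.

    Returns (micalg, inner_names, consistent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    micalg = msg.get_param("micalg") or ""
    sig_part = msg.get_payload()[1]              # second body part is the signature
    inner = [DIGEST_OIDS.get(o, o) for o in cms_digest_algorithms(sig_part.get_payload(decode=True))]
    declared = {_normalize(a) for a in micalg.split(",")}  # micalg may list several
    consistent = declared == {_normalize(a) for a in inner}
    return micalg, inner, consistent


# --- constructed sample data (not the bug's real message) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        enc = [v & 0x7F]
        v >>= 7
        while v:
            enc.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(enc))
    return _tlv(0x06, out)


def build_message(micalg, digest_oid):
    """Constructed multipart/signed message whose SignedData stub declares digest_oid."""
    alg = _tlv(0x30, _oid(digest_oid) + b"\x05\x00")           # AlgorithmIdentifier + NULL
    signed = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, alg))  # version 1, digestAlgorithms
    der = _tlv(0x30, _oid(SIGNED_DATA_OID) + _tlv(0xA0, signed))
    b = "----=_Part_example"
    return (
        "MIME-Version: 1.0\r\nSubject: constructed sample\r\n"
        f'Content-Type: multipart/signed; boundary="{b}"; '
        f'protocol="application/pkcs7-signature"; micalg={micalg}\r\n\r\n'
        f"--{b}\r\nContent-Type: text/plain\r\n\r\nHello\r\n"
        f"--{b}\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{base64.b64encode(der).decode()}\r\n"
        f"--{b}--\r\n"
    ).encode()


if __name__ == "__main__":
    for micalg in ("SHA1", "SHA512"):
        print(check_micalg(build_message(micalg, "2.16.840.1.101.3.4.2.3")))
```

Run as a script, it reports the bug's situation (outer SHA1, inner sha-512) as inconsistent and the corrected header (outer SHA512) as consistent. A mail client that uses the outer micalg to pick the digest over the body, as Kai describes Thunderbird doing, will fail verification on the first message even though the bytes were never tampered with; this check distinguishes that malformed-sender case from a genuine integrity failure.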

Dear Kai,
Thank you for your effort. I have tested it on my Thunderbird and it worked as you have written. The message composition is not correct. Unfortunately, some other email clients do not do such validation.
I will contact the originator.
Best Regards,
Pavel
