Thunderbird's S/MIME implementation should support RSAES-OAEP encryption
Categories: MailNews Core :: Security: S/MIME, defect
Tracking: Not tracked
People: Reporter: cancomert, Unassigned, NeedInfo
References: Depends on 1 open bug, Blocks 1 open bug
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Steps to reproduce:
I have configured Thunderbird to use an S/MIME private key for decryption of messages.
Message decryption is working fine if the sender generates emails with a very old algorithm such as RC2_CBC. Then I can see the content of the email and attachments in Thunderbird. I can also see the certificate used for the signature.
However, for a regulated Market Communication we must use RSAES_OAEP encryption and RsassaPss signature algorithms. For those messages I can only see:
Message Can Not Be Decrypted:
This message was encrypted before it was sent to you, but it can not be decrypted. There are unknown problems with this encrypted message.
I tried to enable Debug/Verbose level logs for the CMS Module but I could not see any errors.
Is RSAES_OAEP supported by Thunderbird?
How can I get the Technical Error logs for the Problem above?
Actual results:
Same Thunderbird instance that can decrypt the other messages with an old Algorithm can not decrypt messages with RSAES_OAEP encryption.
Expected results:
Message content for Emails with RSAES_OAEP encryption can be seen in Thunderbird.
Comment 1•2 years ago
"RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP)"
S/MIME support RSA-OAEP PKCS#1 v2.2 key transport
Instead of creating a new ticket, I'm joining this one. I made a script that creates RSA-OAEP encrypted emails, maybe it will be useful for testing this feature.
Steps to Reproduce:
1. make a self-signed cert (root+user bug#1523130#c8), import .p12 file
   1a. "Manage S/MIME Certificates" → "Your Certificates" tab → "Import..."
   1b. "Authorities" tab → "Edit Trust..."
2. create simple e-mail messages (headers, etc. low level stuff), see: bug#1011625#c20
   2a. create a "palette" of algorithms that we will test: oaep_md:sha1→sha512, mgf1_md:sha1→sha512
   2b. glue parts from openssl .p7m with email headers to .eml files
3. create folder "tests" in "Local Folders", see: bug#1806122, bug#1688163
4. open envelopedData/RSA_aes128_CBC.eml
   4a. "Copy To" → "Local Folders" → "tests"
5. open envelopedData/RSA_OAEPsha256_aes128_CBC.eml
   5a. "Copy To" → "Local Folders" → "tests"
6. open first email (from "Local Folders") RSA_aes128_CBC.eml → [decryption OK]
7. open second email RSA_OAEPsha256_aes128_CBC.eml → [decryption failed, not OK]
   7a. "Message Cannot Be Decrypted"... "There are unknown problems..."
Actual results:
Th. can't decipher RSA-OAEP emails
Expected Results:
Th. can decrypt and encrypt RSA-OAEP emails. 2 possibilities (for encrypt):
1. Th. recognizes "sMIMECapabilities" extension and the RSA-OAEP fields contained therein and can encrypt emails using "RSA-OAEP" to a recipient sending such an extension with signed SMIME message.
   1a. Th. sends an "sMIMECapabilities" extension containing "RSA-OAEP" fields with each signed SMIME message.
2. When recipient has an RSA certificate, Th. defaults the key transport encryption to RSA-OAEP. The default setting can be turned off in the "Config Editor" (PKCS #1 Version 1.5 key transport -- LEGACY).
   2a. Th. sends an "sMIMECapabilities" extension containing "RSA-OAEP" fields with each signed SMIME message.
rfc8017#section-7 :
Two encryption schemes are specified in this document: RSAES-OAEP and
RSAES-PKCS1-v1_5. RSAES-OAEP is REQUIRED to be supported for new
applications; RSAES-PKCS1-v1_5 is included only for compatibility
with existing applications.
example "sMIMECapabilities":
SEQUENCE {
  OBJECT IDENTIFIER sMIMECapabilities (1 2 840 113549 1 9 15)
  SET {
    SEQUENCE {
      SEQUENCE {
        OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
        SEQUENCE {
          SEQUENCE {
            OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
          }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
            }
          }
          SEQUENCE {
            OBJECT IDENTIFIER sha-384 (2 16 840 1 101 3 4 2 2)
          }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-384 (2 16 840 1 101 3 4 2 2)
            }
          }
          SEQUENCE {
            OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
          }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
            }
          }
        }
      }
      SEQUENCE {
        OBJECT IDENTIFIER aes256-CBC (2 16 840 1 101 3 4 1 42)
      }
      SEQUENCE {
        OBJECT IDENTIFIER aes192-CBC (2 16 840 1 101 3 4 1 22)
      }
      SEQUENCE {
        OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
      }
    }
  }
}
I included a DER extension to the certificate created, bit-exact from rfc3560 (including NULL parameters).
Emails encrypted with RSA-OAEP key transport can be opened by, for example, Outlook 2013 (extended support ended on April 11, 2023) and eM Client.
Standards
rfc2437/rfc3447/rfc8017
X.509 certificates: rfc4055, rfc5756, rfc6664#section-2.3
cms: rfc3852/rfc5652
OAEP in cms: rfc3560
S/MIME Capabilities: rfc4262
other: rfc3218#section-2.3.3 , rfc8551#section-4.4
similar: bug#158747, bug#215997, bug#84213, bug#229724, bug#222179, bug#136289, bug#130633
Links:
https://cseweb.ucsd.edu/~mihir/papers/oaep.pdf
PKCS1-v1_5 Attacks:
https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf
https://www.usenix.org/system/files/sec23summer_217-ising-prepub.pdf
Another Key Transport Algorithm: RSA-KEM rfc5990
--
User-Agent:
Thunderbird 102.11.0 (64-bit), Windows 10
Reproducible: Always
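
Added example, not part of the original comments and not Thunderbird or NSS code: since the client only reports "unknown problems", this sketch reads the keyEncryptionAlgorithm of each KeyTransRecipientInfo in a CMS EnvelopedData to show whether a message uses PKCS #1 v1.5 or RSAES-OAEP key transport, and with which hash and MGF1 parameters. It assumes strict DER input (the base64-decoded .p7m part); the function names and the sample bytes are constructed for illustration.

```python
# Added example (not Thunderbird or NSS code); expects strict DER input.
NAMES = {bytes.fromhex(h): n for h, n in [
    ("2a864886f70d010101", "rsaEncryption (PKCS#1 v1.5)"),  # 1.2.840.113549.1.1.1
    ("2a864886f70d010107", "id-RSAES-OAEP"),                # 1.2.840.113549.1.1.7
    ("2a864886f70d010108", "pkcs1-MGF"),                    # 1.2.840.113549.1.1.8
    ("608648016503040201", "sha-256")]}                     # 2.16.840.1.101.3.4.2.1
# Constructed sample: one recipient, OAEP with sha-256 and MGF1 sha-256, dummy key.
SAMPLE = bytes.fromhex(
    "30818a06092a864886f70d010703a07d307b020100314a304802010030053000020101"
    "303806092a864886f70d010107302ba00d300b0609608648016503040201"
    "a11a301806092a864886f70d010108300b06096086480165030402010402bbbb"
    "302a06092a864886f70d010701301d06096086480165030401020410" + "00" * 16)

def children(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated or non-DER input")
        yield tag, pos, pos + length
        pos += length

def oid_names(buf, pos, end):
    """Names of all OIDs nested inside buf[pos:end], in encoding order."""
    found = []
    for tag, s, e in children(buf, pos, end):
        if tag == 0x06:
            found.append(NAMES.get(buf[s:e], buf[s:e].hex()))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            found += oid_names(buf, s, e)
    return found

def key_transport(der):
    """Return [(scheme, [parameter names])], one per KeyTransRecipientInfo."""
    (_, s, e), = children(der, 0, len(der))                # ContentInfo
    ctype, content = children(der, s, e)
    if der[ctype[1]:ctype[2]] != bytes.fromhex("2a864886f70d010703"):
        raise ValueError("not id-envelopedData")
    (_, s, e), = children(der, content[1], content[2])     # EnvelopedData
    rset = next(c for c in children(der, s, e) if c[0] == 0x31)  # recipientInfos
    result = []
    for tag, s, e in children(der, rset[1], rset[2]):
        if tag == 0x30:                                    # KeyTransRecipientInfo
            alg = list(children(der, s, e))[2]             # keyEncryptionAlgorithm
            names = oid_names(der, alg[1], alg[2])
            result.append((names[0], names[1:]))
    return result
```

An id-RSAES-OAEP entry with no parameter names means the RSAES-OAEP-params defaults (SHA-1 with MGF1 SHA-1) apply. Recipient types other than KeyTransRecipientInfo are skipped.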
Comment 2•2 years ago
Comment 3•2 years ago
Comment 4•1 year ago
Thanks for this bug report.
Thanks Leszek for these example files, I assume they will be very helpful.
Also, if you know, can you please say which other email clients already use RSA-OAEP with S/MIME?
Comment 5•1 year ago
This will require enhancements to the CMS encoding/decoding code in the NSS library.
We already have an old tracking bug, bug 215997.
Comment 6•1 year ago
I tested on Outlook 2013, it can decode, I did not find an option to enable encryption. eM Client can decode, certificates must have CRL/OCSP because you can't send encrypted email, so I don't know if it sends OAEP by default.
Comment 7•9 months ago
(In reply to Can Cömert from comment #0)
> Is RSAES_OAEP supported by Thunderbird?
Not yet, but it seems we might be close to supporting decryption.
Would you be able to help us test an experimental version?
Comment 8•9 months ago
Changing this bug to be about encryption, only.
Decryption will be done earlier, in bug 1893043.