Open Bug 1826086 Opened 2 years ago Updated 9 months ago

Thunderbird's S/MIME implementation should support RSAES-OAEP encryption

Categories

(MailNews Core :: Security: S/MIME, defect)

Thunderbird 102
defect

Tracking

(Not tracked)

People

(Reporter: cancomert, Unassigned, NeedInfo)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0

Steps to reproduce:

I have configured the Thunderbird to use a SMIME Private Key for decryption of Messages.
Message decryption is working fine if the sender generates Emails with a very old algorithm such as RC2_CBC. Then I can see the content of the Email and Attachments in the Thunderbird. I can also see the Certificate used for the Signature.

However, for a regulated Market Communication we must use RSAES_OAEP encryption and RsassaPss signature algorithms. For those messages I can only see:

Message Can Not Be Decrypted:
This messages was encrypted before it was sent to you, but it can not be decrypted. There are unknown problems with this encrypted message.

I tried to enable Debug/Verbose level logs for the CMS Module but I could not see any errors.

Is RSAES_OAEP supported by Thunderbird?
How can I get the Technical Error logs for the Problem above?

Actual results:

Same Thunderbird instance that can decrypt the other messages with an old Algorithm can not decrypt messages with RSAES_OAEP encryption.

Expected results:

Message content for Emails with RSAES_OAEP encryption can be seen in Thunderbird.

Component: Security → Security: S/MIME
Product: Thunderbird → MailNews Core

"RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP)"

S/MIME support RSA-OAEP PKCS#1 v2.2 key transport

Instead of creating a new ticket, I'm joining this one. I maked a script that creates RSA-OAEP encrypted emails, maybe it will be useful for testing this feature.

Steps to Reproduce:

  1. make a self-signed cert (root+user bug#1523130#c8), import .p12 file
    1a. "Manage S/MIME Certificates" → "Your Certificates" tab → "Import..."
    1b. "Authorities" tab → "Edit Trust..."
  2. create simple e-mail messages (headers, etc. low level stuff), see: bug#1011625#c20
    2a. create a "palette" of algorithms that we will test: oaep_md:sha1→sha512, mgf1_md:sha1→sha512
    2b. glue parts from openssl .p7m with email headers to .eml files
  3. create folder "tests" in "Local Folders", see: bug#1806122, bug#1688163
  4. open envelopedData/RSA_aes128_CBC.eml
    4a. "Copy To" → "Local Folders" → "tests"
  5. open envelopedData/RSA_OAEPsha256_aes128_CBC.eml
    5a. "Copy To" → "Local Folders" → "tests"
  6. open first email (from "Local Folders") RSA_aes128_CBC.eml → [decryption OK]
  7. open second email RSA_OAEPsha256_aes128_CBC.eml → [decryption failed, not OK]
    7a. "Message Cannot Be Decrypted"... "There are unknown problems..."

Actual results:
Th. can't decipher RSA-OAEP emails

Expected Results:
Th. can decrypt and encrypt RSA-OAEP emails. 2 possibilities (for encrypt):

  1. Th. recognizes "sMIMECapabilities" extension and the RSA-OAEP fields contained therein and can encrypt emails using "RSA-OAEP" to a recipient sending such an extension with signed SMIME message.
    1a. Th. sends an "sMIMECapabilities" extension containing "RSA-OAEP" fields with each signed SMIME message.
  2. When recipient has an RSA certificate, Th. defaults the key transport encryption to RSA-OAEP. The default setting can be turned off in the "Config Editor" (PKCS #1 Version 1.5 key transport -- LEGACY).
    2a. Th. sends an "sMIMECapabilities" extension containing "RSA-OAEP" fields with each signed SMIME message.

rfc8017#section-7 :

   Two encryption schemes are specified in this document: RSAES-OAEP and
   RSAES-PKCS1-v1_5.  RSAES-OAEP is REQUIRED to be supported for new
   applications; RSAES-PKCS1-v1_5 is included only for compatibility
   with existing applications.

example "sMIMECapabilities":

SEQUENCE {
  OBJECT IDENTIFIER sMIMECapabilities (1 2 840 113549 1 9 15)
  SET {
    SEQUENCE {
      SEQUENCE {
        OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
        SEQUENCE {
          SEQUENCE {
            OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
            }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
              }
            }
          SEQUENCE {
            OBJECT IDENTIFIER sha-384 (2 16 840 1 101 3 4 2 2)
            }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-384 (2 16 840 1 101 3 4 2 2)
              }
            }
          SEQUENCE {
            OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
            }
          SEQUENCE {
            OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
            SEQUENCE {
              OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
              }
            }
          }
        }
      SEQUENCE {
        OBJECT IDENTIFIER aes256-CBC (2 16 840 1 101 3 4 1 42)
        }
      SEQUENCE {
        OBJECT IDENTIFIER aes192-CBC (2 16 840 1 101 3 4 1 22)
        }
      SEQUENCE {
        OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
        }
      }
    }
  }

I included a DER extension to the certificate created, bit-exact from rfc3560 (including NULL parameters).

Emails encrypted with RSA-OAEP key transport can open, for example, Outlook2013 (extended support ended on April 11, 2023), eM Client.

Standards

rfc2437/rfc3447/rfc8017
X.509 certificates: rfc4055, rfc5756, rfc6664#section-2.3
cms: rfc3852/rfc5652
OAEP in cms: rfc3560
S/MIME Capabilities: rfc4262
other: rfc3218#section-2.3.3 , rfc8551#section-4.4

similar: bug#158747, bug#215997, bug#84213, bug#229724, bug#222179, bug#136289, bug#130633

Links:
https://cseweb.ucsd.edu/~mihir/papers/oaep.pdf
PKCS1-v1_5 Attacks:
https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf
https://www.usenix.org/system/files/sec23summer_217-ising-prepub.pdf

Another Key Transport Algorithm: RSA-KEM rfc5990

--

User-Agent:
Thunderbird 102.11.0 (64-bit), Windows 10

Reproducible: Always

Attached image chris_oaep.jpg

Thanks for this bug report.

Thanks Leszek for these example files, I assume they will be very helpful.

Also, if you know, can you please say which other email clients already use RSA-OAEP with S/MIME?

Status: UNCONFIRMED → NEW
Ever confirmed: true

This will require enhancements to the CMS encoding/decoding code in the NSS library.
We already have an old tracking bug, bug 215997.

Depends on: 215997
Summary: SMIME Decryption with RSAES OAEP not working → Thunderbird's S/MIME implementation should support RSAES-OAEP encryption and decryption
Blocks: smime-2023

I tested on Outlook 2013, it can decode, I did not find an option to enable encryption. eM Client can decode, certificates must have CRL/OCSP because you can't send encrypted email, so I don't know if it sends OAEP by default.

(In reply to Can Cömert from comment #0)

Is RSAES_OAEP supported by Thunderbird?

Not yet, but it seems we might be close to supporting decryption.
Would you be able to help us testing an experimental version?

Flags: needinfo?(cancomert)
Depends on: 1892671
See Also: → 1893043

Changing this bug to be about encryption, only.

Decryption will be done earlier, in bug 1893043.

Summary: Thunderbird's S/MIME implementation should support RSAES-OAEP encryption and decryption → Thunderbird's S/MIME implementation should support RSAES-OAEP encryption
No longer depends on: 215997
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: