Closed Bug 183782 Opened 23 years ago Closed 21 years ago

cert other than chosen used to sign outbound s/mime email

Categories

(MailNews Core :: Security: S/MIME, defect)

Other Branch
x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jbj1, Unassigned)

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126

I have several certificates, 3 stored in the software security device, and two in my Java iButton crypto device. I recently installed 1.2 to see if bugs were fixed letting me use the certs on the iButton. Eureka, the CKA_SERIAL_NUMBER bug is fixed. However, I noticed a bug I saw before but didn't file on.

Before I added the iButton pkcs11 module I had been using a cert in my software security device and all was well (except Outlook can't read some text/html signed messages but that's another story). I then added the iButton pkcs11 module. However, I now notice that even though that mail account is configured to use a cert in the software device it in fact uses one on my iButton!

I don't know what is used to look up the certs. It seems to be the CKA_LABEL since that's what seems to be stored in prefs.js (well, a concat of the device name, ':', and the CKA_LABEL). In this case it is hard to notice this problem (I looked for it because I noticed it before) because the certificate it uses does, in fact, have the right email address in the Subject DN. It just isn't the right cert.

Shouldn't internally the certificate chosen for a signing on a given mail account be stored as the issuer DN/serial number? I'm guessing the lookup somehow involves the email address in the subject DN.

Reproducible: Always

Steps to Reproduce:
1. Send email to be signed.
2. Go to account where email is sent and examine cert in signature.
3. Notice that it doesn't match the cert you intended to sign with.

Actual Results: Signed email comes signed with wrong cert.

Expected Results: Signed with the cert that matches the one chosen in the Mail/News preferences for that particular account.
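An added illustration of the reporter's suggestion (not code from the bug report, Mozilla or NSS): a model certificate store in which selecting the signing cert by email address changes once a second token is added, while issuer DN plus serial number stays unambiguous. The lookup-by-email behaviour, the token search order and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    token: str    # PKCS#11 token holding the cert
    label: str    # CKA_LABEL
    email: str    # address in the subject DN
    issuer: str   # issuer DN
    serial: int   # serial number assigned by that issuer

# Constructed sample certificates: same address, different issuers and tokens.
SOFT = Cert("Software Security Device", "Mail cert", "user@example.com", "CN=Example CA A", 0x1001)
IBUTTON = Cert("iButton", "Mail cert", "user@example.com", "CN=Example CA B", 0x2002)


def find_by_email(store, email):
    """Assumed fragile lookup: the first cert carrying the address wins,
    so the answer depends on the order in which tokens are searched."""
    return next((c for c in store if c.email == email), None)


def find_by_issuer_serial(store, issuer, serial):
    """Issuer DN plus serial number names at most one certificate."""
    matches = [c for c in store if (c.issuer, c.serial) == (issuer, serial)]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one cert, found {len(matches)}")
    return matches[0]


def ambiguous_emails(store):
    """Addresses that more than one distinct certificate could sign for."""
    seen = {}
    for c in store:
        seen.setdefault(c.email, set()).add((c.issuer, c.serial))
    return sorted(e for e, ids in seen.items() if len(ids) > 1)


def signed_with_configured(configured, signer):
    """Compare the cert found in a signature with the configured one."""
    return (configured.issuer, configured.serial) == (signer.issuer, signer.serial)


if __name__ == "__main__":
    before = [SOFT]            # only the software device is present
    after = [IBUTTON, SOFT]    # assumption: the new module is searched first
    print(find_by_email(before, "user@example.com").token)
    print(find_by_email(after, "user@example.com").token)
    print(find_by_issuer_serial(after, SOFT.issuer, SOFT.serial).token)
    print(ambiguous_emails(after))
```
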
I was messing with this again today and now it is using the correct certificate. I'm wondering if it was only happening during the time when I had just added the pkcs module. Also, today when I try to sign using a cert on the iButton it isn't finding that cert at all. The cert in question that it can't find was stored with the truncated serial number but when I was using mail yesterday it was able to find this cert. Very strange. I did archive my cert .dbs so if I get a chance I'll restore the old ones before I added the pkcs module and try again.
Which iButton are you using, and how is it connected to your PC? I am not too familiar with the iButton hardware, so I'm not quite sure what to get and install. The java powered cryptographic iButton looks nifty, but I am wondering what dll (pkcs module) I would have to load in order to access it.
I'm using the DS1957B, the latest Java iButton. The PC talks to it (in my case) through the DS1490F- 2-in-1 Fob which just plugs into a USB hub. There are a number of other (serial port, parallel port) options available. The pkcs11 module is supplied by Dallas Semiconductor. There should be links on their product page to where you go to download the software. So if you want to get set up just purchase the two things above and then you can download the software. I run Windows (mostly) but supposedly they have working code for Linux as well (which I also run but haven't even tried the iButton in). The Java iButton is indeed a cool thing. Especially since you can write your own applications to run inside the iButton. DS has a little development environment (itself written in Java) to help you do this. I've been thinking about writing a small applet (for whatever reason JavaCard applications are called applets) to do SSH authentication. Another thing on my list of cool things to work on if I had time.
This bug never came to the attention of NSS developers. A lot has changed in NSS since this bug was filed. Submitter, can you reproduce this with a recent version of mozilla?
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
(In reply to comment #4)
> This bug never came to the attention of NSS developers.
> A lot has changed in NSS since this bug was filed.
> Submitter, can you reproduce this with a recent version of mozilla?

I cannot reproduce with a recent version. I guess it must have been fixed along the way.
Thanks, Jens. I'm marking "WORKSFORME" based on your comment. The very first personal crypto token we ever got working with mozilla was an iButton, IIRC. We did have some problems at one time with a cert being both in the software token and in a hardware token (or being in any two tokens simultaneously), and we fixed (some of) those problems. I hope we fixed the one that was affecting you.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
Product: PSM → Core
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime