Open Bug 1851666 Opened 2 years ago Updated 2 years ago

Certificate from hardware crypto device cannot be selected as Personal certificate for encryption

Categories

(Thunderbird :: Account Manager, defect)

Thunderbird 115
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mmokrejs, Unassigned)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

Hi,
under every account one can configure End-To-End encryption. There is a section S/MIME. One certificate is for email signing and the second is for email encryption. It turns out that it works properly only for certificates imported from .p12 files into Thunderbird's internal storage. Such certificates have "NSS" at the beginning of their name.

I tested two eIDAS-compliant devices (Gemalto/Thales Safenet 5110CC and a PC/SC ID card) and selected their respective PKCS#11 libraries in the "S/MIME Security Devices" window. One can unlock them using a PIN, to be entered twice, I don't know why.

Actual results:

The problem is that if you click "Select" to pick a certificate for "digital signing", it asks you TWICE for the PIN, unlocks the USB dongle, and shows the certificate stored on the device. You select it from the scroll-down listing.

Then Thunderbird realizes the "Personal certificate for encryption" field on the next line is empty, and offers to fill it in for you. And that is a problem.

First of all, it should just copy the path to the certificate into the "variable"; I do not see the point of providing the PIN twice to unlock the device just to pick the very same certificate again.

But not even that happens. Instead, Thunderbird shows in the scroll-down listing only certificates stored in Thunderbird's internal crypto storage; they start with "NSS " as I wrote above. Basically, you cannot get the second form field populated with the certificate stored on a crypto device.

I even tried to keep the "Personal certificate for digital signing" empty and went to select the certificate for "Personal certificate for encryption" first. Well, you only get offered the "NSS " certificate, after providing the PIN ONCE to unlock the device.

I tried my binaries for 102.12 and 102.15, then official binaries 115.2.0, 102.9.0, 102.0.1. Will try older if my profile allows such a downgrade. The behavior is the same.

It also does not work with 91.13.1 or 91.0.1. It makes no sense to try even older ones, IMO.

The issuer, Czech Post Office, used to keep the email signing and encryption bits enabled in the certificates issued on qualified devices due to a bug in some Microsoft products. After that was fixed by Microsoft they dropped those fallback bits, so these certificates cannot be used anymore for email signing, encryption or authentication. Only for (PDF and other) signing.

Please improve the checks of the certificates and check the properties of the certificates.

It s**ks; basically I am forced to pay for yet another certificate and keep it on a local disk filesystem or a generic USB device, etc.

If you send me the right openssl commands I can apply them over the public cert or even the cert requests to show the relevant contents. You can fish some published certificates via https://www.postsignum.cz/certifikaty_uzivatelu.html where you can query by ID or by email address.
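The kind of property check the report asks for, as an added example that is not part of the bug report and not Thunderbird's or NSS's own code: two constructed self-signed test certificates are generated with openssl, and a small shell function reads their Key Usage and Extended Key Usage extensions to decide whether a certificate carries the bits S/MIME needs, digitalSignature for signing and keyEncipherment for encryption, plus the emailProtection extended key usage. Both certificate profiles are made up for illustration; the "signing only" one stands in for the profile described above and is not a claim about what Postsignum actually issues. The example assumes an openssl binary on PATH and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Thunderbird.
# Builds two constructed self-signed certificates with openssl and reports
# whether each carries the keyUsage/extendedKeyUsage values needed for
# S/MIME signing and encryption. Assumes an openssl binary on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE [EKU]
# Writes a one-day self-signed certificate with the given extensions and
# prints the path of the PEM file. Key pair and profile are test-only.
make_cert() {
  prefix="$WORK/$1"
  eku_line=""
  if [ -n "$3" ]; then
    eku_line="extendedKeyUsage = $3"
  fi
  cat > "$prefix.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
emailAddress = $1@example.invalid
[v3]
keyUsage = critical, $2
$eku_line
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$prefix.cnf" \
    -keyout "$prefix.key" -out "$prefix.pem" >/dev/null 2>&1
  echo "$prefix.pem"
}

# smime_capabilities CERT.pem
# Prints "sign=... enc=... email=..." read from the Key Usage and Extended
# Key Usage extensions. "absent" means the extension is not present at all,
# which RFC 5280 treats as unrestricted; a client may still apply its own
# policy on top of that.
smime_capabilities() {
  text=$(openssl x509 -in "$1" -noout -text)
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; print; exit}')
  eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; print; exit}')
  sign=absent; enc=absent; email=absent
  if [ -n "$ku" ]; then
    sign=no; enc=no
    case "$ku" in *"Digital Signature"*) sign=yes ;; esac
    case "$ku" in *"Key Encipherment"*) enc=yes ;; esac
  fi
  if [ -n "$eku" ]; then
    email=no
    case "$eku" in *"E-mail Protection"*) email=yes ;; esac
  fi
  printf 'sign=%s enc=%s email=%s\n' "$sign" "$enc" "$email"
}

# Constructed profiles: one usable for S/MIME, one that only carries
# nonRepudiation (content commitment) and so matches the "signing only"
# situation described in the report. Neither is a real issuer's profile.
SMIME_CERT=$(make_cert smime 'digitalSignature, keyEncipherment' emailProtection)
SIGNONLY_CERT=$(make_cert signonly 'nonRepudiation')

printf 'smime:    %s\n' "$(smime_capabilities "$SMIME_CERT")"
printf 'signonly: %s\n' "$(smime_capabilities "$SIGNONLY_CERT")"
```

To run the same check against a real certificate, pass its PEM file to `smime_capabilities`; a certificate exported from a PKCS#11 token first needs to be pulled out in PEM form (for example with the token vendor's tool or `pkcs11-tool`), since openssl's `x509` subcommand reads files, not tokens.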
