The default bug view has changed. See this FAQ.

mozilla can't read encrypted mail from Lotus Notes

RESOLVED FIXED in 3.8.1

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
14 years ago
14 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Wan-Teh Chang)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [3.7.5])

Attachments

(1 attachment, 1 obsolete attachment)

2.97 KB, patch
Julien Pierre
: review+
(not reading, please use seth@sspitzer.org instead)
: approval1.4+
Details | Diff | Splinter Review
A certain Netscape user regularly receives encrypted SMIME email from 
his coworkers who are users of Lotus Notes.  He can read these encrypted
emails with no problems using Communicator 4.7x on Windows or Linux.
But using newer Netscape and mozilla browsers, he cannot read these 
encrypted emails.  Mozilla reports: 
"There are unknown problems with this encrypted message."  (sigh.)

When he attempts to read them using NSS's cmsutil test program, it reports:  
"cmsutil: problem decoding: security library: improperly formatted
DER-encoded message."

He compared encrypted messages generated by several SMIME email programs
and found a crucial difference between the messages generated by Lotus
Notes and those generated by other programs.  The RecipientInfos SET 
in the Enveloped Data type is indefinite-length encoded by Notes and 
definite length encoded by others.  He altered one message from Notes,
changing the RecipientInfos SET to definite length encoding and then 
mozilla was able to read the message.  He sent me both the original and
altered copies for me to test with.  I will attach them to this bug.

RecipientInfos is permitted to be indefinite length encoded.  
The decoding failure in NSS's fault.  It is a regression in libSMIME 
as compared to the old libPKCS7.  

I have been debugging his unaltered message using cmsutil in NSS 3.8 
and have found several problems.  
The RecipientInfos SET contains a single RecipientInfo.  The decoder
decodes that correctly, using NSSCMSRecipientInfoTemplate, then 
returns to the parent state.  It sees that it is parsing a SET, so
it goes to parse the next NSSCMSRecipientInfoTemplate, and then 
discovers the EndOfContents bytes.  But by that time, it thinks it's
parsing the CHOICEs inside the NSSCMSRecipientInfoTemplate, and it 
concludes that it has found no item that matches any of those CHOICEs.
I conclude that the EndOfContents bytes are being found at the wrong 
point in the decoding, but I'm not sure yet how to do it better.

In the old PKCS7 library, the RecipientInfoTemplate was not a CHOICE.
Rather, it was very similar to the NSSCMSKeyTransRecipientInfoTemplate.
I suspect it is the new combination of a SET of a CHOICE that causes 
the problem.
(Reporter)

Comment 1

14 years ago
I asked the reporter to detemine which Netscape/mozilla clients can, and 
which cannot, read encrypted emails from Lotus notes.  Here is his answer:

> Netscape 4.79 Linux               success
> Netscape 7.0 Linux                fails
> Netscape 7.0 Windows              fails
> Mozilla 1.0.1 Linux               fails
> Mozilla 1.3 Linux                 fails
> NSS 3.4.1 Linux                   fails
> Outlook Express 6.0               success
> openssl 0.9.6 Linux               success
Summary: mozilla can't read encrypted mail from Lotus Notes → mozilla can't read encrypted mail from Lotus Notes
(Reporter)

Comment 2

14 years ago
This bug appears to now be fixed in NSS by revisions 1.20-1.22 of file
nss/lib/util/secasn1d.c.  
Don't know how soon the mozilla browser will pick this up though.

I'm tentatively marking this fixed.  
However, testing of the ASN.1 BER decoder continues.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

14 years ago
Created attachment 121959 [details] [diff] [review]
Patch for NSS_3_8_BRANCH
(Assignee)

Comment 4

14 years ago
Comment on attachment 121959 [details] [diff] [review]
Patch for NSS_3_8_BRANCH

Bob, could you review Nelson's fix for this bug?

This patch is the diffs between rev. 1.21 and rev. 1.23
adapted for the NSS_3_8_BRANCH.  (We can't apply the diffs
from the trunk to the NSS_3_8_BRANCH directly because
Nelson also made some white space changes on the trunk to
fix the coding style.)
Attachment #121959 - Flags: review?(relyea)

Comment 5

14 years ago
Comment on attachment 121959 [details] [diff] [review]
Patch for NSS_3_8_BRANCH

As much as I can understand give that the ASN1 decoder is black magic;).
Attachment #121959 - Flags: review?(relyea) → review+
(Reporter)

Comment 6

14 years ago
Created attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

This patch incorporates the changes from revisions 1.22-1.24 on the trunk.
Attachment #121959 - Attachment is obsolete: true
(Reporter)

Comment 7

14 years ago
Wan-Teh,  If you agree, I'll check this patch into the 3.8 branch.
Priority: -- → P1
Target Milestone: --- → 3.8.1
(Assignee)

Comment 8

14 years ago
Comment on attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

Nelson, you can check in this patch on the 3.8 branch.
The only change I would suggest is to use the old 2-space
indentation level in the "hunk" of your patch at
-2187,6 +2205,26.
(Reporter)

Comment 9

14 years ago
Comment on attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

Requesting review.  I hope to get this in mozilla 1.4b
Attachment #122538 - Flags: review?(jpierre)

Updated

14 years ago
Attachment #122538 - Flags: review?(jpierre) → review+
(Reporter)

Comment 10

14 years ago
Comment on attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

Requesting approval for Moz 1.4b.  Note, SR not needed for NSS code.
Attachment #122538 - Flags: approval1.4?
Comment on attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

a=sspitzer

so you are just going to back port this fix from the nss trunk to the nss 3.8
branch?
Attachment #122538 - Flags: approval1.4? → approval1.4+
(Reporter)

Comment 12

14 years ago
Re comment 11, yes, that's exactly what patch attachment 122538 [details] [diff] [review] is, 
a back port from the trunk to the branch.
(Reporter)

Comment 13

14 years ago
Moved NSS_CLIENT_TAG for nss/lib/util/secasn1d.c from rev 1.19 to rev 1.19.26.1
for Mozilla 1.4
(Assignee)

Comment 14

14 years ago
Comment on attachment 122538 [details] [diff] [review]
Updated patch to NSS 3.8 branch

Nelson, could you check in this patch on the NSS_3_7_BRANCH?
(Reporter)

Comment 15

14 years ago
Done.  Patch applied to 3.7 branch.
(Assignee)

Updated

14 years ago
Whiteboard: [3.7.5]
You need to log in before you can comment on or make changes to this bug.