Closed Bug 209168 Opened 21 years ago Closed 21 years ago

Mozilla Mail S/Mime instructs NSS to import the wrong certs

Categories

(MailNews Core :: Security: S/MIME, defect)

Other Branch
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Keywords: fixed1.4, regression, Whiteboard: [adt2])

Attachments

(1 file)

cc'ing many people, mostly FYI.
When Mozilla Mail processes an S/Mime message, it tries to import the certs contained in the message. It does so by calling NSS_CMSSignedData_ImportCerts(.., .., certUsageEmailSigner, ..);
This seems to be wrong. It should instead import type certUsageEmailRecipient. In the past, before bug 193367 was fixed, this mistake didn't matter, because NSS_CMSSignedData_ImportCerts imported any contained cert.
The consequence of this bug is: Mozilla versions that use an NSS version containing the fix from bug 193367 might not import the required certificate to reply using encrypted mail, if dual-key certificates are used.
See also bug 209166, a related issue that requests a more relaxed handling of importing S/Mime certificates.
Keywords: regression
Attached patch: Patch v1
Suggested fix
Keywords: nsbeta1
fixing summary
Flags: blocking1.4?
Summary: Mozilla Mail S/Mime instructs NSS to import correct certs → Mozilla Mail S/Mime instructs NSS to import the wrong certs
Proposing this bug as a 1.4 blocker, because I believe this bug breaks S/Mime functionality when using dual key certificates.
Blocks: 74157
After having tested, I can confirm:
- Mozilla is currently broken
- this patch fixes the problem
Testing scenario:
- set up a new Mozilla profile, let's call it RECIPIENT, with an empty certificate database, where you can receive mail
- using another profile, let's call it SENDER, send a signed message using a dual key certificate (like the ones that are issued at testca.netscape.com).
[all actions below are to be done in the RECIPIENT PROFILE]
- use the RECIPIENT profile to receive the message
[checkpoint]
- read the received message, you should see a valid signature icon.
- open certificate manager other people's tab. It's empty
- click reply, and in the new compose message window, click the security icon. You'll see the recipient's name listed and the certificate status will be "not found".
The above behaviour is incorrect. With the patch applied the tested behaviour after [checkpoint] is instead:
- read the received message, you see the valid signature icon
- open cert manager tab, you'll see the mail message sender's encryption cert
- click reply in the received email message, click security icon. You'll see the certificate status is "valid".
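
A simplified model of the failure described in the report and reproduced in the test scenario above, added here as an illustration; it is not NSS or Mozilla code. The types, function names, key-usage bits and the mapping from usage to required key-usage bit are assumptions of the model, and the certificates are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Model only: hypothetical names and bits, not the NSS definitions. */
enum { KU_SIGN = 1, KU_ENCRYPT = 2 };
typedef enum { USAGE_EMAIL_SIGNER, USAGE_EMAIL_RECIPIENT } usage_t;
typedef struct { const char *email; unsigned key_usage; } cert_t;
typedef struct { cert_t certs[8]; int count; } certdb_t;

/* Assumed mapping: signer needs a signing key, recipient an encryption key. */
static unsigned required_bits(usage_t u) {
    return u == USAGE_EMAIL_SIGNER ? KU_SIGN : KU_ENCRYPT;
}
/* Usage-filtered import: keep only message certs valid for `usage`. */
int import_certs(certdb_t *db, const cert_t *msg, int n, usage_t usage) {
    int imported = 0;
    for (int i = 0; i < n && db->count < 8; i++)
        if (msg[i].key_usage & required_bits(usage)) {
            db->certs[db->count++] = msg[i];
            imported++;
        }
    return imported;
}
/* What the compose window needs in order to encrypt a reply. */
const cert_t *find_encryption_cert(const certdb_t *db, const char *email) {
    for (int i = 0; i < db->count; i++)
        if (strcmp(db->certs[i].email, email) == 0 &&
            (db->certs[i].key_usage & KU_ENCRYPT))
            return &db->certs[i];
    return NULL;
}
/* 1 if a reply to `email` can be encrypted after importing with `usage`. */
int can_reply_encrypted(const cert_t *msg, int n, const char *email, usage_t usage) {
    certdb_t db = { .count = 0 };
    import_certs(&db, msg, n, usage);
    return find_encryption_cert(&db, email) != NULL;
}
/* Constructed samples: a dual-key sender and a single-key sender. */
const cert_t DUAL[] = { { "sender@example.test", KU_SIGN },
                        { "sender@example.test", KU_ENCRYPT } };
const cert_t SINGLE[] = { { "other@example.test", KU_SIGN | KU_ENCRYPT } };

int main(void) {
    const char *s = "sender@example.test", *o = "other@example.test";
    printf("dual, signer usage:    %d\n", can_reply_encrypted(DUAL, 2, s, USAGE_EMAIL_SIGNER));
    printf("dual, recipient usage: %d\n", can_reply_encrypted(DUAL, 2, s, USAGE_EMAIL_RECIPIENT));
    printf("single, signer usage:  %d\n", can_reply_encrypted(SINGLE, 1, o, USAGE_EMAIL_SIGNER));
    return 0;
}
```

In this model the single-key certificate passes either filter, so the wrong usage only shows up as "not found" when the sender uses dual-key certificates.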
Attachment #125502 - Flags: review?(ddrinan)
cc'ing Terry FYI
Comment on attachment 125502: Patch v1
Looks good r=relyea
Comment on attachment 125502: Patch v1
Thanks for the review, marking the patch as r=relyea.
Attachment #125502 - Flags: superreview?(kin)
Attachment #125502 - Flags: review?(ddrinan)
Attachment #125502 - Flags: review+
Attachment #125502 - Flags: superreview?(kin) → superreview+
Comment on attachment 125502: Patch v1
requesting branch approval for this regression fix
Attachment #125502 - Flags: approval1.4?
a=adt to land on the branch. Please add fixed1.4 keyword. nsbeta1+/adt2
Keywords: nsbeta1 → nsbeta1+
Whiteboard: [adt2]
/me waits for driver's approval before landing
fixed on trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
*** Bug 203235 has been marked as a duplicate of this bug. ***
Comment on attachment 125502: Patch v1
Can't hurt. /be
Attachment #125502 - Flags: approval1.4? → approval1.4+
fixed on 1.4 branch after rc2, thanks a lot for approving.
Flags: blocking1.4?
Keywords: fixed1.4
Verified that expected results outlined in comment #5 occur in 1.4 branch 20030624
"With the patch applied the tested behaviour after [checkpoint] is instead:
- read the received message, you see the valid signature icon
- open cert manager tab, you'll see the mail message sender's encryption cert
- click reply in the received email message, click security icon. You'll see the certificate status is "valid"."
Status: RESOLVED → VERIFIED
Product: PSM → Core
Product: Core → MailNews Core
QA Contact: bmartin → s.mime