
Wrong message and reason reported with untrusted CA roots when signing email

RESOLVED FIXED in Thunderbird 22.0

Status

MailNews Core
Security
RESOLVED FIXED
9 years ago
4 years ago

People

(Reporter: Eddy Nigg (StartCom), Assigned: sakshi)

Tracking

({regression})

Trunk
Thunderbird 22.0
regression
Bug Flags:
wanted-thunderbird3 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [good first bug])

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

9 years ago
Signing messages with digital certificate fails since today. This is build Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081113 Shredder/3.0b1pre. Same settings worked previously. No clue how to debug.
Flags: blocking-thunderbird3.0b1?

Comment 1

9 years ago
Signing seems to work for me on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081119 Lightning/1.0pre Shredder/3.0b1pre

In what way does it "not work" for you?
Keywords: regression
(Reporter)

Comment 2

9 years ago
That was a weird case...I had the CA certificates on the smart card I used and they had trust only enabled for web sites. Not sure what's the reason for this default trust setting, however once I changed the trust settings to include email (as in the builtin root), it obviously worked again.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
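
The condition described in comment 2, as an added example that is not part of the original bug thread: a shell function that reads `certutil -L` output for an NSS database and lists CA entries whose SSL trust field carries `C` while the S/MIME (email) field does not. The nicknames and the listing are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug thread): find CA entries that are trusted
# for web sites but not for email, the state that made signing fail here.
# Input: the table printed by `certutil -L`, whose last column holds the
# trust flags as three comma-separated fields: SSL,S/MIME,JAR/XPI.

cas_missing_email_trust() {
    awk '
    # Only rows whose last token is a trust-flag triple; this skips the
    # two header lines and blank lines.
    $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        split($NF, t, ",")
        # t[1] = SSL field, t[2] = S/MIME field; C marks a trusted CA.
        if (t[1] ~ /C/ && t[2] !~ /C/) {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                # drop leading padding
            print nick
        }
    }'
}

# Constructed sample listing (nicknames are made up for illustration).
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Smart Card Root CA                                   C,,
Example Builtin-style Root CA                                CT,C,C
Example User Signing Cert                                    u,u,u
EOF
}

# Stand-alone run on the sample; prints: Example Smart Card Root CA
sample_listing | cas_missing_email_trust
```

Against a real database the input would come from `certutil -L -d <NSS database directory>`; which directory that is (for example a Thunderbird profile) is an assumption left to the reader.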

Updated

9 years ago
Flags: blocking-thunderbird3.0b1?
(Reporter)

Comment 3

9 years ago
The error message is highly misleading and should be corrected.
Severity: major → normal
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Certificate signing fails → Wrong message and reason reported with untrusted CA roots when signing email
(Reporter)

Comment 4

9 years ago
Created attachment 349157 [details]
Message received with untrusted root (email flag not set)

The message indicates that the settings of the certificate are incorrect, however the CA certificates have email trust bit set to off. The message should indicate that - it took me two days to figure what's going on.
Attachment #349157 - Flags: approval1.9.1?
Comment on attachment 349157 [details]
Message received with untrusted root (email flag not set)

approval1.9.1 is for getting patches into the tree, not necessary here.
Attachment #349157 - Flags: approval1.9.1?
I think I had this problem the other day.

We're getting a generic error message (ErrorCanNotSign from am-smime.properties) for a bunch of failure cases.

Could you set NSPR_LOG_MODULES to pipnss:5 (see https://wiki.mozilla.org/MailNews:Logging for how to do it), and post the relevant part of the log on the bug?

I'm expecting it'll be somewhere in nsCMSMessage::CreateSigned that it is failing, getting the log will confirm this and help us work out what we need to change.
Flags: wanted-thunderbird3+

Comment 7

8 years ago
Created attachment 354669 [details] [diff] [review]
fix text
Assignee: nobody → timeless
Status: REOPENED → ASSIGNED
Attachment #354669 - Flags: review?(bugzilla)

Comment 8

8 years ago
Comment on attachment 354669 [details] [diff] [review]
fix text

This should be caught by localizations, too, so it should get a change in the keys.

I'd suggest to use ErrorCanNotSignMail (and EncryptMail), which is a proper change carrying over the semantics of the change in the text.
Comment on attachment 354669 [details] [diff] [review]
fix text

L10n request that because of the context change we also change the name of the string, this is so that we'll force localisations to reconsider the change to the string for their language.
Attachment #354669 - Flags: review?(bugzilla) → review-

Updated

6 years ago
Assignee: timeless → nobody
Whiteboard: [good first bug]
Status: ASSIGNED → NEW
(Assignee)

Comment 10

4 years ago
Hello,

I would like to fix this bug.

Updated

4 years ago
Assignee: nobody → sakshi.april5
(Assignee)

Comment 11

4 years ago
Created attachment 723883 [details] [diff] [review]
New patch

Who should I set for review?

Comment 12

4 years ago
You'll need a mailnews/ reviewer - https://wiki.mozilla.org/Modules/All#MailNews
standard8, or IanN perhaps?
OS: Linux → All
Hardware: x86 → All

Comment 13

4 years ago
Comment on attachment 723883 [details] [diff] [review]
New patch

Review of attachment 723883 [details] [diff] [review]:
-----------------------------------------------------------------

You'll need to update the "callers" too.
Attachment #723883 - Flags: review-
(Assignee)

Comment 14

4 years ago
I guess those are placed in mailnews/extensions/smime/src/nsMsgComposeSecure.cpp ?

Comment 15

4 years ago
Yep - http://mxr.mozilla.org/comm-central/search?string=ErrorCanNotEncrypt
(Assignee)

Comment 16

4 years ago
Created attachment 723898 [details] [diff] [review]
patch with caller
Attachment #723883 - Attachment is obsolete: true
(Assignee)

Updated

4 years ago
Attachment #723898 - Flags: review?(mbanner)
(Assignee)

Comment 17

4 years ago
Any updates on the patch?
Comment on attachment 723898 [details] [diff] [review]
patch with caller

Sorry for the delay.

I'd really like to give this r+, but the new labels seem to be the wrong way around:

+ErrorCanNotSignMail=Unable to encrypt message. Please check that you have a valid email certificate for each recipient. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.
+ErrorEncryptMail=Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.
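
Review bot: on both added lines the value belongs to the other key: ErrorCanNotSignMail is given the "Unable to encrypt message" text and ErrorEncryptMail the "Unable to sign message" text, so if each key is used for the operation it names, a signing failure would tell the user to check recipient certificates. Swap the two values so each key name matches the operation its message describes.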

ErrorEncryptMail should be for "Unable to encrypt message..."
Attachment #723898 - Flags: review?(mbanner) → review-
(Assignee)

Comment 19

4 years ago
Created attachment 728755 [details] [diff] [review]
Patch2
Attachment #723898 - Attachment is obsolete: true
Attachment #728755 - Flags: review?(mbanner)
Comment on attachment 728755 [details] [diff] [review]
Patch2

That's better, thanks, r=Standard8.
Attachment #728755 - Flags: review?(mbanner) → review+
Keywords: checkin-needed
Component: Security → Security
Product: Thunderbird → MailNews Core
https://hg.mozilla.org/comm-central/rev/fd78e7d7cda7
Status: NEW → RESOLVED
Last Resolved: 9 years ago → 4 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 22.0