Closed Bug 465351 Opened 16 years ago Closed 11 years ago

Wrong message and reason reported with untrusted CA roots when signing email

Categories

(MailNews Core :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 22.0

People

(Reporter: eddy_nigg, Assigned: sakshi.april5)

Details

(Keywords: regression, Whiteboard: [good first bug])

Attachments

(3 files, 2 obsolete files)

Signing messages with digital certificate fails since today. This is build Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081113 Shredder/3.0b1pre. Same settings worked previously. No clue how to debug.
Flags: blocking-thunderbird3.0b1?
Signing seems to work for me on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081119 Lightning/1.0pre Shredder/3.0b1pre

In what way does it "not work" for you?
Keywords: regression
That was a weird case...I had the CA certificates on the smart card I used and they had trust only enabled for web sites. Not sure what's the reason for this default trust setting, however once I changed the trust settings to include email (as in the builtin root), it obviously worked again.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Flags: blocking-thunderbird3.0b1?
The error message is highly misleading and should be corrected.
Severity: major → normal
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Certificate signing fails → Wrong message and reason reported with untrusted CA roots when signing email
The message indicates that the settings of the certificate are incorrect, however the CA certificates have email trust bit set to off. The message should indicate that - it took me two days to figure what's going on.
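An added illustration, not part of the original bug thread: the condition described above (a CA trusted for web sites but with the email trust bit off) can be spotted in the NSS certificate listing. This Python example parses constructed sample output in the format printed by `certutil -L`; the nicknames and the function names `parse_trust` and `web_only_roots` are hypothetical.

```python
import re

# Constructed sample in the format of `certutil -L -d <profile>` (not from the bug).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Smart Card Root CA                                   C,,
Example Builtin-Style Root CA                                CT,C,C
Example Intermediate CA                                      c,c,
Alice Example (signing cert)                                 u,u,u
"""

# A nickname, at least two spaces, then three comma-separated flag fields
# (SSL, S/MIME, object signing). Header lines do not match this shape.
ROW = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<ssl>[A-Za-z]*),(?P<email>[A-Za-z]*),(?P<obj>[A-Za-z]*)\s*$"
)


def parse_trust(listing):
    """Return {nickname: (ssl_flags, email_flags, objsign_flags)}."""
    certs = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            certs[m["nick"]] = (m["ssl"], m["email"], m["obj"])
    return certs


def web_only_roots(listing):
    """Nicknames of CAs flagged trusted ('C') for SSL but not for S/MIME."""
    return sorted(
        nick
        for nick, (ssl, email, _obj) in parse_trust(listing).items()
        if "C" in ssl and "C" not in email
    )


if __name__ == "__main__":
    for nick in web_only_roots(SAMPLE_LISTING):
        print(f"{nick}: trusted CA for web sites, email trust bit not set")
```
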
Attachment #349157 - Flags: approval1.9.1?
Comment on attachment 349157 [details]
Message received with untrusted root (email flag not set)

approval1.9.1 is for getting patches into the tree, not necessary here.
Attachment #349157 - Flags: approval1.9.1?
I think I had this problem the other day.

We're getting a generic error message (ErrorCanNotSign from am-smime.properties) for a bunch of failure cases.

Could you set NSPR_LOG_MODULES to pipnss:5 (see https://wiki.mozilla.org/MailNews:Logging for how to do it), and post the relevant part of the log on the bug?

I'm expecting it'll be somewhere in nsCMSMessage::CreateSigned that it is failing, getting the log will confirm this and help us work out what we need to change.
Flags: wanted-thunderbird3+
Attached patch fix text
Assignee: nobody → timeless
Status: REOPENED → ASSIGNED
Attachment #354669 - Flags: review?(bugzilla)
Comment on attachment 354669 [details] [diff] [review]
fix text

This should be caught by localizations, too, so it should get a change in the keys.

I'd suggest to use ErrorCanNotSignMail (and EncryptMail), which is a proper change carrying over the semantics of the change in the text.
Comment on attachment 354669 [details] [diff] [review]
fix text

L10n request that because of the context change we also change the name of the string, this is so that we'll force localisations to reconsider the change to the string for their language.
Attachment #354669 - Flags: review?(bugzilla) → review-
Assignee: timeless → nobody
Whiteboard: [good first bug]
Status: ASSIGNED → NEW
Hello,

I would like to fix this bug.
Assignee: nobody → sakshi.april5
Attached patch New patch (obsolete)
Who should I set for review?
You'll need a mailnews/ reviewer - https://wiki.mozilla.org/Modules/All#MailNews
standard8, or IanN perhaps?
OS: Linux → All
Hardware: x86 → All
Comment on attachment 723883 [details] [diff] [review]
New patch

Review of attachment 723883 [details] [diff] [review]:
-----------------------------------------------------------------

You'll need to update the "callers" too.
Attachment #723883 - Flags: review-
I guess those are placed in mailnews/extensions/smime/src/nsMsgComposeSecure.cpp ?
Attached patch patch with caller (obsolete)
Attachment #723883 - Attachment is obsolete: true
Attachment #723898 - Flags: review?(mbanner)
Any updates on the patch?
Comment on attachment 723898 [details] [diff] [review]
patch with caller

Sorry for the delay.

I'd really like to give this r+, but the new labels seem to be the wrong way around:

+ErrorCanNotSignMail=Unable to encrypt message. Please check that you have a valid email certificate for each recipient. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.
+ErrorEncryptMail=Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

ErrorEncryptMail should be for "Unable to encrypt message..."
Attachment #723898 - Flags: review?(mbanner) → review-
Attached patch Patch2
Attachment #723898 - Attachment is obsolete: true
Attachment #728755 - Flags: review?(mbanner)
Comment on attachment 728755 [details] [diff] [review]
Patch2

That's better, thanks, r=Standard8.
Attachment #728755 - Flags: review?(mbanner) → review+
Product: Thunderbird → MailNews Core
https://hg.mozilla.org/comm-central/rev/fd78e7d7cda7
Status: NEW → RESOLVED
Closed: 16 years ago → 11 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 22.0