The default bug view has changed. See this FAQ.

Support certificates with multiple listed email addresses

VERIFIED FIXED in Future

Status

MailNews Core
Security: S/MIME
P3
enhancement
VERIFIED FIXED
17 years ago
8 years ago

People

(Reporter: bill, Assigned: kaie)

Tracking

(Blocks: 2 bugs)

1.0 Branch
Future
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

7.62 KB, patch
kaie
: review+
Alec Flett
: superreview+
Details | Diff | Splinter Review
(Reporter)

Description

17 years ago
Got an email cert from Thawte Freemail.  it was bound to "some_user@isp.net".

Then, went back to Thawte and got another cert, but bound this one to
"my_other_username@company.com".

Thawte's freemail system lets you have multiple email addresses in one cert,
which it did for this certificate.  The problem was that when I tried to set my
"from" address to be "my_other_username@company.com", my recipients got "invalid
signature" because the "from" and signer didn't match.

I suspect that PSM is only parsing the certificate and looking at the first
email address in the cert, rather than also checking the other email addresses.

I found this error in Communicator 4.74 on Solaris (no PSM), Mac Netscape 6
(build 00082504)+ PSM and Communicator 4.74/Solaris + PSM.

Comment 1

17 years ago
Changing QA contact to nitinp
QA Contact: junruh → nitinp

Updated

17 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

17 years ago
Mass reassigning nitinp's bugs to me.
QA Contact: nitinp → junruh

Comment 3

17 years ago
Moving this to bugsplat 527088 since Netscape 6 doesn't support S/MIME.
https://scopus.mcom.com/bugsplat/show_bug.cgi?id=527088
Severity: normal → enhancement
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → INVALID
Version: 1.2 → 1.4

Comment 4

17 years ago
Reopening per javi's request.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Updated

16 years ago
Target Milestone: --- → Future

Comment 5

16 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 6

16 years ago
Changing OS to all, QA > junruh.
OS: Solaris → All
QA Contact: ckritzer → junruh
Hardware: Sun → All
Version: 1.4 → 2.1

Comment 7

15 years ago
This bug is relevant today.
Assignee: ddrinan → kaie
Status: REOPENED → NEW
Component: Client Library → S/MIME
Target Milestone: Future → 2.2

Comment 8

15 years ago
Qa > alam
QA Contact: junruh → alam
(Assignee)

Comment 9

15 years ago
This bug is a request for enhancement.
Indeed, Communicator and Mozilla only look at the first mentioned email address
in a certificate.
I agree it would be nice to allow one cert to be used for all addresses.
(Assignee)

Comment 10

15 years ago
Changing subject.
Summary: AltSubjectName not parsing correctly; invalid signature → [RFE] Support certificates with multiple listed email addresses

Comment 11

15 years ago
S/MIME bugs are automatically nsbeta1 candidates. (this is a bulk update - there
may be some adjustment of the list).
Keywords: nsbeta1

Updated

15 years ago
Keywords: nsbeta1+

Comment 12

15 years ago
removing nsbeta1, as this bug has been plussed.
Keywords: nsbeta1

Updated

15 years ago
Keywords: nsbeta1+ → nsbeta1-

Updated

15 years ago
QA Contact: alam → carosendahl

Updated

15 years ago
Blocks: 74157

Comment 13

15 years ago
*** Bug 138380 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

15 years ago
Target Milestone: 2.2 → Future

Comment 14

15 years ago
I experience similar probs when my certificate has multiple CN (common name)
fields in it.
(Assignee)

Updated

15 years ago
Blocks: 152986

Updated

15 years ago
No longer blocks: 152986
Depends on: 152986

Comment 15

15 years ago
*** Bug 151533 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

15 years ago
Keywords: nsbeta1
(Assignee)

Updated

15 years ago
Keywords: nsbeta1-

Comment 16

15 years ago
*** Bug 176451 has been marked as a duplicate of this bug. ***

Comment 17

15 years ago
*** Bug 179499 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 18

14 years ago
cc'ing ddrinan FYI
(Assignee)

Comment 19

14 years ago
Created attachment 113136 [details] [diff] [review]
Patch v1

This patch makes it work.

It contains changes to the signature verification code, and will be happy if
sender/from address matches against any address contained in the signature
certificate.

No changes are required to make sending encrypted messages work.
This works already, since Mozilla recently started to use a new version of NSS,
that supports multiple email addresses in certificates.
If the recipient certificate is stored in the database, the S/Mime code will do
a lookup with the email address as the query parameter, and NSS will find the
cert, even if the address is a secondy address in a certificate.
(Assignee)

Comment 20

14 years ago
Comment on attachment 113136 [details] [diff] [review]
Patch v1

Javi, can you please review?
Attachment #113136 - Flags: review?(javi)

Comment 21

14 years ago
Comment on attachment 113136 [details] [diff] [review]
Patch v1

is the nsIX509Cert interface not frozen for embedding purposes?

If not, r=javi

nit:
+// XXX kaie: this is bad. We return a non localizable hardcoded string.

Why not replace "(no nickname)" with something from a properties string.
Attachment #113136 - Flags: review?(javi) → review+
(Assignee)

Comment 22

14 years ago
> is the nsIX509Cert interface not frozen for embedding purposes?

Not yet, see bug 168452.


> Why not replace "(no nickname)" with something from a properties string.

I'll file a separate bug requesting to do that.

Comment 23

14 years ago
you might be interested in bug 173601 then - a way to get a list of strings..

until that is implemented, I think a more appropriate mechanism would be to use
IDL arrays:

void getEmailAddresses(out unsigned long length, [retval, array,
size_is(length)] out string addresses);

which should give you the signature:

NS_IMETHOD GetEmailAddresses(PRUint32 *aLength, char*** aAddresses);

(Assignee)

Comment 24

14 years ago
> void getEmailAddresses(out unsigned long length, [retval, array,
> size_is(length)] out string addresses);

will that work with wstring, too?
Note that we are dealing with Unicode strings here.

Comment 25

14 years ago
yep! The only trick is it doesn't work with AString/ACString... but that
shouldn't be a huge deal...
(Assignee)

Comment 26

14 years ago
Created attachment 113164 [details] [diff] [review]
Patch v3

Updated patch, use "out array wstring" as Alec suggested.
Attachment #113136 - Attachment is obsolete: true
(Assignee)

Comment 27

14 years ago
Comment on attachment 113164 [details] [diff] [review]
Patch v3

Carrying forward r=javi.

Alec, can you please review?
Attachment #113164 - Flags: superreview?(alecf)
Attachment #113164 - Flags: review+

Comment 28

14 years ago
Comment on attachment 113164 [details] [diff] [review]
Patch v3

what is the urgency here? Could we wait for bug 173601, to avoid double-looping
through the list?
(kai and I talked about this over IRC, but didn't finish the discussion)

Another option is to just add a new method in YOUR library,
CERT_GetEmailAddressCount() which tells you how many e-mail addresses there
are. Is there anyting to stop you from adding that new API?
(Assignee)

Comment 29

14 years ago
> what is the urgency here? Could we wait for bug 173601, to avoid
> double-looping through the list?

This is a very helpful feature, people are waiting for it, the earlier we get it
in, the more testing we get.


> Another option is to just add a new method in YOUR library,
> CERT_GetEmailAddressCount() which tells you how many e-mail addresses there
< are. Is there anyting to stop you from adding that new API?

As far as I understand, the implementation of the GetEmailCount in the NSS
library would require the same kind of looping.

Comment 30

14 years ago
but even so why burden the consumers? It seems like they will be able to loop
much faster internally than you will by calling GetNextEmail over and over. 

Personally I think that if this can't wait for nsIStringArray (which is slated
for 1.4alpha, we have a few other people demanding it as well for the editor API
freeze) and thus you are forced to loop twice, at least make one of the loops
happen inside NSS by adding that new API. 

If someone is going to stop you from adding to the API that's a whole other
issue, but I'm certainly willing to be a reviewer there, and you can do it as a
part of this bug.
(Assignee)

Comment 31

14 years ago
> If someone is going to stop you from adding to the API that's a whole other
> issue, but I'm certainly willing to be a reviewer there, and you can do it as a
> part of this bug.

NSS is an external library. NSS has a completely different release schedule than
Mozilla. We are currently using a branch of NSS that is the maintained snapshot
for us. It would be a separate process and a separate bug to implement an
additional API in the external library, and we would need to delay this feature
until we make the transition to move Mozilla to the next larger version of NSS.

Updated

14 years ago
Depends on: 173601

Comment 32

14 years ago
ok, I've got a mostly working version of an nsIStringEnumerator in bug 173601..
I hope to land it early in 1.4alpha. the implementation may change, but the
interfaces should stay the same, if you want to try applying it to your tree.

Comment 33

14 years ago
ok, the nsISimpleEnumerator bug has been fixed - wanna give it a try with that?
All you need is an nsCStringArray filled with e-mail addresses.

Comment 34

14 years ago
Comment on attachment 113164 [details] [diff] [review]
Patch v3

minusing the sr because we have a string enumerator now that is really easy to
use.
Attachment #113164 - Flags: superreview?(alecf) → superreview-

Comment 35

14 years ago
Requesting nsenterprise flag.
Some enterprises use an organization with an internal email that is different
from the email seen in the outside world.
Support for this feature would be really interesting for them.

This feature is now supported in Outlook XP.
Keywords: nsenterprise

Updated

14 years ago
Summary: [RFE] Support certificates with multiple listed email addresses → Support certificates with multiple listed email addresses

Comment 36

14 years ago
Comment on attachment 113164 [details] [diff] [review]
Patch v3

sorry for the delay in getting back to this after our AIM conversation

please file a bug against the non-localizable strings you use here...

sr=alecf
Attachment #113164 - Flags: superreview- → superreview+

Updated

14 years ago
Blocks: 188320
(Assignee)

Comment 37

14 years ago
Checked in, marking fixed.
Status: NEW → RESOLVED
Last Resolved: 17 years ago14 years ago
Resolution: --- → FIXED

Comment 38

14 years ago
Verified/Fixed with 2003040408 (Linux)

Good job, but still some work to do on the subject unfortunately.

This fix does not cover the encryption side of the thing, ie after importing
someone's else cert with two email email1, email2, you will only be able to
encrypt to email1, not to email2. Bug 190738 says the backend part needed for
this in the db is fixed already in nss 3.7.
There's a bug for that already somewhere, I'll include a link.

When cliking to see details of the signature of the mail, the email displayed is
always the first of the list of emails for the cert even if it does not match
the "From:". I filled bug 200710 about this.
(Assignee)

Comment 39

14 years ago
> This fix does not cover the encryption side of the thing, ie after importing
> someone's else cert with two email email1, email2, you will only be able to
> encrypt to email1, not to email2.

Did you test it?
It does work for me correctly!

If you want me to, I can send you a signed mail from my private address, using a
certificate from Thawte that contains multiple email addresses. I can send send
encrypted mail to any address listed in that cert.

Comment 40

14 years ago
libpipnss.so grew by 1.4k.  anyway to optimize this more?

libpipnss.so
  	Total:	      +1456 (+1464/-8)
  	Code:	      +1392 (+1392/+0)
  	Data:	        +64 (+72/-8)
  	      +1392 (+1392/+0)	T (CODE)
  		      +1392 (+1392/+0)	UNDEF:libpipnss.so:T
  			       +748	nsNSSCertificate::ContainsEmailAddress(nsAString const &, int *)
  			       +632	nsNSSCertificate::GetEmailAddresses(unsigned int *, unsigned
short ***)
  			        +12	cmmf_decode_process_certified_key_pair
  	        +64 (+72/-8)	D (DATA)
  		        +64 (+72/-8)	UNDEF:libpipnss.so:D
  			        +32	nsIX509Cert virtual table
  			        +32	nsNSSCertificate virtual table
  			         +8	nsPKCS12Blob virtual table
  			         -8	nsStringComparator virtual table

Comment 41

14 years ago
> Did you test it?
> It does work for me correctly!

I did test it, it was failing, but I just tried again with another install and
this time it worked (an older Mozilla install unfortunately).
I wonder if the failing case was not after importing the multiple email cert,
but before opening a message that has been signed using it. I really thought I
had checked after opening the message too, but ... I see it working now.

I'll try to verify if the failure came from that, and if so, then it's not a
problem in real use.

Comment 42

14 years ago
I have verified that this works using thawte certs on the 20030423 builds.

Jean-Marc, I want to mark this bug as verified, however as you have something
you want to look at, please mark it verified if you are satisifed.

Comment 43

14 years ago
*** Bug 204537 has been marked as a duplicate of this bug. ***

Comment 44

14 years ago
Verified
Status: RESOLVED → VERIFIED
(Assignee)

Comment 45

14 years ago
*** Bug 206409 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 46

14 years ago
*** Bug 30883 has been marked as a duplicate of this bug. ***

Updated

12 years ago
Component: Security: S/MIME → Security: S/MIME
Product: PSM → Core

Updated

9 years ago
Version: psm2.1 → 1.0 Branch

Updated

8 years ago
Component: Security: S/MIME → Security: S/MIME
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime
You need to log in before you can comment on or make changes to this bug.