Closed Bug 578295 Opened 14 years ago Closed 10 years ago

S/MIME Signature not shown/verified in nested MIME-Message

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: maxka, Unassigned)

Details

(Keywords: testcase)

Attachments

(1 file)

example of how mailman nests smime signed messages in a way that causes thunderbird to be unable to verify the signature
11.41 KB, application/octet-stream
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100608 SUSE/3.1.0 Lightning/1.0b2 Thunderbird/3.1

When S/MIME multipart/signed message is nested in another multipart message, the signature isn't verified. However, the .p7s part isn't shown, though.

Reproducible: Didn't try



Expected Results:  
Best expectation: The signature for the signed part is verified and success is  indicated. Second to best: It is indicated, that there could be a signature, or showing the S/MIME-Signature as an attachment.

here's an example, a signed message gone throuhg a mailing list with an additional signature:

Content-Type: multipart/mixed; boundary="MIMEStream=_0+214171_17845734712750_3202552214"

--MIMEStream=_0+214171_17845734712750_3202552214
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060001040707080708060500"

--------------ms060001040707080708060500
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

actual message, shown in the message-view window

--------------ms060001040707080708060500
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

[base64]

--------------ms060001040707080708060500--

--MIMEStream=_0+214171_17845734712750_3202552214
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
Actual mailman List footer, shown as attachment "part 1.2" AND shown inline, despite "show attachments inline" is unchecked.

--MIMEStream=_0+214171_17845734712750_3202552214--
Component: Mail Window Front End → Security
QA Contact: front-end → thunderbird
The issue can be seen on the ietf-dkim@mipassoc.org mailing list.  Look for recent messages from John Levine and Jesse Thompson.  I will attach an example message.
Keywords: testcase
Your message isn't signed if it's only partially signed. Particularly in the context of Thunderbird, if we claimed a message was signed if only part of it was signed, an attacker could attach signed contents to a message that never get displayed and give the appearance in the UI of a signed message.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: