Closed Bug 728166 Opened 13 years ago Closed 13 years ago

Can not use self-signed certificate to sign e-mail messages

Categories

(Thunderbird :: Security, defect)

10 Branch
x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: imitko, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.53.11 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10

Steps to reproduce:

I'm following the steps in http://kb.mozillazine.org/Installing_an_SMIME_certificate , in particular the section for self-signed.
1) export the certificate in DER format from the self-signed certificate PKCS#12 bundle
2) import the certificate in Authorities, selecting all purposes to trust
3) import the PKCS#12 bundle in Personal certificates
4) go to account settings -> security and try to select a certificate to sign outgoing messages

Actual results:

I'm getting the error message: "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages." Also, when I go to see the Authorities I no longer see my certificate; it disappeared after the import into the Personal certificates.

Expected results:

I'm expecting to be able to select self-signed certificates to sign/encrypt mail messages.
(In reply to Mitko Iliev from comment #0) Check this bug if it can offer some help: bug 420419.
(In reply to Hashem Masoud from comment #1)
> (In reply to Mitko Iliev from comment #0)
> Check this bug if it can offer some help: bug 420419.

This does not help.
Does your certificate contain the proper subject and the proper email?
(In reply to Ludovic Hirlimann [:Usul] from comment #3)
> Does your certificate contain the proper subject and the proper email?

Yes, the default mail identity has exactly the same name as the certificate subject CN and exactly the same email address as in the certificate emailAddress field.
Mitko, did you try with a new profile?
(In reply to Ludovic Hirlimann [:Usul] from comment #5)
> Mitko, did you try with a new profile?

Yes, before trying I cleaned the user's profile by removing the ~user/Library/Thunderbird directory.
So what is the state of this bug report? I too get this error message, now on Thunderbird 14 on different Macs and user accounts. Things I have tried:

1. self-signed S/MIME cert that includes a CA itself (user.cer imported in Authorities, user.pkcs12 in "Your Certificates"; after that second step, the entry in Authorities disappears reproducibly)
2. importing a self-generated CA and an S/MIME cert signed by that generated CA (CA entry remains in Authorities, user entry remains in "Your Certificates", but)

Importing works, using doesn't, although Thunderbird does accept the S/MIME cert in both cases.
To be exact, I get two error messages for both cases (completely self-signed cert and a cert generated by a self-signed CA):

1. When I try to send a signed message, it says: "Sending of message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired"
2. When I try to select the certificate for encryption: "Certificate Manager can't locate a valid certificate that other people can use to send you encrypted email messages."
(In reply to Dusan Zivadinovic from comment #7)
> So what is the state of this bug report?

It could use some additional information. My questions:

1) Is this a regression, and if so what versions is it known to work on?
2) Would it be possible for you to generate a self-signed certificate that you could upload to this bug to serve as an example that fails?
Kent, thank you for your fast reply :-)

> It could use some additional information. My questions:
>
> 1) Is this a regression, and if so what versions is it known to work on?

For me, this has not worked so far. I tried Thunderbird 13 and 14.

> 2) Would it be possible for you to generate a self-signed certificate that
> you could upload to this bug to serve as an example that fails?

Okay, I created a new cert, which contains a CA in itself, using Certificate Assistant on Mac OS X. It was automatically saved to the keychain. To export the complete cert including the private key, I used pkcs12 format (no way to export pem directly from keychain...) and converted it afterwards to pem.

username: mail example
password: 123
mail address: example@mail.com

I hope this is okay. Thank you for your support :-)

Regards, Dusan

Bag Attributes
    friendlyName: mail example
    localKeyID: 0D BF 77 D9 91 6E BB C1 B7 22 91 A6 FD 1C 22 7F 28 17 DC AF
subject=/CN=mail example/C=DE/emailAddress=mail@example.com
issuer=/CN=mail example/C=DE/emailAddress=mail@example.com
[PEM-encoded certificate omitted]
Bag Attributes
    friendlyName: mail example
    localKeyID: 0D BF 77 D9 91 6E BB C1 B7 22 91 A6 FD 1C 22 7F 28 17 DC AF
Key Attributes: <No Attributes>
[PEM-encoded private key omitted]
(In reply to Dušan Živadinović from comment #10)
> Okay, I created a new cert, which contains a CA in itself, using Certificate
> Assistant on Mac OS X.
> It was automatically saved to the keychain. To export the complete cert
> including the private key,
> I used pkcs12 format (no way to export pem directly from keychain...) and
> converted it afterwards
> to pem.

Kind regards to Hannover, and to the editorial office as well.

Attaching PKCS#12 files with test certificates is also fine, generally speaking.

> username: mail example
> password: 123
> mail address: example@mail.com
>
> I hope this is okay.

The problem with this certificate is that it includes a basicConstraints extension with the "cA" boolean set to true - which is the reason why NSS/Thunderbird does not allow you to select the certificate for either message signing or encryption, as the NS_CERT_TYPE_EMAIL key type is not set when NSS processes the cert. Cf. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/certdb.c&rev=1.123&mark=545-554#540 as to how the certificate type is computed:

    /*
     * allow a cert with the extended key usage of EMail Protect
     * to be used for email or as an email CA, if basic constraints
     * indicates that it is a CA.
     */
    if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) == SECSuccess) {
        if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
            nsCertType |= NS_CERT_TYPE_EMAIL_CA;
        } else {
            nsCertType |= NS_CERT_TYPE_EMAIL;
        }
    }

Populating a cert with an EKU extension and asserting the cA bit in the basicConstraints extension (as the OS X Certificate Assistant apparently does) is pretty weird, so I'm not sure I would consider this a "bug" in NSS. From RFC 5280:

    4.2.1.9. Basic Constraints

    The basic constraints extension identifies whether the subject of the
    certificate is a CA and the maximum depth of valid certification paths
    that include this certificate.

    The cA boolean indicates whether the certified public key may be used
    to verify certificate signatures.

    [...]

    4.2.1.12. Extended Key Usage

    This extension indicates one or more purposes for which the certified
    public key may be used, in addition to or in place of the basic
    purposes indicated in the key usage extension. In general, this
    extension will appear only in end entity certificates.

(A self-signed certificate which is used for message signing doesn't need to be a CA certificate - its public key is not "used to verify certificate signatures", it is used to verify message digests / hash values, see RFC 5652 section 5.)
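An added example, not code from this bug, NSS or Thunderbird, that reproduces the certdb.c decision quoted above for the two extensions involved. It takes a certificate's Extensions SEQUENCE (the content of the [3] EXPLICIT tag in a TBSCertificate), parses basicConstraints and extendedKeyUsage with a minimal standard-library DER walker, and derives the nsCertType bits; the sample extension blocks are constructed in code, and the NS_CERT_TYPE_* values follow NSS's certt.h.

```python
# Constants follow NSS certt.h / RFC 5280; everything else is a constructed example.
BOOLEAN, OID, OCTET_STRING, SEQUENCE = 0x01, 0x06, 0x04, 0x30
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")            # 2.5.29.19
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")                # 2.5.29.37
OID_EKU_EMAIL_PROTECT = bytes.fromhex("2b06010505070304")  # 1.3.6.1.5.5.7.3.4
NS_CERT_TYPE_EMAIL, NS_CERT_TYPE_EMAIL_CA = 0x20, 0x02

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length: sample bodies are < 128 bytes

def extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    crit = tlv(BOOLEAN, b"\xff") if critical else b""
    return tlv(SEQUENCE, tlv(OID, oid) + crit + tlv(OCTET_STRING, value))

def build_extensions(is_ca):
    """Constructed Extensions block with EKU emailProtection, cA=TRUE or plain leaf."""
    basic = tlv(SEQUENCE, tlv(BOOLEAN, b"\xff") if is_ca else b"")  # cA DEFAULT FALSE
    eku = tlv(SEQUENCE, tlv(OID, OID_EKU_EMAIL_PROTECT))
    return tlv(SEQUENCE, extension(OID_BASIC_CONSTRAINTS, basic, True)
               + extension(OID_EXT_KEY_USAGE, eku))

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, body) for each element directly inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        yield tag, val

def ns_cert_type(extensions_der):
    """The certdb.c branch quoted above: emailProtection + cA -> EMAIL_CA, else EMAIL."""
    is_ca, ekus = False, []
    for _, ext in children(parse_tlv(extensions_der)[1]):
        parts = list(children(ext))
        oid, value = parts[0][1], parts[-1][1]  # critical flag, if present, sits between
        if oid == OID_BASIC_CONSTRAINTS:
            is_ca = (BOOLEAN, b"\xff") in children(parse_tlv(value)[1])
        elif oid == OID_EXT_KEY_USAGE:
            ekus = [v for t, v in children(parse_tlv(value)[1]) if t == OID]
    if OID_EKU_EMAIL_PROTECT not in ekus:
        return 0  # no emailProtection EKU: NSS does not treat it as an e-mail cert at all
    return NS_CERT_TYPE_EMAIL_CA if is_ca else NS_CERT_TYPE_EMAIL
```

A cert whose result lacks the NS_CERT_TYPE_EMAIL bit is exactly the one Thunderbird refuses to offer for signing or encryption, which is why the cA=TRUE attachment failed while a leaf cert with the same EKU works.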
Kaspar, (kind regards back! :)

thank you for your valuable hint. That brought me on my way.

Concerning Certificate Assistant and the "weird" cert: partly, that was my fault. On mozillazine, there is a HowTo saying one would have to import a self-signed cert first to the Authorities section of Thunderbird's cert management. I tried that, but Thunderbird denied, telling me the file was not a CA cert. So I made another cert with the Assistant and chose it to be a CA cert, too -- so that's the short story behind the "weirdness" :-).

Based on your input, I have done some further "research" on that subject the last days (what else could I do on sunny days? ;-) and came to this: Apple's Certificate Assistant does not create usable S/MIME certs by itself, but only with some additional clicks. Having approved that this new kind of cert was working, I tried to import it in Thunderbird. I found a way at long last, so Thunderbird signs and encrypts my mails using a self-signed cert as expected, but I'm wondering if I missed something. The procedure was not really apparent or transparent to me -- or is there more than one way to import a self-signed cert, and I only found out the hard way?

Best regards, Dusan
And of course, one could close this case now; there is no such bug in Thunderbird's management of self-signed S/MIME certs.

Regards, Dusan
(In reply to Dusan Zivadinovic from comment #12)
> On mozillazine, there is a HowTo, saying one would have to import a
> self signed cert first to the authorites section of Thunderbirds cert
> management.

You are referring to http://kb.mozillazine.org/Installing_an_SMIME_certificate#Installing_a_Self-Signed_SMIME_Certificate_for_Your_Own_Identity, I assume? Well, its statement

    before you can install that file into the tab named "Your Certificates", you must first install that certificate as a certificate authority in the "Authorities" tab

is simply wrong. It's sufficient to import the PKCS#12 file in the "Your Certificates" tab.

> So I made another cert with the Assistant and chose it to be
> a CA cert, too

I.e., the cert in comment 10 was created by selecting "Self Signed Root" as the "Identity Type" and "S/MIME (Email)" as the Certificate Type?

> Apples
> Certificate Assistant does not create usable smime certs by himself, but
> only with some additional clicks.

If you select "Leaf" for the "Identity Type", does that fix the problem? (You might want to have a look at the cert in attachment 646952 for what I would recommend as reasonable settings for the subject DN and the extensions.)

> is there more than one way to
> import a self signed cert, and I only found out the hard way?

There's only one - import a PKCS#12 file through the "Your Certificates" tab.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID