Include signer cert chain root in SMIME signed emails

NEW
Unassigned

Status

NSS
Tools
4 years ago
4 years ago

People

(Reporter: Frederik Vermeulen, Unassigned)

Tracking

(Blocks: 1 bug)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11

Steps to reproduce:

Send signed email with Thunderbird.
Alternatively: cmsutil -S -d certdir -N "mycert" -v >signed.out



Actual results:

Signer cert + intermediate certs are added, but not the root cert.
Verified with openssl pkcs7 -in signed.out -inform der -print_certs


Expected results:

Include root cert in the chain. The S/MIME spec allows this and some MUAs seem to expect it (MS Outlook for example).

This can be obtained by the following change in mozilla/security/nss/cmd/smimetools/cmsutil.c 

-    if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain,
+    if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChainWithRoot,
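Review bot: the replaced argument on the + line makes NSSCMSCM_CertChainWithRoot the unconditional behaviour of this cmsutil call, so every existing user of cmsutil -S would start emitting larger messages with the root included; consider making the mode selectable through a command-line option, or at least documenting the new default in the tool's usage text. The fragment also has no file header or @@ context, so it does not show which call in cmsutil.c is meant and cannot be applied as is. It only touches cmsutil.c, so the Thunderbird signing path named first in the steps to reproduce would still need its own change.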

See also https://bugzilla.mozilla.org/show_bug.cgi?id=540498
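
The verification step from the description can be scripted as below. This is an added example, not part of the original report or of NSS; the function name chain_summary and both sample listings are constructed for illustration. It treats a certificate whose subject equals its issuer as the root, which shows the certificate is self-issued but does not verify its signature.

```shell
#!/bin/sh
# Summarise the certificate bag of a SignedData blob from the text that
# `openssl pkcs7 -print_certs` writes. Real use, with the report's file name:
#   openssl pkcs7 -in signed.out -inform der -print_certs | chain_summary
# Prints "certs=N self_issued=M"; returns 0 only if a self-issued cert exists.
chain_summary() {
    awk '
        # Each certificate is listed as a subject= line followed by issuer=.
        /^subject=/ { sub(/^subject=[ ]*/, ""); subj = $0; certs++; next }
        /^issuer=/  { sub(/^issuer=[ ]*/, "")
                      if ($0 == subj) roots++ }   # subject == issuer
        END { printf "certs=%d self_issued=%d\n", certs, roots
              exit (roots > 0 ? 0 : 1) }
    '
}

# Constructed sample: the shape the report describes as the actual result,
# signer plus intermediate, no root.
SAMPLE_NO_ROOT='subject=CN = Alice Signer, O = Example
issuer=CN = Example Issuing CA, O = Example

subject=CN = Example Issuing CA, O = Example
issuer=CN = Example Root CA, O = Example
'

# Constructed sample: the expected result, same chain with the root appended.
SAMPLE_WITH_ROOT="${SAMPLE_NO_ROOT}
subject=CN = Example Root CA, O = Example
issuer=CN = Example Root CA, O = Example
"

# Demo on the constructed samples; "|| :" keeps the script going when the
# first sample (no root) makes chain_summary return non-zero.
printf '%s\n' "$SAMPLE_NO_ROOT"   | chain_summary || :
printf '%s\n' "$SAMPLE_WITH_ROOT" | chain_summary || :
```
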
(Reporter)

Updated

4 years ago
Blocks: 540498

Comment 1

4 years ago
Can you attach that as a patch?
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 2

4 years ago
(In reply to Magnus Melin from comment #1)
> Can you attach that as a patch?

The proposed patch was attached to bug 540498 and can be found at
https://bug540498.bugzilla.mozilla.org/attachment.cgi?id=813716