Imprecise message when trying to sign an email with a certificate without its full chain installed

Imprecise message when trying to sign an email with a certificate without its full chain installed

Jaime Hablutzel Egoavil
If a commercial S/MIME certificate is imported into Thunderbird from a PFX
missing the intermediate CA certificate and this certificate is then
selected from "Account Settings > Security" (which Thunderbird will allow
for), currently, when a message is about to be signed and sent, Thunderbird
will produce the following error message:

NoSenderSigningCert=You specified that this message should be digitally
signed, but the application either failed to find the signing certificate
specified in your Mail & Newsgroup Account Settings, or the certificate has
expired.

That message doesn't include the possibility of the certificate not being
correctly validated because of a failure in the certification path building
process, so wouldn't it be better to provide a more general error message
like the following one, which is already being used under other
circumstances?

ErrorCanNotSignMail=Unable to sign message. Please check that the
certificates specified in Mail & Newsgroups Account Settings for this mail
account are valid and trusted for mail.

And even better, the error result produced by the call to
CertVerifier::VerifyCert could be included in the displayed message to
detail it further. This would impact around the following highlighted
original lines:

    if (!mSigningCertDBKey.IsEmpty()) {
      res = certdb->FindCertByDBKey(mSigningCertDBKey,
                                    getter_AddRefs(mSelfSigningCert));
      if (NS_SUCCEEDED(res) && mSelfSigningCert &&
          (certVerifier->VerifyCert(mSelfSigningCert->GetCert(),   // <-- highlighted
                                    certificateUsageEmailSigner,
                                    mozilla::pkix::Now(),
                                    nullptr, nullptr,
                                    builtChain) != mozilla::pkix::Success)) {
        // not suitable for signing, so unset cert and clear pref
        mSelfSigningCert = nullptr;
        mSigningCertDBKey.Truncate();
        aIdentity->SetCharAttribute("signing_cert_dbkey", mSigningCertDBKey);
      }
    }

    // must have both the signing and encryption certs to sign
    if (!mSelfSigningCert && aSign) {
      SetError(sendReport, u"NoSenderSigningCert");   // <-- highlighted
      return NS_ERROR_FAILURE;
    }


Finally, Thunderbird users would really benefit from clarifications to this
error message. A quick Google search shows that a lot of people are facing
problems with this:
https://www.google.com/search?q=%22You+specified+that+this+message+should+be+digitally+signed,+but+the+application+either+failed+to+find+the+signing+certificate%22&ei=o7VVXZiSN4Sw5wLQ3IH4BA&start=0&sa=N&ved=0ahUKEwjY7_CW0YXkAhUE2FkKHVBuAE84FBDy0wMIbQ&biw=1853&bih=1008

PS:

   - This applies to Thunderbird v60.8.0.



--
Jaime Hablutzel -  +51 994690880
_______________________________________________
dev-apps-thunderbird mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-apps-thunderbird
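The distinction the post asks for (a missing intermediate, an expired
certificate, a certificate not valid for mail, or no certificate at all) can
be made concrete outside Thunderbird. The following is an added example
written for this thread, not Thunderbird's code: Go's crypto/x509 Verify
stands in for CertVerifier::VerifyCert, a throwaway root/intermediate/leaf
hierarchy is generated in memory in place of a commercial CA, and the names
mkCert, pool, Diagnose, TestPKI, BuildTestPKI, the CA names and the subject
alice@example.test are all constructed for the example. Diagnose returns a
separate message for each failure mode, which is what the proposed replacement
for NoSenderSigningCert would need.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues one certificate of the constructed test PKI (self-signed when parent is nil).
func mkCert(cn string, isCA bool, notBefore, notAfter time.Time, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{ // serial number is a constructed value, not a real CA's
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Diagnose stands in for the VerifyCert call made before signing: extras are the
// certificates shipped in the PFX (possibly none), roots is the trust store.
func Diagnose(leaf *x509.Certificate, extras, roots []*x509.Certificate, now time.Time) string {
	if leaf == nil {
		return "no signing certificate configured"
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(roots), Intermediates: pool(extras),
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	var inv x509.CertificateInvalidError
	var unk x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "certificate expired or not yet valid"
	case errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage:
		return "certificate not valid for email protection"
	case errors.As(err, &unk):
		return "issuer certificate missing: cannot build a chain to a trusted root"
	}
	return "verification failed: " + err.Error()
}

// TestPKI is a constructed hierarchy standing in for the commercial CA:
// Root -> Intermediate -> S/MIME leaf, plus two defective leaves for comparison.
type TestPKI struct {
	Now                            time.Time
	Roots, Intermediates           []*x509.Certificate
	Leaf, ExpiredLeaf, TLSOnlyLeaf *x509.Certificate
}

func BuildTestPKI() TestPKI {
	now, year := time.Now(), 365*24*time.Hour
	root, rootKey := mkCert("Constructed Root CA", true, now.Add(-year), now.Add(10*year), nil, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, now.Add(-year), now.Add(5*year), nil, root, rootKey)
	smime := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	leaf, _ := mkCert("alice@example.test", false, now.Add(-time.Hour), now.Add(year), smime, inter, interKey)
	expired, _ := mkCert("alice@example.test", false, now.Add(-2*year), now.Add(-year), smime, inter, interKey)
	tlsOnly, _ := mkCert("alice@example.test", false, now.Add(-time.Hour), now.Add(year),
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	return TestPKI{now, []*x509.Certificate{root}, []*x509.Certificate{inter}, leaf, expired, tlsOnly}
}

func main() {
	pki := BuildTestPKI()
	fmt.Println("full chain in PFX:    ", Diagnose(pki.Leaf, pki.Intermediates, pki.Roots, pki.Now))
	fmt.Println("intermediate missing: ", Diagnose(pki.Leaf, nil, pki.Roots, pki.Now))
}
```

The second call in main reproduces the situation from the post: the same
leaf, the same trusted root, but no intermediate supplied with the PFX. Path
building then fails with an unknown-authority result, which is a different
condition from "not found" or "expired", and Diagnose reports it as such;
passing pki.ExpiredLeaf or pki.TLSOnlyLeaf instead shows the other two
messages.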

Re: Imprecise message when trying to sign an email with a certificate without its full chain installed

Jörg Knobloch
On 15 Aug 2019 21:46, Jaime Hablutzel wrote:
> If a commercial S/MIME certificate is imported into Thunderbird from a PFX
> missing the intermediate CA certificate and this certificate is then
> selected from "Account Settings > Security" (which Thunderbird will allow
> for), currently, when a message is about to be signed and sent, Thunderbird
> will produce the following error message:

Please file a bug with these details. CC me.

Jörg.


Re: Imprecise message when trying to sign an email with a certificate without its full chain installed

Jaime Hablutzel Egoavil
>
> Please file a bug with these details. CC me.
>

Done, https://bugzilla.mozilla.org/show_bug.cgi?id=1574325.