S/MIME X509 certificate requirements for Thunderbird 60.x


S/MIME X509 certificate requirements for Thunderbird 60.x

Martin Büchler
Dear all,

Importing a COMODO email signing cert into Thunderbird 60.2.1 works fine in a plain vanilla way, that is: enroll, download, import.

Now, I want to import a certificate, originally created by our company PKI as an SSL client certificate for use with Cisco AnyConnect VPN clients.

I realized that it differs in its DN format, lacks explicit mail signing/encryption flags and has additional subject alternative names.

Two of my company email addresses are contained as

  1. "Subject: CN = <myuid>@<companydomain>"
  2. "X509v3 Subject Alternative Name: DNS:vpn.<companydomain>, email:<myemailname>@<companydomain>"

I was trying to figure out why Thunderbird refuses to accept this cert for use with either

<myuid>@<companydomain>

or

<myemailname>@<companydomain>


but there seems to be no diagnostic output, nor any documentation of what the minimum requirements for Thunderbird to accept a given cert for S/MIME actually are.

I once debugged Thunderbird and NSS code to figure this out, and I remember it was a hell of a setup to find out what is really going on, but maybe there is a document somewhere outlining these requirements.

Would be great if you could point me into the right direction.

Regards

Martin
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

S/MIME X509 certificate requirements for Thunderbird 60.x

Kai Engert-4
On 22.11.18 17:38, [hidden email] wrote:

> Now, I want to import a certificate, originally created by our company PKI as an SSL client certificate for use with Cisco AnyConnect VPN clients.
>
> I realized that it differs in its DN format, lacks explicit mail signing/encryption flags and has additional subject alternative names.
>
> Two of my company email addresses are contained as
>
>   1. "Subject: CN = <myuid>@<companydomain>"
>   2. "X509v3 Subject Alternative Name: DNS:vpn.<companydomain>, email:<myemailname>@<companydomain>"
>
> I was trying to figure out why Thunderbird refuses to accept this cert for use with either

How did you learn that TB refused it?

In account settings, security tab (not openpgp security tab), if you
click a select button, does TB offer you to use that certificate?

If it isn't offered, your certificate doesn't have the properties that
TB expects. It would be helpful to see a full dump of the properties of
your certificate. Does it include a certificate key usage extension that
allows both digital signature and data encipherment?

Kai

Re: S/MIME X509 certificate requirements for Thunderbird 60.x

Martin Büchler
On Friday, November 23, 2018 at 12:02:57 PM UTC+1, Kai Engert wrote:
...
>
> How did you learn that TB refused it?
>
> In account settings, security tab (not openpgp security tab), if you
> click a select button, does TB offer you to use that certificate?
>

The usual way: set one of the above-mentioned email addresses in TB account settings, then choose S/MIME settings, choose Select, and a dialog appears:

Certificate Manager cannot find a valid certificate that can be used to digitally sign your messages with the address <myuid>@<companydomain>. (Original German dialog text: "Zertifikateverwaltung kann kein gültiges Zertifikat finden, das verwendet werden kann, um Ihre Nachrichten mit der Adresse <myuid>@<companydomain> digital zu unterschreiben.")

(Sorry for the German; my current locale is set to DE.)

The same happens with <myemailname>@<companydomain>.


> If it isn't offered, your certificate doesn't have the properties that
> TB expects. It would be helpful to see a full dump of the properties of
> your certificate. Does it include a certificate key usage extension that
> allows both digital signature and data encipherment?
>

That is exactly what I am looking for: where are the certificate requirements specified, other than in the TB source code? I would then like to instruct our PKI to add/change missing extensions, fields, or anticipated X.500 name formats.

In general, that is one of the big shortcomings of PKI: any piece of software is free to define which parts of the standards it accepts and how; see Chrome's subjectAlternativeName requirement for hostnames in server certs. While MS Outlook accepts it, TB doesn't. Not much of a help when promoting PKI company-wide across multiple OS platforms.

Regards
Martin

$ openssl x509 -in <cert> -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:00:00:3c:54:95:ad:db:bc:c1:71:d6:08:00:00:00:00:3c:54
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = <companydomain>, CN = <companycaname>
        Validity
            Not Before: Nov 22 11:30:54 2018 GMT
            Not After : Nov 21 11:30:54 2020 GMT
        Subject: CN = <myuid>@<companydomain>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:8b:e3:76:af:14:8d:f3:eb:8c:22:53:25:af:
                    de:ca:a6:8e:0d:87:80:1a:54:41:ad:1e:85:d6:96:
                    25:c4:3e:de:f3:44:4c:47:44:43:cc:44:ba:c4:a6:
                    ae:c6:85:19:6a:79:a7:eb:24:c5:a4:72:88:d0:cf:
                    b9:c0:94:e1:ec:0b:a9:ab:80:a2:1f:0f:30:72:4e:
                    4f:bb:dd:d5:90:b3:81:2d:37:dd:98:a6:4d:a5:6b:
                    11:6a:52:05:37:a5:83:20:94:53:52:ee:02:10:79:
                    8c:e8:1f:ce:c4:dd:44:53:c6:2d:41:57:24:7a:18:
                    44:31:21:13:ef:17:45:d3:73:c7:f9:0d:bc:f0:71:
                    ec:7a:54:ce:ba:78:08:93:78:32:31:cb:f4:af:8b:
                    02:4a:69:fe:83:69:14:ee:f5:dd:6c:2e:b1:df:56:
                    a6:77:1c:ca:38:29:62:f4:a8:af:78:7c:a4:75:33:
                    2f:4f:9d:1c:ac:20:ae:f1:6b:e1:a3:02:8d:d5:a9:
                    b2:10:b6:3e:ea:7e:45:de:10:94:06:92:79:99:40:
                    41:aa:ca:70:fe:e6:83:bd:39:8f:67:05:5e:80:6d:
                    8d:20:c2:2b:58:dd:74:69:ee:62:aa:9c:94:01:95:
                    46:b7:51:89:53:65:91:7c:76:b6:3e:6d:21:06:c7:
                    b9:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0+.#+.....7.........a...5..R...(....5.)..d...
            1.3.6.1.4.1.311.21.10:
                0.0
..+.......
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Key Identifier:
                EA:CB:7D:C9:38:C9:9A:AF:17:0F:42:74:E5:68:6B:B0:4A:CA:09:49
            X509v3 Subject Alternative Name:
                DNS:vpn.<companydomain>, DNS:vpn2.<companydomain>, DNS:vpn-ro.<companydomain>, email:<myemailname>@<companydomain>
            X509v3 Authority Key Identifier:
                keyid:69:27:1E:8A:1F:66:7B:EB:45:A1:EE:DC:58:C5:FB:15:AD:EC:C0:C8

            X509v3 CRL Distribution Points:

                Full Name:
                  <hidden>                  
                  <hidden>

            Authority Information Access:
                CA Issuers - <hidden>
                CA Issuers - <hidden>
    Signature Algorithm: sha256WithRSAEncryption
         52:1c:7e:ff:53:4e:5a:d9:ee:36:08:23:a3:f6:ea:31:9e:cc:
         5f:a5:46:9a:f3:39:51:4f:61:48:8e:0c:86:0d:84:95:b7:02:
         95:17:2d:a4:f4:0d:37:e6:05:f4:60:1a:d4:71:fd:57:13:88:
         71:45:73:12:a5:0e:e8:e5:e3:af:b5:a1:c2:04:86:c7:83:52:
         f5:58:65:0c:ea:99:74:dc:25:f3:bb:46:ac:42:d4:d9:cb:4d:
         80:2e:f3:1c:73:3f:77:08:b2:b3:0c:0c:3f:c3:9b:db:44:47:
         d4:24:37:20:c3:df:67:22:fb:00:e2:85:5d:a2:48:ca:df:a0:
         00:d2:ae:0d:d6:54:12:28:1b:cb:64:76:58:27:d6:c0:d9:6e:
         d8:70:14:1d:8a:d4:13:ce:ee:24:03:ac:6e:64:5d:1e:9f:ad:
         50:c4:09:c0:d5:41:cf:c7:2d:6a:f5:d6:96:df:cb:ae:66:a9:
         63:24:f3:98:ea:30:d0:11:21:0b:24:d5:f3:72:fd:bc:96:73:
         32:ed:fd:63:bc:9c:4e:3a:2f:64:57:7c:d6:51:12:d0:ed:ca:
         52:b0:69:93:f3:a1:ba:58:97:ab:d9:42:2d:27:e7:f6:38:e9:
         e9:0d:89:54:c3:4d:2f:62:cf:f8:29:d3:f2:92:a6:5a:ec:05:
         98:5a:b4:a7

Re: S/MIME X509 certificate requirements for Thunderbird 60.x

Kai Engert-4
On 23.11.18 12:58, Martin Büchler wrote:
> That is exactly what I am looking for: Where are the certificate requirements specified other than in TB source code? I then would like to instruct our PKI to add/change missing extensions, fields, or anticipated X500 name formats.

I agree it would be useful to have this kind of documentation, like a
wiki page.

In your case, your certificate is apparently missing the
  "Certificate Basic Constraints"
extension, which makes it clear if a certificate is a CA, or not a CA.

Could you try adding it? (With CA: false)

I think NSS is unwilling to accept certificates without that statement,
as in the past a missing extension was used to trick software into
assuming a certificate could be used as a CA.

BTW, you aren't subscribed to this list, which causes your messages to
get stuck in the moderation queue, until someone reviews that queue. I
didn't see your message until today.

Kai
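As an added example (not code from the thread, from Thunderbird or from NSS): a Go program that checks a certificate for the properties the two replies above converge on (a basicConstraints extension with CA:FALSE, keyUsage bits digitalSignature and keyEncipherment, an extendedKeyUsage that, if present at all, includes emailProtection, and the mail address carried as a subjectAltName rfc822Name), and that mints a throwaway CA plus two leaf certificates, one shaped like the posted VPN client certificate and one with the corrected profile, so the check can be seen failing and passing. The property list follows the discussion, not an authoritative NSS specification; keyEncipherment is tested rather than dataEncipherment because it is the RSA key-transport bit the posted dump already carries. The domain example.com, both addresses, the CA name, the reuse of one RSA key for all three certificates and every function name are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

const demoUID = "myuid@example.com"        // constructed; appears only in the subject CN
const demoAddr = "myemailname@example.com" // constructed; carried as a SAN rfc822Name

// smimeProblems lists which of the properties raised in the thread cert lacks as an
// S/MIME identity for addr. Only SAN rfc822Names count as addresses (Go fills
// EmailAddresses from the SAN, never from the subject CN).
func smimeProblems(cert *x509.Certificate, addr string) []string {
	var p []string
	if !cert.BasicConstraintsValid {
		p = append(p, "no basicConstraints extension (add CA:FALSE)")
	} else if cert.IsCA {
		p = append(p, "basicConstraints says CA:TRUE")
	}
	// keyEncipherment, not dataEncipherment: RSA S/MIME wraps the content key.
	const needKU = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if cert.KeyUsage&needKU != needKU {
		p = append(p, "keyUsage must include digitalSignature and keyEncipherment")
	}
	mailEKU := len(cert.ExtKeyUsage) == 0 // an absent EKU restricts nothing
	for _, e := range cert.ExtKeyUsage {
		mailEKU = mailEKU || e == x509.ExtKeyUsageEmailProtection || e == x509.ExtKeyUsageAny
	}
	if !mailEKU {
		p = append(p, "extendedKeyUsage present but lacks emailProtection")
	}
	hasAddr := false
	for _, e := range cert.EmailAddresses {
		hasAddr = hasAddr || e == addr
	}
	if !hasAddr {
		p = append(p, "subjectAltName has no rfc822Name "+addr)
	}
	return p
}

// CheckPEM runs smimeProblems on a PEM file like the one the thread fed to openssl.
func CheckPEM(pemData []byte, addr string) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return smimeProblems(cert, addr), nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoCerts mints a throwaway CA and two leaves it signs: one shaped like
// the VPN client certificate dumped in the thread, one with the corrected profile.
func BuildDemoCerts() (vpnStyle, smimeStyle *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // one key for all three; demo only
	tmpl := func(serial int64, cn string, bc bool, eku []x509.ExtKeyUsage, mail []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: bc, // false: Go then emits no basicConstraints extension at all
			KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage:           eku, DNSNames: []string{"vpn.example.com"}, EmailAddresses: mail,
		}
	}
	mint := func(t, parent *x509.Certificate) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, key))))
	}
	ca := tmpl(1, "Demo Company CA", true, nil, nil)
	ca.IsCA, ca.KeyUsage, ca.DNSNames = true, x509.KeyUsageCertSign, nil
	ca = mint(ca, ca)
	// As posted: uid address in the CN, EKU clientAuth only, one rfc822Name, no basicConstraints.
	vpnStyle = mint(tmpl(2, demoUID, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []string{demoAddr}), ca)
	// Corrected: CA:FALSE, emailProtection added (clientAuth kept for the VPN), both addresses as rfc822Names.
	smimeStyle = mint(tmpl(3, demoUID, true,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth}, []string{demoAddr, demoUID}), ca)
	return vpnStyle, smimeStyle
}

func main() { // go run . <cert.pem> <address>
	data := must(os.ReadFile(os.Args[1]))
	fmt.Println("missing for", os.Args[2], "->", must(CheckPEM(data, os.Args[2])))
}
```

Running it as `go run . cert.pem user@example.com` prints the properties the PEM file lacks for that address. On the built-in demo certificates, the VPN-style leaf is reported as missing basicConstraints and emailProtection for the SAN address, and additionally as missing an rfc822Name when asked about the address that lives only in the subject CN, which is the same pair of addresses the original poster could not select; the corrected leaf yields an empty list for both. Because Go never derives EmailAddresses from the subject, the check also makes the point that a CN containing an address is not a substitute for a SAN entry.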

Re: S/MIME X509 certificate requirements for Thunderbird 60.x

Martin Büchler
Thanks Kai for clarification, I will try getting this attribute into our next batch of certificates.