Re: S/MIME X509 certificate requirements for Thunderbird 60.x

2018-12-06 Thread Martin Büchler
Thanks Kai for clarification, I will try getting this attribute into our next 
batch of certificates. 
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: S/MIME X509 certificate requirements for Thunderbird 60.x

2018-11-27 Thread Kai Engert
On 23.11.18 12:58, Martin Büchler wrote:
> That is exactly what I am looking for: Where are the certificate requirements 
> specified other than in TB source code? I then would like to instruct our PKI 
> to add/change missing extensions, fields, or anticipated X500 name formats. 

I agree it would be useful to have this kind of documentation, like a
wiki page.

In your case, your certificate is apparently missing the
  "Certificate Basic Constraints"
extension, which makes it clear if a certificate is a CA, or not a CA.

Could you try adding it? (With CA: false)

I think NSS is unwilling to accept certificates without that statement,
because in the past a missing extension was used to trick software into
assuming a certificate could be used as a CA.

BTW, you aren't subscribed to this list, which causes your messages to
get stuck in the moderation queue, until someone reviews that queue. I
didn't see your message until today.

Kai
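The following is an added example, not code from the thread or from Mozilla/NSS. It uses the openssl command-line tool (already used for the dump later in the thread) to issue a self-signed test certificate that carries the extensions discussed above, a Basic Constraints extension with CA:FALSE, a Key Usage allowing digital signature and key encipherment, and an email address in the subjectAltName, next to a second test certificate shaped like the Cisco AnyConnect client certificate in Martin's dump. A small check function then inspects both with "openssl x509 -text". The address alice@example.com and the DNS name vpn.example.com are constructed sample values. The check goes one step beyond what the thread names: per RFC 5280 section 4.2.1.12 a present Extended Key Usage restricts the certificate to the listed purposes, so an EKU of clientAuth alone is flagged as well.

```shell
#!/bin/sh
# Added example, not from the thread: build two self-signed test certificates and check
# which one carries the properties discussed for S/MIME use in Thunderbird.
# Requires the openssl command-line tool. Sample identities below are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMAIL="alice@example.com"   # constructed sample address

# OpenSSL config: [smime_ext] is what a PKI profile for S/MIME should emit;
# [vpn_ext] mirrors the VPN client certificate in the thread (no Basic Constraints,
# EKU = clientAuth only, DNS names plus an email: entry in the SAN).
cat > "$WORK/test.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = $EMAIL

[smime_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash

[vpn_ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:vpn.example.com, email:$EMAIL
subjectKeyIdentifier = hash
EOF

# make_cert OUTFILE EXT_SECTION: self-signed test certificate carrying the extensions
# of EXT_SECTION (a real PKI would sign a CSR with the same profile instead).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -config "$WORK/test.cnf" -extensions "$2" -days 2 -out "$1" 2>/dev/null
}

# has STRING: true when the current certificate dump ($dump) contains STRING
has() { case "$dump" in *"$1"*) return 0 ;; *) return 1 ;; esac; }

# check_smime_cert CERT.pem: prints one line per missing or restricting property;
# returns 0 only when the certificate has everything the thread asks for.
check_smime_cert() {
  dump=$(openssl x509 -in "$1" -noout -text) || return 2
  rc=0
  has "CA:FALSE"          || { echo "missing: basicConstraints CA:FALSE"; rc=1; }
  has "Digital Signature" || { echo "missing: keyUsage digitalSignature"; rc=1; }
  has "Key Encipherment"  || { echo "missing: keyUsage keyEncipherment"; rc=1; }
  has "email:"            || { echo "missing: subjectAltName email:"; rc=1; }
  # RFC 5280 4.2.1.12: a present EKU limits the certificate to the purposes it lists,
  # so "TLS Web Client Authentication" alone does not cover email protection.
  if has "Extended Key Usage" && ! has "E-mail Protection"; then
    echo "restricted: extendedKeyUsage present without emailProtection"; rc=1
  fi
  return $rc
}

make_cert "$WORK/smime.pem" smime_ext
make_cert "$WORK/vpn.pem" vpn_ext

for c in smime vpn; do
  if check_smime_cert "$WORK/$c.pem"; then echo "$c.pem: usable for S/MIME"
  else echo "$c.pem: NOT usable for S/MIME"; fi
done
```

Running the script reports smime.pem as usable and vpn.pem as not usable, listing the missing Basic Constraints and the restricting EKU. The check matches on the text produced by "openssl x509 -text", which is convenient for a one-off diagnosis but not something to build a policy engine on; a PKI profile should set the extensions in the [smime_ext] section directly.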


Re: S/MIME X509 certificate requirements for Thunderbird 60.x

2018-11-27 Thread Martin Büchler
On Friday, November 23, 2018 at 12:02:57 PM UTC+1, Kai Engert wrote:
...
> 
> How did you learn that TB refused it?
> 
> In account settings, security tab (not openpgp security tab), if you
> click a select button, does TB offer you to use that certificate?
> 

The usual way: Set one of the above mentioned email addresses in TB account 
settings, then choose S/MIME settings, choose Select and dialog appears: 

Zertifikateverwaltung kann kein gültiges Zertifikat finden, das verwendet 
werden kann, um Ihre Nachrichten mit der Adresse @ 
digital zu unterschreiben.

(sorry for German, my current locale is set to DE.)

Same happens with @.


> If it isn't offered, your certificate doesn't have the properties that
> TB expects. It would be helpful to see a full dump of the properties of
> your certificate. Does it include a certificate key usage extension that
> allows both digital signature and data encipherment?
> 

That is exactly what I am looking for: Where are the certificate requirements 
specified other than in TB source code? I then would like to instruct our PKI 
to add/change missing extensions, fields, or anticipated X500 name formats. 

In general: that is one of the big shortcomings of PKI, that any software is 
free to define what part and how they accept the standards, see Chrome's 
subjectAlternativeName requirement for hostnames in server certs. While MS 
Outlook accepts it, TB doesn't. Not much of a help when promoting PKI company 
wide using multiple OS platforms.

Regards
Martin

$ openssl x509 -in  -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:00:00:3c:54:95:ad:db:bc:c1:71:d6:08:00:00:00:00:3c:54
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = com, DC = , CN = 
Validity
Not Before: Nov 22 11:30:54 2018 GMT
Not After : Nov 21 11:30:54 2020 GMT
Subject: CN = @
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:8b:e3:76:af:14:8d:f3:eb:8c:22:53:25:af:
de:ca:a6:8e:0d:87:80:1a:54:41:ad:1e:85:d6:96:
25:c4:3e:de:f3:44:4c:47:44:43:cc:44:ba:c4:a6:
ae:c6:85:19:6a:79:a7:eb:24:c5:a4:72:88:d0:cf:
b9:c0:94:e1:ec:0b:a9:ab:80:a2:1f:0f:30:72:4e:
4f:bb:dd:d5:90:b3:81:2d:37:dd:98:a6:4d:a5:6b:
11:6a:52:05:37:a5:83:20:94:53:52:ee:02:10:79:
8c:e8:1f:ce:c4:dd:44:53:c6:2d:41:57:24:7a:18:
44:31:21:13:ef:17:45:d3:73:c7:f9:0d:bc:f0:71:
ec:7a:54:ce:ba:78:08:93:78:32:31:cb:f4:af:8b:
02:4a:69:fe:83:69:14:ee:f5:dd:6c:2e:b1:df:56:
a6:77:1c:ca:38:29:62:f4:a8:af:78:7c:a4:75:33:
2f:4f:9d:1c:ac:20:ae:f1:6b:e1:a3:02:8d:d5:a9:
b2:10:b6:3e:ea:7e:45:de:10:94:06:92:79:99:40:
41:aa:ca:70:fe:e6:83:bd:39:8f:67:05:5e:80:6d:
8d:20:c2:2b:58:dd:74:69:ee:62:aa:9c:94:01:95:
46:b7:51:89:53:65:91:7c:76:b6:3e:6d:21:06:c7:
b9:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.7: 
0+.#+.7.a...5..R...(5.)..d...
1.3.6.1.4.1.311.21.10: 
0.0
..+...
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: 
TLS Web Client Authentication
S/MIME Capabilities: 
..0...`.H.e...*0...`.H.e...-0...`.H.e0...`.H.e0...+0
..*.H..
X509v3 Subject Key Identifier: 
EA:CB:7D:C9:38:C9:9A:AF:17:0F:42:74:E5:68:6B:B0:4A:CA:09:49
X509v3 Subject Alternative Name: 
DNS:vpn., DNS:vpn2., 
DNS:vpn-ro., email:@
X509v3 Authority Key Identifier: 

keyid:69:27:1E:8A:1F:66:7B:EB:45:A1:EE:DC:58:C5:FB:15:AD:EC:C0:C8

X509v3 CRL Distribution Points: 

Full Name:

  

Authority Information Access: 
CA Issuers - 
CA Issuers - 
Signature Algorithm: sha256WithRSAEncryption
 52:1c:7e:ff:53:4e:5a:d9:ee:36:08:23:a3:f6:ea:31:9e:cc:
 5f:a5:46:9a:f3:39:51:4f:61:48:8e:0c:86:0d:84:95:b7:02:
 95:17:2d:a4:f4:0d:37:e6:05:f4:60:1a:d4:71:fd:57:13:88:
 71:45:73:12:a5:0e:e8:e5:e3:af:b5:a1:c2:04:86:c7:83:52:
 f5:58:65:0c:ea:99:74:dc:25:f3:bb:46:ac:42:d4:d9:cb:4d:
 80:2e:f3:1c:73:3f:77:08:b2:b3:0c:0c:3f:c3:9b:db:44:47:
 d4:24:37:20:c3:df:67:22:fb:00:e2:85:5d:a2:48:ca:df:a0:
 00:d2:ae:0d:d6:54:12:28:1b:cb:64:76:58:27:d6:c0:d9:6e:
 d8:70:14:1d:8a:d4:13:ce:ee:24:03:ac:6e:64:5d:1e:9f:ad:
 

S/MIME X509 certificate requirements for Thunderbird 60.x

2018-11-23 Thread Kai Engert
On 22.11.18 17:38, mbch...@gmail.com wrote:
> Now, I want to import a certificate, originally created by our company PKI as 
> SSL-Client certificate for use with Cisco Anyconnect VPN clients.
> 
> I realized that it differs in its DN format, misses explicit mail 
> signing/encryption flags and has additional subject alternative names. 
> 
> Two of my company email addresses are contained as 
> 
>   1. "Subject: CN = @" 
>   2. "X509v3 Subject Alternative Name: DNS:vpn., 
> email:@
> 
> I was trying to figure out why Thunderbird refuses to accept this cert for 
> use with either

How did you learn that TB refused it?

In account settings, security tab (not openpgp security tab), if you
click a select button, does TB offer you to use that certificate?

If it isn't offered, your certificate doesn't have the properties that
TB expects. It would be helpful to see a full dump of the properties of
your certificate. Does it include a certificate key usage extension that
allows both digital signature and data encipherment?

Kai


S/MIME X509 certificate requirements for Thunderbird 60.x

2018-11-22 Thread mbchler
Dear all,

Importing a COMODO email signing cert into Thunderbird 60.2.1 works fine in a 
plain vanilla way, that is: enroll, download, import.

Now, I want to import a certificate, originally created by our company PKI as 
SSL-Client certificate for use with Cisco Anyconnect VPN clients.

I realized that it differs in its DN format, misses explicit mail 
signing/encryption flags and has additional subject alternative names. 

Two of my company email addresses are contained as 

  1. "Subject: CN = @" 
  2. "X509v3 Subject Alternative Name: DNS:vpn., 
email:@

I was trying to figure out why Thunderbird refuses to accept this cert for use 
with either

@

or

@


but there seems to be no diagnostic output, nor any documentation on what the 
minimum requirements for Thunderbird to accept a given cert for S/MIME actually 
are. 

I once debugged Thunderbird and NSS code to figure this out, and I remember it 
was a hell of a setup to find out what is really going on, but maybe there is 
somewhere a document outlining these requirements.

Would be great if you could point me in the right direction.

Regards

Martin