Bug 624851
| Summary: | Evolution mail client: Unable to load encryption cert from the smart card to send/receive encrypted messages. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Asha Akkiangady <aakkiang> |
| Component: | evolution | Assignee: | Matthew Barnes <mbarnes> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.0 | CC: | aakkiang, ckannan, djasa, jkoten, jmagne, lnovich, mcrha, rpattath, rrelyea, tpelka |
| Target Milestone: | rc | Keywords: | OtherQA, Patch |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | evolution-2.32.3-9.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 647519 674653 | Environment: | |
| Last Closed: | 2013-11-21 04:58:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 674653 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Asha Akkiangady
2010-08-17 22:28:20 UTC
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

Thank you for your bug report. This issue was evaluated for inclusion in the current release of Red Hat Enterprise Linux. Unfortunately, we are unable to address this request in the current release. Because we are in the final stage of Red Hat Enterprise Linux 6 development, only significant, release-blocking issues involving serious regressions and data corruption can be considered.

If you believe this issue meets the release blocking criteria as defined and communicated to you by your Red Hat Support representative, please ask your representative to file this issue as a blocker for the current release. Otherwise, ask that it be evaluated for inclusion in the next minor release of Red Hat Enterprise Linux.

Thanks for a bug report. If I got it right then the signing certificate loading works correctly, thus the smart card support works as expected, only that encryption certificate is not shown in the UI, the "Select" dialog doesn't show any available certificate?

From the code I see it should show you the same list of certificates for both signing and encrypting part, and the certificate should have set certUsageEmailSigner, otherwise it's skipped.

The thing is, when you are signing, then there is used your private key to create a signature, but when encrypting, then the public key of the recipient is used. Encryption certificate in account preferences "only" means to select your public key to be used when you have chosen "Also encrypt to self when sending encrypted messages", in all other cases should be used recipient's public key, even when you are sending messages to yourself.
With this it seems to me like NotABug, but maybe I misunderstood something.

Milan, on a "Select", the dialog only shows signing certificate that's on the token. What I expected is how Thunderbird supports; "Select" for signing certificate allow user to select signing certificate and "Select" for encryption certificate allow user to select encryption certificate from the smart card.

Created attachment 457737
proposed evo patch

for evolution;
Would this do it? It's still in the upstream code (and this patch is against actual git master of evolution), but the change is pretty simple.
Asha, if I build a test package, are you able to give it a try, please?

Milan, I don't have a Rhel 6.1 set-up yet, how soon should this be tested?

Deadline for erratas is this Friday, as far as I know.

There is no ISO for RHEL 6.1 yet, I am awaiting for that.

OK, when you get to it, I built test packages for you [1], though I would recommend not waiting for an ISO, neither for the 6.1, you can install this rpm on 6.0 too, and check whether you'll be able to select correct certificates for both signing and encrypting.

[1] https://brewweb.devel.redhat.com/taskinfo?taskID=3077347

Tested on a RHEL 6.0 desktop with the evolution test build, in the account security setting (S/MIME) I am able to select encryption and signing cert from the smartcard. Tried to send an encrypted e-mail to self by selecting "S/MIME Encrypt" in the new mail message window, evolution error is thrown "Could not create message. Because 'Can not find certificate for "aakkiang", you may need to select different mail options.'".

(In reply to comment #12)
> Tried to send an encrypted e-mail to self by selecting "S/MIME Encrypt" in the
> new mail message window, evolution error is thrown "Could not create message.
> Because 'Can not find certificate for "aakkiang", you may need to
> select different mail options.'".

Hrm, then a clone of this bug for evolution-data-server will be required, because this error comes from there.

Actually, I can be wrong. The above was just a quick thought. On sending is searched for a certificate with the given email address, which is the recipient. It's enough to have a public key for such user/email. I suppose your certificate is set for this email, right?

Milan, I created a clone of this bug, bz 674653.

Yes, my certificate is set for the e-mail, in thunderbird using the same smart card and the certificates I am able to send/read encrypted e-mail.
Installed a RHEL 6.1 desktop and tested with "evolution-2.28.3-19.el6.x86_64" from https://brewweb.devel.redhat.com/taskinfo?taskID=3077347, unable to select encryption certificate from the smart card.

I suppose it's 19.1, right? As that build is cleaned and doesn't provide packages any more.

Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Devel-acking, patch(es, see bug #674653 for eds part) available.

Test the bug with builds in comment 25 with a smart card token with both encryption and signing certs. Evolution gives the option of selecting only the signing cert and not the encryption cert. The bug does not seem to be fixed.

(In reply to Roshni from comment #26)
> Test the bug with builds in comment 25 with a smart card token with both
> encryption and signing certs. Evolution gives the option of selecting only
> the signing cert and not the encryption cert. The bug does not seem to be
> fixed.

I will have some cards for testing locally, which should help with providing proper patch, but I'd like to ask you for a help to setup/enable the smart card in evolution, please? I suppose there are needed certain steps to have it done right, and I only found [1], where the responder claims that he had no luck with evolution 2.32 (which is the version to be included in the next rhel 6). I guess it was more about nss version, than about evolution in the time of the reply on the list.
[1] https://mail.gnome.org/archives/evolution-list/2010-November/msg00151.html

I tried installing the builds mentioned in comment 28 but am seeing dependency issues on RHEL 6.4

```
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libedataserver-1.2.so.14()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libcamel-provider-1.2.so.19()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libebook-1.2.so.10()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libedataserverui-1.2.so.11()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libgtkhtml-editor-3.14.so.0()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: libcamel-1.2.so.19()(64bit)
Error: Package: evolution-2.32.3-3.el6.x86_64 (evolution-deps-1)
           Requires: evolution-data-server >= 2.32.3
```

Oh, true, Matthew is currently updating the repo, to get brew builds, instead of Fedora 14 packages, and it's not complete yet. If you've time, just search for latest .el6 packages in brew [1], and grab them for your architecture there. You might need (if I skip those in Matthew's repo as of now):

gtkhtml3 evolution-data-server gnome-panel control-center pidgin ekiga

and possibly some more, in case you've them already installed. Or just wait until Matthew has the repo updated with latest brew builds. I can rebuild a test package for you then, to get higher version of evolution than will be available in Matthew's repository (evolution-2.32.3-5 is still affected).

[1] https://brewweb.devel.redhat.com/

Roshni, I'll include a patch in more recent evolution package, I'll build it by today, then we can reiterate, if it'll not work for you.

The fix works.
There are several caveats though and some stuff has changed since evo 2.28 days:

1) evolution now uses standard combo of system sql:/etc/pki/nssdb and user sql:$HOME/.pki/nssdb databases
2) evolution runs as regular user but nss tools (modutil, nss-gui) remove read access from /etc/pki/nssdb/pkcs11.txt (bug 990631). The net result is that evolution is unaware of the module unless the permissions are back to 0644 or the module is added to user's database as well
3) evolution only reads certificates upon its start so you have to restart evo after you plug the card in

So the steps for coolkey-based cards are:

1) (as root) add coolkey module to your nssdb:
   `# modutil -dbdir sql:/etc/pki/nssdb -add "CoolKey PKCS#11 Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so`
2) (as root) fix the file permissions again:
   `# chmod 0644 /etc/pki/nssdb/pkcs11.txt`
3) plug in the reader & card if you haven't done so yet
4) restart evolution
5) go to Preferences - Certificates and you should see the certificates that reside on the smartcard

Thanks for the testing and confirmation, with a great summary what to do.

*** Bug 674653 has been marked as a duplicate of this bug. ***

David, I am using nss-3.14.3-37.el6.i686, coolkey-1.1.0-29.el6.i686 and pam_pkcs11.0.6.2-13.el6.i686, evolution-2.32.3-25.el6.i686. I followed the steps you have described in comment 38 but evolution does not show the certs in the smart card.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1540.html
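
As an added example (not part of the bug report or of any Red Hat tooling), the two conditions from the caveat list above, module registration in an NSS database and read access to its pkcs11.txt, can be checked before restarting evolution. The function names and status words are assumptions made for this example; the database paths and the library file name are the ones given in the comment.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report. Function names and status words
# are hypothetical; paths and library name come from the coolkey steps above.
# Run with --check to test the real system and user databases.

COOLKEY_LIB='libcoolkeypk11\.so'   # file name used in the modutil -libfile step

# 0 if DBDIR/pkcs11.txt has the "other read" bit set (for example mode 0644).
# find -perm only needs stat(), so it works even when the file is unreadable.
pkcs11_world_readable() {
    [ -n "$(find "$1/pkcs11.txt" -prune -perm -004 2>/dev/null)" ]
}

# 0 if DBDIR/pkcs11.txt has a library= line pointing at the CoolKey library.
coolkey_registered() {
    grep -q "^library=.*/${COOLKEY_LIB}\$" "$1/pkcs11.txt" 2>/dev/null
}

# Prints one status word for a regular user's view of the module:
#   ok-system   registered in the system db and pkcs11.txt is world-readable
#   ok-user     registered in the user's own db
#   unreadable  system pkcs11.txt exists but lacks read access for others
#   missing     not registered in any database the user can read
module_visible_to_user() {
    sysdb=$1; userdb=$2
    if pkcs11_world_readable "$sysdb" && coolkey_registered "$sysdb"; then
        echo ok-system
    elif coolkey_registered "$userdb"; then
        echo ok-user
    elif [ -e "$sysdb/pkcs11.txt" ] && ! pkcs11_world_readable "$sysdb"; then
        echo unreadable
    else
        echo missing
    fi
}

if [ "${1:-}" = "--check" ]; then
    module_visible_to_user /etc/pki/nssdb "$HOME/.pki/nssdb"
fi
```

A result of `unreadable` corresponds to the state left behind by the nss tools as described in caveat 2; the `chmod 0644` step or adding the module to the user's database addresses it.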